Book Review: "Web Security Sourcebook", Aviel D. Rubin/Daniel Geer

Post by Rob Slade » Mon, 28 Sep 1998 04:00:00


"Web Security Sourcebook", Aviel D. Rubin/Daniel Geer/Marcus J. Ranum,
1997, 0-471-18148-X, U$29.99/C$42.50

%A   Daniel Geer
%A   Marcus J. Ranum
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1997
%G   0-471-18148-X
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$42.50 416-236-4433 fax: 416-236-4448
%P   350 p.
%T   "Web Security Sourcebook"

As Steve Bellovin notes in the foreword, complexity and security are
antithetical.  To have a complete picture of the security of a single
transaction in World Wide Web activity one must consider the hardware
of the user, the operating system of the user, the client software of
the user, the hardware of the host, the operating system of the host,
the server software of the host, the base transport protocol, the
higher level (generally HTTP: the HyperText Transport Protocol)
protocol, the general structure of the network itself, and the various
forms of content.  To expect a short book to cover all of this
material is unrealistic.  The current work, however, is of
inconsistent quality and falls short even of a much reduced target.

Chapter one looks at basic Web history and technology plus a few
illustrative security loopholes.  While basic browser security
information is presented in chapter two, the presentation is
disorganized and seems to stress some relatively improbable risks.  On
the other hand, it does point out some important and little known
problems with Internet Explorer.  Advanced browser security lists a
good deal of misinformation about cookies (along with some real dope)
and discusses anonymous remailers in chapter three.

The discussion of scripting, in chapter four, is simplistic in the
extreme.  While I would personally agree with the assessment that
JavaScript and ActiveX are not worth the security hazards they
represent, these technologies deserve more than the terse dismissal
they receive in the text.  Java gets somewhat more detailed discussion
but the authors do not appear to distinguish between design factors
and specific implementation bugs limited to a given platform.  Server
security is limited to UNIX permissions in chapter five.  Chapter six
looks primarily at commercial cryptographic products, but without
having built a solid foundation for their effective use.  Scripting is
again reviewed in chapter seven, this time concentrating on (again)
UNIX CGI (Common Gateway Interface) programming for sanitizing input
from users.

The overview of firewall technologies in chapter eight is reasonable
and balanced, citing the different types of firewalls, their strengths
and weaknesses, and the fact that firewalls can only be one tool in a
larger security strategy, never a complete answer.  Chapter nine
presents the different protocols in transaction security quite well,
but fails to give an analysis of the social and market forces that are
equally important to the overall picture.  Some systems for electronic
payment are compared in chapter ten.  Predicting the future is, of
course, problematic, but chapter eleven seems to contain more faults
than can legitimately be said to be inherent to the process.  As only
one example, the authors look forward with trepidation to "network
aware" viruses.  I'm sorry to tell you this, guys, but the proof of
that concept happened in the wild more than a decade before you wrote
the book, and has transpired depressingly often since.

The presentation of this text as a sourcebook is probably valid on the
one hand: the primary value of the tome lies in the mention of various
commercial systems related to Web security.  It cannot, however, be
recommended as a sole source.  Both a conceptual background and an
overall review of the totality of Web security factors are missing.
There are interesting points in the book, and even useful tips, but
while it may belong on the bookshelf of the dedicated Web
administrator it is not necessarily a must read for those with limited

copyright Robert M. Slade, 1998   BKWBSCSB.RVW   980711


Book Review: "The Ultimate Web Developer's Sourcebook" by Sawyer


"The Ultimate Web Developer's Sourcebook", Ben Sawyer, 1996, 1-57610-000-6,

%C   7339 East Acoma Drive, #7, Scottsdale, AZ  85260
%D   1996
%G   1-57610-000-6
%I   Coriolis
%O   U$49.99/C$69.99 800-410-0192 +1-602-483-0192 fax: +1-602-483-0193
%P   704
%T   "The Ultimate Web Developer's Sourcebook"

The real value in this book is contained in the contacts.  Graphics
tools, sound applications, video programs, multimedia packages, Web
servers, CGI (Common Gateway Interface) tools, books, magazines,
companies, and groups: these lists, overviews, and contact information
go on for chapters.  The listings do tend to be more exhaustive than
analytical, but you are almost bound to find some tool or resource
that you are looking for *somewhere* in these pages.

As for the rest, Sawyer tries to provide the concepts that
professional developers will need on a daily basis.  This is probably
too ambitious a task: the operative word seems to be "tries".  There
are some very good ideas in the design of the book: one chapter
concentrates on the various emerging technologies on the Web, relating
each to "what this means for developers".  Unfortunately, most of the
advice is of the "wait and see what develops" form.

Look at it as a phone book, rather than a tutorial, and you'll be

copyright Robert M. Slade, 1996   BKWBDVSR.RVW   961218
