"Web Security: A Step-by-Step Reference Guide", Lincoln D. Stein,
1998, 0-201-62489-9, U$29.95
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%P 448 p.
%T "Web Security: A Step-by-Step Reference Guide"
As it happened, this book came off the stack on a night when I wanted
nothing more than to wander off to bed. Despite my sleep deprivation
I managed not only to finish the book, but even to enjoy it. Any
technical book with security in the title that can hold interest like
that has to have something going for it.
The book covers all aspects of Web security, as laid out in chapter
one: the client or browser concern for privacy and safety of active
content, the Web server concern for availability of service and
prevention of intrusion, and the concern that both share for
confidentiality and fraud. Chapter two provides a brief but accurate
overview of cryptography as the backbone of secure systems operating
over unsecured channels. (There is only one oddity that I noted, when
512 bit RSA public key encryption was compared in strength with 40 bit
RC2 and RC4 systems.) More of the basics like Secure Sockets Layer
(SSL) and Secure Electronic Transactions (SET) are described in
chapter three, along with various forms of digital cash.
Part two looks at client-side security, with further discussions of
the use of SSL in chapter four. Chapter five details active content,
with particular attention to ActiveX and Java. "Web Privacy," in
chapter six, is an excellent and practical guide to the realities and
myths about information that can be gleaned from your browsing
activities. Included are practical tips about keeping your system
from finking on you. (Windows users should note that the files
referred to are not always in the paths specified, due to the variety
of ways that Windows programs can be installed.)
The bulk of the book, as might be expected, deals with server-side
security, this being the slightly more complex side of the issue.
Chapter seven provides an overview of the various vulnerabilities and
loopholes to watch and plug. UNIX and Windows NT servers are dealt
with in chapters eight and nine respectively. These chapters don't
assume much familiarity with the system security functions of the
systems, but do stick primarily to the server-specific topics. Access
control is a major part of any security setup, and is covered in
chapter ten. Encryption and certificates are revisited in chapter
eleven, concentrating on use in access control. CGI (Common Gateway
Interface) scripting has been a major source of Web security risks,
and chapter twelve points out safe, and unsafe, practices in
programming scripts. Chapter thirteen discusses remote authoring and
administration. Firewalls are often seen as the be-all and end-all of
Internet security, and Stein covers the reality in chapter fourteen.
Each chapter contains references to both online and printed sources of
information, and these resources are all of high quality and useful.
As noted, the book is not only readable, but even enjoyable. The
writing is clear and accurate, giving the reader both concepts and
practical tasks in minimum time with maximum comprehension. Although
the bulk of the book is for Webmasters, the casual user can not only
read it but get a great deal of value from it. Any ISP that does not
have it on their customer support bookshelf should be held criminally
copyright Robert M. Slade, 1998 BKWEBSEC.RVW 980201