Amazon just posted my 5 star review of The Tangled Web – A Guide to Securing Modern Web Applications by Michal Zalewski. (Reposted here)

I have to say, I wasn’t quite sure what to expect when I received a review copy, as there seems to be a glut of “Securing Web Apps” books out there, and from what I have seen, not that many great ones. However, Zalewski is well-known within the security industry, so I had higher than normal expectations.

Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area–indeed, the three principles he prescribes are:

1) Learning from (preferably other people’s) mistakes

2) Developing tools to detect and correct problems

3) Planning to have everything compromised.

Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejtlich’s favorite things to say, and I have taken it to heart.

With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.

Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security…. Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up the others on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought-out features that can be exploited for much gain.

Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc… This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint–Zalewski continually points out differences in how different browsers implement specific features.

The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.

I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.

The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.

All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.

A couple closing thoughts:

-The security engineering cheat sheets at the end of each chapter are a great way to keep it practical…. I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.

-This was the first epub book I have read on my iPad, and I thoroughly enjoyed it…. Thanks to No Starch for providing epubs and not just pdfs!

-Josh


Passed the GIAC GCIA Exam…

Posted: 19th December 2011 by Josh in Uncategorized

Last month I passed the GIAC GCIA (Intrusion Analyst). I found the exam to be much more difficult than my previous GIAC Exams, primarily for two reasons:

1) There were a number of tools that had been discussed in the class… There were a number of questions on the exam about these tools–not “In what situation would you use this tool?” questions, but “What syntax would you use to get this output?” type questions. Most of the syntactical answers were esoteric switches that were neither mentioned in class, nor in my study books, which was why it was very frustrating to find them on the exam. I flagged these questions for review by GIAC, as I don’t think that they were legitimate.

2) The other reason why this exam was more difficult was that a number of the questions required a bit of actual work & calculation, instead of just looking up the right answer–though this made the exam much more difficult, I thought it was a great change from my previous GIAC exams, as it took it one step closer to real life experience, rather than just “multiple-guess.”

I will be working on my GCIA Gold next.


-Josh

Book Review: Practical Packet Analysis

Posted: 5th September 2011 by Josh in Reviews

My 4-star review of Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems was just published on Amazon. I will repost it here.

I was hoping for something a bit more in-depth, but I would have to say that this book is directed to audiences that do not know much of the fundamentals of networking, much less Wireshark. With that in mind, I did breeze through the book:
The first couple chapters are a primer on networking, and then installing Wireshark. The rest of the book goes through common protocols that you will find when sniffing, and then troubleshooting some real-world problems using Wireshark. (“Slow” network, security issues, etc.)

I found the book to be well-written and it seems much better in accuracy than the previous edition, which had some pretty embarrassing errors.

I think it could be a very useful book for the person who wants a leg up on using Wireshark in a practical scenario–just be aware that most of the content is geared for beginners.

(Disclaimer: The publisher sent me a free copy of this book to review.)

-Josh