Amazon just posted my 5 star review of The Tangled Web – A Guide to Securing Modern Web Applications by Michal Zalewski. (Reposted here)
I have to say, I wasn’t quite sure what to expect when I received a review copy, as there seems to be a glut of “Securing Web Apps” books out there, and from what I have seen, not that many great ones. However, Zalewski is well-known within the security industry, so I had higher than normal expectations.
Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area–indeed, his 3 principles that he prescribes are:
1) Learning from (preferably other people’s) mistakes
2) Developing tools to detect and correct problems
3) Planning to have everything compromised.
Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejitlich’s favorite things to say, and I have taken it to heart.
With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.
Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security…. Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.
Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc… This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint–Zalewski continually points out differences in how different browsers implement specific features.
The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.
I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.
The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.
All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.
A couple closing thoughts:
-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical…. I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.
-This was the first epub book I have read on my iPad, and I throughly enjoyed it…. Thanks to No Starch for providing epubs and not just pdfs!
-Josh
Defensive Depth 