Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews

Web Security, Privacy and Commerce 68

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it.
Web Security, Privacy and Commerce
author Simson Garfinkel, Gene Spafford (Contributor), Debby Russell
pages 800
publisher O'Reillly & Associates
rating 10
reviewer rw2
ISBN 0596000456
summary A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!

This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!


You can purchase Web Security, Privacy and Commerce at Fatbrain.

This discussion has been archived. No new comments can be posted.

Web Security, Privacy and Commerce

Comments Filter:
  • as amazing and helpful as these books are, and other great online resources not to mention, a majority of sys admins don't apply what they've learned on their servers... at the last company I worked for... our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000 :-P but that's another thing... the thing is, the guy knew squat.. in the time we hired this guy, till the company i worked for went out of business... 2 servers in the company got hacked (NT boxes.. nothing special).. he did nothing about it... maybe it was just where i worked.. but it's just sad how anyone can just get some sort of a certificate and automatically classify them as a "sys admin" or something ridiculous like that

    *sigh* just my 2 cents as always ;-)

    MCSE = Microsoft Certified Solitaire Expert
    • Maybe instead of flaming an obviously standardized course known to produce a lot of windows admins, most of who know only what the book says and nothing more, you should flame those in charge of hiring at your company, for choosing someone from that course rather than someone with proven experience?

      I'm all up for microsoft bashing in some situations. Bitching about security caused by poor admins is not one of them. Fix the admins, by not hiring the bad ones, and maybe they'll realize that if none of the brand new MCSE's can get a job, there's something wrong with the course.
    • I like this better:

      MCSE = Must Call Someone Experienced
  • dynamic-ness (Score:4, Insightful)

    by kresmoi ( 542683 ) <kresmoi@@@gmx...net> on Thursday December 20, 2001 @11:25AM (#2732382)
    problem is, how often are you going to have to buy the update to the book to stay on top of things, and how far behind 'the scene' is the book already by the time it's published? I would think the dynamic nature of these things would make books on web security a trifle behind the times and impractical, kind of like a dictionary of street slang: It'll get the general stuff right, but the details and inflection are always changing, and the world's in the details.

    However, this ringing review would indicate otherwise. please enlighten?
    • If you are not a security guru and know some things about security, you need to know a good primary source for information. The book's data may get dated very quickly but the data sources you derive from the book will be current. Some books are good for the data others are good for directing you to a current reference. Having an author do 90% of the leg work and sorting of trash sources from golden ones is important.
  • by CatherineCornelius ( 543166 ) <tonysidaway@gmail.com> on Thursday December 20, 2001 @11:25AM (#2732383) Journal
    What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code. The above review tells me it's that kind of book I might take a look at, but I'm left wondering if perhaps the book that would give me an insight into how to produce more secure system configurations and help my team to write more secure code has not yet been written.

    As a senior web and database developer, I'm probably more likely to check into security mailing lists and watch out for advisories about the core products of my service delivery systems (whether PHP, JSP, Vignette, Apache, IAS, or whatever). Still, any book that raises awareness of security issues and introduces key concepts in an easy to understand manner is to be applauded.

  • While this obviously is important, still we can see plenty of people with their eyes glazing over, even as we type.

    Of course, that is likely why most folks will need this, and why many sites are deficient on security. You need to be fairly expert to run a secure site, and this is an area where alot of folks sorta fall down.


    • still we can see plenty of people with their eyes glazing over, even as we type.

      There are a lot of analogies between doing proper computer security and life in the Army.

      Mind numbing bureaucracy, paperwork, jargon, 98% of the time you are bored stiff, and, then, 2% of the time is pure terror.

  • by Junks Jerzey ( 54586 ) on Thursday December 20, 2001 @11:29AM (#2732403)
    You definitely get the feeling these guys know there stuff from more than one perspective.

    Grammar aside, that's a good recommendation for the book. I'm getting tired of all the dismissals of anything Windows with flippant, often incorrect, remarks. (For example, it seems that many Slashdotters don't realize that Windows XP is based on Windows NT, not Windows 95.) When you expand your horizons, you expand your knowledge. And as a bonus it makes you less bitter.
    • Although I know what XP is based off of, I am still capable to being very bitter.
      • perhaps you should hire a therapist to look into it .....

        1. Are you jealous because microsoft makes more money than you do?
        2. Are you mad that the microsoft code is more functional than anything you'll ever write?
        3. Are you upset because microsoft wouldnt hire you?
        4. Are you still mad because win95 crashed once and lost your homework and you'll forever curse the windows of the past rather than looking at the current incarnation, forever insisting that microsoft sux0rs?


        I've seen it said, a few times, that linux is for those who hate microsoft, while bsd is for those who love unix. The more anti-microsoft posts I see on this site, the more I'm convinced that this saying is absolutely true.
        • Perhaps you should get out more often. The point was simply that people, including myself, can find plenty of things to be bitter about that origins of some silly program. Maybe you can discuss your need to jump to conclusions in your next therapy session.
  • ...to buy such a book at all ?
    The information in there would be outdated in a couple of months, and the new version would be aviable in some years.
    You can get decent security information on the net why even brother to buy a book ?
    (Ha, you can even get the tools to test your security on the net...just ask some script kiddie)
  • I'm definitely going to check this one out, as I'm something of a security freak. I'm currently reading "Security Engineering" by Ross Anderson (Wiley) and while the author has an obvious bias in favor of Windows, it is a great look at designing security for distributed systems.
  • by TheViffer ( 128272 ) on Thursday December 20, 2001 @11:35AM (#2732433)
    Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need.

    One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix

    I believe there is only so much that this book (which I have not seen yet) can cover. If there were "levels" of detail regarding a book, this sounds like it covers the first three, and leave the bottom two to that of the reader to explore furthor.

    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise [cnet.com]).

    The book covers "web" issues and not OS issues.
  • when discussing hacking what's important is the target resource. This is the data / resources that you intend to acquire.
    methods change of protecting data common exploits
    change.
    The data to go after is always research data as it's most valuable. prime targets are small players researching 'edge' technology that will get to market b 4 the big boys.
    the big boys will pay a lotta dosh for that kind of info.
    remember as well that all fortune 500 companies are always monitoring each other some ways legal
    i.e what colour is the smoke coming out of your factory what trucks are delivering where are the company execs travelling to etc. seems like small things but i promise you it's done all the time.
    • talking weird grammar you are, yes.
      ancient wizard, you?
      Jedi mind tricking your way past security, yes.
  • I took one quick look at the first author's name and thought it said:

    "Simon & Garfunkel"

    -bigginal
  • I like Garfinkel's writing style. His
    O'Reilly manual on PGP [amazon.com] was very approachable and useful. I'm looking forward to this book.
    • Re:Simpson Garfinkel (Score:3, Informative)

      by Brummund ( 447393 )
      Also, the slightly (ahem) outdated Practical Unix & Internet Security [oreilly.com] is also recommended. A good walk-through of all things related to security, from social hacking to securing NFS. It's a bit outdated, but it will give you a good start on security basics.

      (And as always with books from Garfinkel, a good and fun read)

  • by tagplazen ( 310628 ) on Thursday December 20, 2001 @12:02PM (#2732552) Homepage
    ..remove the words "Well, it's okay because that box is sitting behind our firewall" from everybodys lexicon.

    The point was raised above about how out of date this book would be by the time it was released. I honestly don't believe that's as big of an issue as people seem to think, 99% of the battle with keeping our networks secure is just getting people to consider the issue in the first place. Any book I can throw at our apps developers that gets them even thinking about the broad issues is a good thing, because once the seed is planted, then they come over and ask us what we would reccomend as they're working on their apps. Over the past six months we've seen the 'Ooops, you mean that travel site with the form for people to put their CC number in should be SSL'd?' to almost daily informal meetings about what they're doing and how we can support them.

    Our biggest nightmare has been the sysadmins. The NT sysadmin refuses to apply any patches, 'because then things break', and won't close a single port, 'if you want features, you have to leave things open'. Lots of guerilla midnight work going on behind that boy. ;-)

    Our solaris sysadmin is no better, if you could take the words 'Well, back at Siemans..' out of his vocabulary, he wouldn't have anything to say. Yet, he's very good at the above mentioned meetings for arguing that we're too paranoid, 'Only a very skilled attacker could sniff passwords of our switched network,' and this after multiple times of showing him dsniff and ettercap in action, complete with grabbing his passwords several times. Once again, lots of midnight cowboy fixes behind the back.

    There's a really good book out, Building Secure Software [buildingse...ftware.com] where he brings out some very good points. The best one being that security is put on networkings shoulders, when the real problem is that the developers don't build their applications with security in mind. Therefore, the strategy is to deny attackers access to the errors in the code, when the best practice would be to remove those errors in the first place. That and the quote about ecrypting information in transit is like a guy living on the sidewalk using an armored car to send his credit card information to a man living on the beach in a cardboard box is simply priceless.
  • by Anonymous Coward
    Our car-manufacturing company has developed a new revolutionary business model for making cars.

    We give away the cars for free and then we sell services for those cars! If you want to we can clean your car, wax it or you can use some of our other services.

    We get cash from a couple of VC's, the rest of them simple don't "get it". If we need more we just call "the suits".
  • by mencik ( 516959 ) <steve@mencik.com> on Thursday December 20, 2001 @12:38PM (#2732697) Homepage
    I received an advance copy of this book from Simson. I agree that it is a very good book. However there is one topic that was not discussed. I've emailed Simson about this and if another revision is done, they will include more info on it.

    The topic left out is the issue of third-party servers. Many companies, particularly small business, use third party hosting. As such, the SSL provided for their form submission process only protects the information from the client computer (the consumer) to the web server (at the third party location). It does nothing to protect how that information gets from that third-party server back to the company. You would be surprised how many companies simply take that sensitive information (credit card numbers, etc.) and package it into an email message and send it to the company via plaintext email. Not very secure.

    I wrote a paper on this subject in 1999 which is still posted at http://jsweb.net/paper.htm [jsweb.net] entitled "Are Secure Internet Transactions Really Secure?" I encourage you to take a look at it to learn more about how many companies are only providing a false sense of security, and not really protecting your information as it transits the Internet.
    • Social hacking. "Hey yeah, this is uh, Joe from finance. What's the password to log into the database again? Thanks." No use building million dollar impregnable walls if the gatekeeper waves the invading hordes right on through....

      I agree that SSL does give a false sense of security, especially with credit card numbers. Truly private info like credit card numbers should always be stored in ecrypted form, not just transmitted in encrypted form. I'm amazed especially at stories of dot-coms where a hacker managed to penetrate a database and then have access to a million credit cards. Ridiculous. You can keep 9 out of 10 hackers out with good external security. Out of the ones that get thru, the 1 in 100 who could deal with and decrypt the card numbers in the database will probably decide it's not worthwhile and go steal them from someone less cautious.
    • This definately needs to be covered. I did some (unrelated) work for a small local business who was assuring their internet customers that credit card transactions with their site were "100% secure". Which, basically, they were...until the transaction with the web server was over, and a script -- provided by the ISP, no less -- fired off an email to their POP3 account with all the credit card details.

      And don't even get me started about their pathetic passwords.
    • Kind of related to this is overall security for those remote servers. If you have a site that you depend on (say a service provider hosting a shopping cart because you lack the infrastructure to do it yourself) and it's security sucks then you expose yourself to all kinds of heartache. I'm aware of a site with an outsourced e-commerce section (thankfully no account information, simply an online store) that had that e-commerce section go away when the service provider's server got Nimda.
  • by gordguide ( 307383 ) on Thursday December 20, 2001 @01:08PM (#2732867)
    "The book will be outdated in (insert your favorite timetable here)" should all be moderated as obvious. I mean, really, there are people out there trying to make sex itself outdated sometime in the future, but I live in the here and now. What this or any well-written book does is it gives us an understanding of the issues and a foundation for future learning. Read it and forget it is no more a stragegy than not reading it at all.

    If it is a good read that makes the complicated less intimidating, I would consider it an excellent foundation for those who aren't up on the issues but want to get started.

C for yourself.

Working...