Saturday, May 11, 2013
The Tangled Web: A Guide to Securing Modern Web Applications 1st edition, Michal Zalewski
This book is totally awesome. And it's on my top shelf right now.
Sure, the book is aimed at security engineers. I bought it because I was starting a new security-related project and wanted to upgrade my knowledge. Reading this book once gave me the confidence that I know a fair deal about the browser security landscape and can now hold my own. But this is a book that deserves to be read multiple times.
At one level, the author's deep insights into how the web works and how browsers operate benefit all of us, since we all use browsers to access the web (and hope that we're doing so in a secure fashion).
This book is especially useful for web developers in general who struggle to figure out why a feature works on one browser and not on another browser. The one 3-star reviewer who did not get this needs to do a better job of reading between the lines. This is a short (under 300 pages) and subtle book packed with tips and information for the perceptive and experienced developer. Not everything is completely spelled out.
For me, the heartfelt epilogue was in itself worth the price of the book (a fancy lunch for two).
In general, I thought this book was good. It covers a lot of material, and has nice "cheat sheets" at the end of each chapter.
The reason I give the book 3 stars, however, is that the author is suffering from the curs of knowledge (or perhaps I am suffering from the curse of ignorance). While he gives some background information on how browsers work, html works, etc in the first part of the book, I did not find that it was enough to really understand the consequences of some of the vulnerabilities that he mentions. Often I was left wondering how the issue he raises is actually an issue, or how someone would exploit it.
As a web developer, knowing how someone might exploit the security holes allows me to figure out how to close down those holes and make my web application more secure.
Also, the book seems to be focused on what browser developers should be doing in order to close down these issues, and not what web developers should be doing.
I've been interested in IT security for a long time, but obviously even more so since I started working professionally in this area. Since web applications have become ubiquitous in recent years, they constitute a big part of our penetration testing work. This is a very broad topic, so The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski is an ambitious project.
The first thing I noticed was that the book is comparatively thin. At around 300 pages it's only about one third of The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Don't let that fool you though, this book is not a lightweight by any means. It's logically structured in three parts, the first of which explores the various components that constitute the web as we know it today (URLs, HTTP, HTML, CSS etc.) and their security implications. This is followed by a look at the security features -- and their shortcomings -- of current browsers. After this part 3 deals with current developments and the future of browser and web application security. This is rounded off by a list of common security problems including references to the chapters of the book that cover them, as well as an epilogue with a surprisingly philosophical outlook on IT security and trust in human societies.
The writing was clear and to the point, with tons of footnotes and references to provide the interested reader with the chance to further research the presented topics. The author clearly knows what he's talking about and manages to present it in a very approachable way. Due to it's limited size the book still has to be a bit dense though, so I never really felt like reading more than one chapter at a time, otherwise it'd have been to much information to take in at once.
Whether you work in IT security or are a web application developer, this definitely is a book you don't want to miss.
"Gaining insights into the underlying mechanics of web applications is far more important that memorizing several thousand random and often unnecessary terms."
That one sentence sums up why "The Tangled Web" is, hands down, the best book on web and browser security. It is all too easy to criticize, lament, and create paranoid scenarios about the "unsound security foundations" of the web. Truth is, all of that criticism is true, and yet the web has proven to be an incredibly robust platform. In this book Michal Zalewski walks us through the history and the evolution of the architecture of the popular browsers, servers, protocols, and everything in between - as it relates security of modern web applications.
Instead of focusing on the usual security acronyms and "attack classes", this book will give you something much more powerful: a bottom up understanding of how a modern browser operates, why it does what it does, and what implications this has for designing more secure applications. This book should be mandatory reading for every web-developer. Highly recommend it.
Introduction
I liked the book, the book is thorough, on tough subject. What I missed is a more practical approach of the secure web, almost all web developers are also intrigued by hackers. to my opinion hacking itself should make developers understanding the holes of the web more easily. I really would liked some more practical examples of websites and how to brake them.
The book is handy for reference ( although the internet is might be more useful ). I expected to learn some fundamentals to cope with security issues in the daily live of webdeveloping. That after reading the book and messing around with some code examples my awareness for possible security flaws would be raised.
Security Awareness
The untangled web partially raised my awareness. Since i read the book i am more aware of the possibility of security issues in many layers of the web, plugins, java applets and other stuff that lives on the internet. What I missed was a more practical approach. For example the book could start with a simple php site implementation. This should be of no concern for the average reader of this book. With the example site created the book could have show ways how to hack the site. I know this might not be the most ethical methodology, but for me it would the way to stick all the information about security issues and how to prevent them.
Conclusion
There is a lot to be said about web security, much more than i would have known. I hope i have raised my own awareness regarding security to implement it in my daily job. However i will have a hard time selling the extra time in advance to clients.
I must compliment the author for writing this reference book about security issues on the internet. It is easy to see that a lot of research has gone into this book. Bottom line this isn't a fun developing book but it will certainly improve your quality as a developer.
Disclaimer I did receive an ebook copy from Oreilly for reviewing purpose
The Tangled Web is mostly about web technologies and how insecure they are by nature. The book is a very engaging narrative, full of details and impressive war stories. It focuses on the practical issues of web technologies and not on the theory of security. The book can be very useful for web developers and those interested in security. For example, at the end of each chapter we can find a "Security Engineering Cheat Sheet", which presents us a summary of things to consider/do. These sheets alone make the book worthwhile having. The book is organized in three main parts. In the first one, the author tells us the story of the inception of the web until today and discusses all the important technologies, protocols, etc. The second part focuses on the browser security and the third part on "the things to come". Although the book is not very thick (around 300 pages) it addresses too many important issues to completely absorb them in a single reading.
To conclude, the Tangled Web is a solid book, full of interesting and useful information. For web developers and security experts it should be a must read book. For the rest of us it is an enjoyable reading.
This is a must read for web developers, penetration testers, or anyone else involved with web application security in general. From software architects to programmers to end users, there is something for everyone in this book. By that, I mean that the book (although very technical) starts out with part 1 cover the basics of what makes the Web tick and moves on to address how browsers handle security concerns of the Web, and then up and coming things to be aware of. This would be helpful to most anyone from learning how web servers and browsers interact, to helping in spotting a phishing email via URL manipulation.
I enjoyed the section on browser security features with the discussion of origin rules and content isolation. The code samples throughout the book were excellent and clear, and I look forward to my next social engineering engagement to set up phishing site for a client. Being a former web developer and sysadmin, having this book on my bookshelf as a future reference is a great addition, and also a great deep dive into some topics I should have researched a while ago. The "cheat sheets" at the end of the chapters were very helpful and a good refresher.
Security researchers would definitely benefit from this book as well, as it has greatly increased my browser fuzz lists after reading. Chapter 18, "Common Web Vulnerabilities", is a good one for coworkers and developers as each vulnerability is presented with locations of relevant discussions throughout the book. If a particular application has numerous vulnerabilities of the same type, an in depth explanation of what is involved, what caused it, and how to fix it are readily available.
You will want to set aside time to carefully read this book as it will require much more than one sitting as you will want to test and play with the scenarios described on your own computer. Yet another excellent No Starch Press book!
I have to say, I wasn't quite sure what to expect when I received a review copy, as there seems to be a glut of "Securing Web Apps" books out there, and from what I have seen, not that many great ones. However, Zalewski is well-known within the security industry, so I had higher than normal expectations.
Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area--indeed, his 3 principles that he prescribes are:
1) Learning from (preferably other people's) mistakes
2) Developing tools to detect and correct problems
3) Planning to have everything compromised.
Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejitlich's favorite things to say, and I have taken it to heart.
With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.
Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security.... Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.
Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc... This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint--Zalewski continually points out differences in how different browsers implement specific features.
The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.
I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.
The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.
All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.
A couple closing thoughts:
-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical.... I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.
-This was the first epub book I have read on my iPad, and I throughly enjoyed it.... Thanks to No Starch for providing epubs and not just pdfs!
Product Details :
Paperback: 320 pages
Publisher: No Starch Press; 1 edition (November 26, 2011)
Language: English
ISBN-10: 1593273886
ISBN-13: 978-1593273880
Product Dimensions: 7.1 x 0.8 x 9.2 inches
More Details about The Tangled Web: A Guide to Securing Modern Web Applications 1st edition
or
Download The Tangled Web: A Guide to Securing Modern Web Applications 1st edition PDF Ebook
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment