The Tangled Web: A Guide to Securing Modern Web Applications : Book of the Week
To help with application security, book of the week is The Tangled Web, a wonderful guide to securing modern web applicaiton.
Selected reviews from Amazon:
The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that “…the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases…”
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski’s last book – Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
The book provides systematic coverage of browser security. The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised security improvements to organizations that embrace them. I used to explain the same with a lot of hand weaving, Zalewski’s approach and insight are far superior.
Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.
I appreciate the authors treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with it’s own history, standards, market requirements and politics.
You can visit Web Develover Book Store to get this book and more great handpicked books.