The Tangled Web
An essential read for anyone interested in web security. This book covers many different web technologies and how security issues arise from how they interact - something that I haven't seen covered like this in any other book.
Pros
- Covers a wide range of web technologies and looks at security issues not only with respect to each in isolation but also issues relating to how they interact.
- Very up to date. This book looks not only at what exists right now with respect to web servers and web browsers, it also looks at a lot of what is currently being proposed that may or may not be implemented.
- Covers both Apache and IIS web servers as well as Internet Explorer, Firefox, Google Chrome, Safari and Opera web browsers.
- Looks at the different versions of the various browsers and how certain older versions (particularly IE6) have many security holes that have been patched in more modern browsers.
- Considers the different technologies implemented in different browsers including where they conflict.
- A practical guide - where possible the author provides solutions to the various security issues that have not yet been fully patched by the browsers.
Cons
- On page 84 the author states that "the rationale behind is difficult to grasp" with respect to being able to include HTML using the object tag - my understanding is that frames are deprecated and that the object tag is the standard way it is supposed to be done.
- Page 230 starts with the comment "The practicality of this zone seems unclear" with respect to Internet Explorer's "Restricted Sites" zone - this zone is actually used by Outlook and Outlook Express with respect to processing of emails. This means that it does serve a practical purpose as Microsoft's Internet Zones are used for all internet related access, not just the web. I do agree that it has little use with respect to web access though.
Description
- First Edition: 2012
- 299 page paperback
- Published by No Starch Press, Inc.
- ISBN: 978-1-59327-388-00
- A guide to securing modern web applications
- Author: Michal Zalewski
Review
This book provides many examples of badly constructed HTML, CSS, JavaScript, etc. If the book were about how to write any of those languages, then those would have to be examples of what not to do. The book isn't about any of those topics, though; it is about security, and the examples clearly demonstrate how badly constructed code can create security issues.
Much of what the book covers relates to aspects of the web that have been developed piecemeal over many years and so the author logically starts at the beginning and describes how the various technologies have been developed from the start. The book looks into what the purpose of each technology was, its benefits, its shortcomings, and most importantly how it interacts with the various other web technologies - often in unexpected ways.
While I thought that I knew all about a lot of the areas that this book covers, in just about every section the author went beyond what I knew to discuss aspects of the technology that I had never considered. This is definitely a book that I will need to reread.
On a final note, you'll notice that the cons I list for the book are not really about anything wrong with the book itself but are rather two instances where the author states that there appears to be no reason for something where I believe that I know what the reason is.