Impressions about Web Security, Privacy & Commerce 2nd Edition
Book Authors, Simson Garfinkel and Gene Spafford, Published early 2002
Reviewed by Mason Pokladnik – September 2008
Parts of the book are excellent and have survived the last 6 ½ years remarkably well, especially
considering how rapidly information technology changes. Unfortunately, other parts of the book are
starting to show their age. At times, the book is prescient (the authors understood quite well the
potential for mobile malicious code), and it reminds us of the mistakes we continue to make (not
encrypting data at rest; “DNSSEC should be deployed as rapidly as possible.” [1]). On the other hand, it is
sadly out of date when it talks about how there has been “surprisingly little traffic in stolen financial
information.” [2] This book is no longer a comprehensive overview of the issues relating to web application
security, so it should be supplemented with more current publications or training.
I seriously doubt one book will ever again be able to fully cover the administrative, software
development and political issues involved in running a web-based application, especially one that is
exposed to the Internet. Quite often, a topic that is a single chapter in this book is now the subject of
one or more entire books.
There is a benefit to covering this diverse set of topics in one place. We can learn a great deal about a
holistic approach to security from this book. Therefore, for the remainder of this review, I will attempt
to separate out the parts of the book that are still relevant, the parts readers looking for information
about running a web-based application should avoid, and some areas in which I found the book deficient
due to advances in attacks and countermeasures since it was published.
The Good
There are a few areas where this book shines especially bright. Chapter 14, Physical Security for Servers,
is the best treatment of the subject I have ever read. It is a concise survey of a broad range of physical
threats. There is not quite enough detail to help you build a data center, but it is far more than most IT
departments check on a regular basis. If the recent Verizon Data Breach Report has you scrambling to
inventory your data and set up some metrics, just remember most of the companies that have suffered a
data breach are still in business. Fires and floods have killed far more companies than hackers.
Discussions on encryption are liberally sprinkled throughout the book, as well as 5 chapters dedicated to
an introduction to cryptography and PKI, and an appendix on SSL/TLS. Unless you plan to continue your
studies with Bruce Schneier’s Applied Cryptography, the information in the book is more than you will
need to secure a classic web application’s data in transit. The authors also point out that cryptography can
be used in creative ways, such as storing billing information so that it cannot be accessed by the
application – or people attacking it – as well as protecting state information sent to a web browser so
that it cannot be altered without detection. While their desire to protect users’ privacy is admirable, the
majority of applications track state using session identifiers and intentionally collect information on
users’ use of their site. If I were to summarize one of the unstated themes of the book, the authors
appear to think that encryption and UNIX-like operating systems are the best things to ever happen to
computing.
[1] Chapter 20
[2] Introduction
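The second of those creative uses, state handed to the browser that cannot be altered without detection, is worth seeing in code. The following is an added example, not code from the book or from this review: it seals a small state dictionary with an HMAC-SHA256 tag before it goes into a hidden form field or cookie, and rejects it on the way back if a single byte was changed. The key, the field names and the cart contents are all constructed for the demonstration; a real deployment loads the key from a secret store and uses a different key for each purpose. Note that this gives integrity, not secrecy: the browser can still read the state, which is exactly the point the review makes about the authors' preference for keeping data away from the client.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real deployment loads this from a secret store and uses a
# separate key per purpose (state tags, session cookies, ...), never a literal in code.
SERVER_KEY = b"demo-state-signing-key-do-not-reuse"


def _tag(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded body, base64url so it is safe in a cookie or form field."""
    digest = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def seal_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize state and append an HMAC tag.

    The browser can read the state (this is integrity, not secrecy); it just
    cannot change it without the tag failing to verify.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_tag(body, key)}"


def open_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag verifies, otherwise None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(_tag(body, key).encode(), tag.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return None


def tamper(token: str, field: str, value) -> str:
    """What an attacker editing the hidden field does: change the body, keep the old tag."""
    body, _, tag = token.rpartition(".")
    state = json.loads(base64.urlsafe_b64decode(body.encode()))
    state[field] = value
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{tag}"


if __name__ == "__main__":
    token = seal_state({"user": "alice", "cart_total": 100})
    print(open_state(token))                             # the original state
    print(open_state(tamper(token, "cart_total", 1)))    # None: tag no longer matches
```

The tag covers the encoded body, so the attacker who rewrites cart_total from 100 to 1 is left holding a tag for the old body; the server sees the mismatch and discards the request rather than trusting the client's copy of the price.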
As the book is over 6 years old now, there is unfortunately no coverage of web services and their related
security topics. Otherwise, I’m sure they would have taken the opportunity to extol the virtues of
standards like XML encryption and XML signature.
Another theme in the book, which I really enjoyed, was the authors’ expansive coverage of security
threats. Chapters on physical security, host security, privacy, data security and one lonely chapter on
application security, remind us that there is still a lot more to running a service than just stopping SQL
injection and cross-site scripting (XSS) attacks. If the bad guys can brute-force your root password
through SSH, they still win.
There are other useful tidbits of information scattered throughout the book including two chapters on
the dangers presented by mobile code that are more relevant now than when they were first written. I
don’t think that I can give them much credit for the prediction that the Internet would be a “growth area
for crime,” [3] but their approach to security is very forward looking and has stood up well in the
intervening years.
The Bad
If chapter 2 in the book is your introduction to IP networks, you’re in trouble. It starts out rather tame
with a description of a host and network, and then proceeds to introduce the analogy that packets are
like postcards. From there, you start looking at the output from tcpdump. Eventually, there is some
discussion of the need to have redundant Internet connections, but it is repeated elsewhere in the book.
If you are already comfortable with networking, you can just skip this chapter.
My vote for the prediction/statement in the book that best illustrates the changes in threats since the
book was published: “few losses to date are attributable to any browser flaws.” [4] Oops. The authors
clearly understood the potential for mobile code, but I don’t think anyone could have predicted the
onslaught of attacks brought on by the combination of ActiveX, JavaScript, SQL injection, XSS and other
technologies. Second best: there really isn’t any need for anti-virus software on the Macintosh or Mac OS X
platforms.
Entire sections of the book that discuss configuring Netscape 6 and older versions of Internet Explorer
have not stood the test of time well. While Internet Explorer has not radically changed, Netscape has
obviously been superseded by Mozilla and then Firefox.
[3] Pg 403
[4] Pg 9
The Ugly
The book has one section – in the host security chapter – addressing security tools that should
immediately be expunged from the copy of any reader who doesn’t already know better.
Unfortunately, that includes many managers. Many of the recommended tools, such as SATAN and the
Tiger security checks script from Texas A&M University, will not enhance a manager’s credibility with the
security staff, so please skip that section unless you are feeling nostalgic. Random side note: The last
time I used Tiger – in 1998 – it was no longer being updated by the A&M network group. However, a
little research shows it has been picked up and somewhat maintained by another organization. Still,
there are better tools, such as Bastille and Nessus available today.
There are some other sections of the book that, while not inaccurate in 2002, somewhat misstate the
current threat environment. Examples include the rising tide of spam (which can easily be outsourced
now), a relatively “new” threat called phishing and a constant undertone that Microsoft’s products are
less secure than their UNIX-like competition. I find it particularly worrisome when they recommend
configuring IIS for basic authentication instead of pointing out that within an organization – many of
which run Windows – integrated authentication provides a superior end user experience (single sign on)
and a more secure authentication scheme (hash-based challenge/response instead of a base-64 encoded
username and password) than what was available in Apache at the time without a PKI infrastructure.
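The difference the reviewer is pointing at, a credential that is merely base-64 encoded versus one proven through a hash-based challenge/response, is easy to show. The following is an added example and not code from the book, the review, IIS or Apache. It recovers the username and password from a captured Basic header, then runs an HTTP Digest exchange (RFC 2617 style, MD5 of HA1:nonce:HA2) as a stand-in for the challenge/response family, since Windows integrated authentication (NTLM or Kerberos) is not something to reproduce in a few lines. The realm, the user table and the nonce handling are constructed for the demonstration; a real server would store HA1 rather than the password and would expire nonces on a clock as well as on use.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo credential store (username -> password). A real Digest server keeps
# HA1 = MD5(user:realm:password) instead of the cleartext password.
REALM = "example.corp"
USERS = {"alice": "correct horse battery staple"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header: str):
    """What a passive observer of a non-TLS request learns from a Basic header: everything."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_challenge() -> str:
    """Server side: a fresh, unpredictable nonce for one authentication attempt."""
    return secrets.token_hex(16)


def digest_response(user: str, password: str, nonce: str, method: str = "GET", uri: str = "/") -> str:
    """Client side: prove knowledge of the password without sending it (RFC 2617, no qop)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(user: str, nonce: str, response: str, issued_nonces: set,
                  method: str = "GET", uri: str = "/") -> bool:
    """Server side: nonce must be one we issued and still unused; hash must match.

    Consuming the nonce on first use means a captured response cannot be replayed,
    which is the property a base-64 Basic header does not have.
    """
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)
    password = USERS.get(user)
    if password is None:
        return False
    expected = digest_response(user, password, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    captured = basic_header("alice", USERS["alice"])
    print(recover_basic(captured))          # ('alice', 'correct horse battery staple')

    issued = set()
    nonce = digest_challenge()
    issued.add(nonce)
    resp = digest_response("alice", USERS["alice"], nonce)
    print(digest_verify("alice", nonce, resp, issued))   # True: fresh challenge
    print(digest_verify("alice", nonce, resp, issued))   # False: same capture replayed
```

Two caveats a practitioner should keep in mind: the Digest response still leaks enough for an offline dictionary attack on a weak password (MD5 is fast), and neither scheme protects the rest of the request, so TLS is still required; the review's point is only that the challenge/response form does not hand the cleartext credential to anyone watching the wire.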
Finally, there is the lack of coverage of the last 6 years of technology. The most glaring absence is felt in
the lack of any discussion of web services and their related building blocks such as the .Net framework.
While PHP and Java are discussed, they are treated more like novelties instead of the infrastructure on
top of which today’s web applications are built. There are some discussions on application security –
including the briefest mention of topics like SQL injection and session hijacking – but they are
inadequate coverage of the threats faced by a modern application.
Summary
The book contains a lot of great information. Before reading chapter 8, I had never really considered the
information that we all give out in the referer [sic] headers of our web browsers. I have since modified
my configuration in Firefox to disable sending them. There are enough useful tidbits like that, in
addition to the physical security chapter, that make this book worth reading for a lot of people,
especially if they skipped some parts that were a little out of date. The short version is, this book should
not be a person’s only source of information on web application security. Readers must find an
additional, recent work on the subject to acquaint them with WSDL, XPath, JSON and PCI, as well as a
hundred other acronyms and input validation issues that did not exist when this book was published.
Web Security, Privacy & Commerce 2nd Edition covers many topics unlikely to be addressed in a modern
“Web application security book.” Some authors just assume that these issues are understood and
mitigated. If the reader has never configured a web server – or worse yet has configured one insecurely
– then this book has a considerable amount of security wisdom to offer.
Mason Pokladnik
August 2, 2008