Impressions about Web Security, Privacy & Commerce, 2nd Edition
Book authors: Simson Garfinkel and Gene Spafford, published early 2002
Reviewed by Mason Pokladnik – September 2008

Parts of the book are excellent and have survived the last 6 ½ years remarkably well, especially considering how rapidly information technology changes. Unfortunately, other parts of the book are starting to show their age. At times, the book is prescient (the authors understood quite well the potential for mobile malicious code), and it reminds us of the mistakes we continue to make (not encrypting data at rest; “DNSSEC should be deployed as rapidly as possible.” [1]). On the other hand, it is sadly out of date when it talks about how there has been “surprisingly little traffic in stolen financial information.” [2]

This book is no longer a comprehensive overview of the issues relating to web application security, so it should be supplemented with more current publications or training. I seriously doubt one book will ever again be able to fully cover the administrative, software development and political issues involved in running a web-based application, especially one that is exposed to the Internet. Quite often, a topic that is a single chapter in this book is now the subject of one or more entire books.

There is a benefit to covering this diverse set of topics in one place: we can learn a great deal about a holistic approach to security from this book. Therefore, for the remainder of this review, I will attempt to separate out the parts of the book that are still relevant, the parts that readers looking for information about running a web-based application should avoid, and some areas in which I found the book deficient due to advances in attacks and countermeasures since it was published.

The Good

There are a few areas where this book shines especially bright. Chapter 14, Physical Security for Servers, is the best treatment of the subject I have ever read. It is a concise survey of a broad range of physical threats. There is not quite enough detail to help you build a data center, but it is far more than most IT departments check on a regular basis. If the recent Verizon Data Breach Report has you scrambling to inventory your data and set up some metrics, just remember that most of the companies that have suffered a data breach are still in business. Fires and floods have killed far more companies than hackers.

Discussions of encryption are liberally sprinkled throughout the book, along with 5 chapters dedicated to an introduction to cryptography and PKI, and an appendix on SSL/TLS. Unless you plan to continue your studies with Bruce Schneier’s Applied Cryptography, the information in the book is more than you will need to secure a classic web application’s data in transit. The authors also point out that cryptography can be used in creative ways, such as storing billing information so that it cannot be accessed by the application – or by people attacking it – and protecting state information sent to a web browser so that it cannot be altered without detection. While their desire to protect users’ privacy is admirable, the majority of applications track state using session identifiers and intentionally collect information on users’ use of their site.

Mason Pokladnik August 2, 2008

If I were to summarize one of the unstated themes of the book, the authors appear to think that encryption and UNIX-like operating systems are the best things to ever happen to computing. As the book is over 6 years old now, there is unfortunately no coverage of web services and their related security topics. Otherwise, I’m sure they would have taken the opportunity to extol the virtues of standards like XML Encryption and XML Signature.

Another theme in the book, which I really enjoyed, was the authors’ expansive coverage of security threats. Chapters on physical security, host security, privacy and data security, and one lonely chapter on application security, remind us that there is still a lot more to running a service than just stopping SQL injection and cross-site scripting (XSS) attacks. If the bad guys can brute-force your root password through SSH, they still win. There are other useful tidbits of information scattered throughout the book, including two chapters on the dangers presented by mobile code that are more relevant now than when they were first written. I don’t think that I can give them much credit for the prediction that the Internet would be a “growth area for crime,” [3] but their approach to security is very forward-looking and has stood up well in the intervening years.

The Bad

If chapter 2 in the book is your introduction to IP networks, you’re in trouble. It starts out rather tame with a description of a host and a network, and then proceeds to introduce the analogy that packets are like postcards. From there, you start looking at the output from tcpdump. Eventually, there is some discussion of the need to have redundant Internet connections, but it is repeated elsewhere in the book. If you are already comfortable with networking, you can just skip this chapter.

My vote for the prediction/statement in the book that best illustrates the changes in threats since the book was published: “few losses to date are attributable to any browser flaws.” [4] Oops. The authors clearly understood the potential for mobile code, but I don’t think anyone could have predicted the onslaught of attacks brought on by the combination of ActiveX, JavaScript, SQL injection, XSS and other technologies. Second best: there really isn’t any need for anti-virus software on the Macintosh or OS X platforms.

Entire sections of the book that discuss configuring Netscape 6 and older versions of Internet Explorer have not stood the test of time well. While Internet Explorer has not radically changed, Netscape has obviously been superseded by Mozilla and then Firefox.

The Ugly

The book has one section – in the host security chapter – addressing security tools that should immediately be expunged from the copy of any reader who doesn’t already know better. Unfortunately, that includes many managers. Many of the recommended tools, such as SATAN and the Tiger security checks script from Texas A&M University, will not enhance a manager’s credibility with the security staff, so please skip that section unless you are feeling nostalgic. Random side note: The last time I used Tiger – in 1998 – it was no longer being updated by the A&M network group. However, a little research shows it has been picked up and somewhat maintained by another organization. Still, there are better tools, such as Bastille and Nessus, available today.

There are some other sections of the book that, while not inaccurate in 2002, somewhat misstate the current threat environment. Examples include the rising tide of spam (which can easily be outsourced now), a relatively “new” threat called phishing, and a constant undertone that Microsoft’s products are less secure than their UNIX-like competition. I find it particularly worrisome when they recommend configuring IIS for basic authentication instead of pointing out that within an organization – many of which run Windows – integrated authentication provides a superior end-user experience (single sign-on) and a more secure authentication scheme (hash-based challenge/response instead of a base64-encoded username and password) than what was available in Apache at the time without a PKI.

Finally, there is the lack of coverage of the last 6 years of technology. The most glaring absence is the lack of any discussion of web services and their related building blocks, such as the .NET Framework. While PHP and Java are discussed, they are treated more like novelties than the infrastructure on top of which today’s web applications are built. There are some discussions of application security – including the briefest mention of topics like SQL injection and session hijacking – but they provide inadequate coverage of the threats faced by a modern application.

Summary

The book contains a lot of great information. Before reading chapter 8, I had never really considered the information that we all give out in the referer [sic] headers of our web browsers. I have since modified my configuration in Firefox to disable sending them. There are enough useful tidbits like that, in addition to the physical security chapter, to make this book worth reading for a lot of people, especially if they skip some parts that are a little out of date.

The short version is, this book should not be a person’s only source of information on web application security. Readers must find an additional, recent work on the subject to acquaint them with WSDL, XPath, JSON and PCI, as well as a hundred other acronyms and input validation issues that did not exist when this book was published. Web Security, Privacy & Commerce, 2nd Edition covers many topics unlikely to be addressed in a modern “web application security book.” Some authors just assume that these issues are understood and mitigated. If the reader has never configured a web server – or worse yet, has configured one insecurely – then this book has a considerable amount of security wisdom to offer.

Notes
[1] Chapter 20
[2] Introduction
[3] Pg 403
[4] Pg 9