Web Security & Commerce (O'Reilly Nutshell)

Rating: 4 stars
Summary: Web Security, Privacy & Commerce
Review:
The Internet is an unsecured communication system; it was not designed to be inherently secure. A simple act of browsing a Web page on a remote computer can involve sending packets of information to and receiving them from more than a dozen different computers operated by just as many different organizations.
The division of responsibility among multiple organizations makes it possible for each of these organizations, and more, to eavesdrop on your communications or even to disrupt them. There is no privacy once you visit a website, because Internet Explorer stores cookies in a folder in the history directory. These cookies can be very powerful: anyone who can gain access to your cookies can learn information about you.
In today's World Wide Web environment, you must stay abreast of newly discovered vulnerabilities if you wish to maintain a secure computer that is connected to the Internet. The day has long passed when security vulnerabilities were kept quiet. These days vulnerabilities are usually publicized with breathtaking speed once they are discovered. What's more, once a vulnerability is known, exploits are quickly developed and distributed across the Internet. In many cases system administrators have only a few hours between the time that a vulnerability is first publicized and the time when they will start to be attacked with it. Also, some flaws exploit protocols you need to allow through your firewall. Despite all the new vulnerabilities being created and discovered, the underlying concepts of web security have changed very little, and as such this book concentrates on teaching concepts and principles rather than specific commands and keystrokes; it has done a good job of it.
Firewalls are thought to improve computer security because they can exercise precise control over what information is passed between two networks. Firewalls do nothing to protect against insider misuse, viruses or other internal problems. They only provide the illusion of better security.
A good computing infrastructure will continue to function in the face of adversity, be it a man-made or a natural disaster. Building a secure computing environment requires careful planning and continued vigilance. There is no substitute for vigilance.
A secure server is not a server that implements cryptographic protocols so that data transfers cannot be eavesdropped upon, or a Web server that will safeguard any personal information received or collected, or one that does not subvert browsers into downloading viruses or other rogue programs onto user computers.
Simson Garfinkel and Gene Spafford conclude that a secure Web server is one that is resistant to a determined attack over the Internet or from a corporate insider.
Generally accepted principles in computer security consist of recommendations, procedures and policies that are known as Best Practices.
But even Best Practices have their own problems. The biggest problem is that there is really no one set of best practices that is applicable to all websites and Web users; the authors of this book recommend a combination of Risk Analysis and Best Practices.
Unfortunately, Simson Garfinkel knows that the application of risk analysis to the field of computer networks has been less successful.
It is impossible to calculate the risk that an attacker will be able to obtain System Administrator privileges on your Web server.
I have never seen a book packed with so much information on Web security as this book. I will recommend it to anyone who wants to have a good foundation in Web security; the understanding that I have gained reading this book is unbelievable.
This book is about Web security, privacy and commerce on the World Wide Web.
Organized into five parts, it examines the security policies in use on the Web today and the strategies available to minimize the risk in using the World Wide Web.
Part 1. Web Technology: examines the underlying technology that makes up today's World Wide Web and how the Internet works in general. The Architecture of the World Wide Web, Cryptography Basics, What Cryptography Can't Do, Legal Restrictions on Cryptography, Understanding Secure Sockets Layer (SSL) and Transport Layer Security (TLS), What Does SSL/TLS Really Protect (actually it does little to protect against the real attacks that consumers and merchants have experienced on the Internet), Digital Identification (Passwords, Biometrics, Digital Signatures, Digital Certificates, CAs, and Public Key Infrastructure (PKI)).
Part 2. Privacy and Security for Users: Understanding Cookies, Privacy-Protecting Techniques, Choosing a Good Service Provider, Avoiding Spam and Junk Email, Identity Theft, Privacy-Protecting Techniques, Blocking Ads and Crushing Cookies, Backups and Antitheft, Mobile Code Plug-Ins, ActiveX, and Visual Basic, The Risk of Downloaded Code, Java, JavaScript, Flash, and Shockwave.
Part 3. Web Server Security: Physical Security for Servers, Protecting Computer Hardware, Protecting Your Data, Host Security for Servers, Secure Remote Access and Content Updating, Firewalls and the Web, Securing Web Applications, Deploying SSL Server Certificates, When Things Go Wrong, Securing Your Web Service, Protecting Your DNS, Computer Crime, Your Legal Options After a Break-In.
Part 4. Security for Content Providers: Controlling Access to Your Web Content, Access Control Strategies, Client-Side Digital Certificates, Code Signing and Microsoft's Authenticode, Why Code Signing, Pornography, Filtering Software and Censorship, Privacy Policies, Legislation, and P3P, Children's Online Privacy Protection Act, Digital Payments, Internet-Based Payment Systems, How to Evaluate a Credit Card Payment System, Intellectual Property and Actionable Content, Copyright, Patents, Trademarks.
Part 5. Appendixes: Lessons from Vineyard.NET, the Platform for Privacy Preferences Project.

Rating: 5 stars
Summary: Right on the mark!
Review: Having spent a dozen years in what used to be called EDP security, but not having concentrated in the area recently, I found that the book was perfect. It avoids belaboring what is now obvious to everyone, and succeeds in covering the whole spectrum of web security issues in a single volume. It is hard to write about the history of monetized plastic (credit, debit, and smart cards) without either going into great detail or sounding like there is a great new world dawning, but Garfinkel and Spafford tread that narrow line. Similarly, the nuances of PKI very quickly can dominate anything written about it, and the authors succeed in avoiding this trap. It was interesting to see that the authors basically dealt with Denial of Service attacks a couple of years before the "famous" DOS attacks on Yahoo and E-Trade. In short, reading the book won't make you a web security maven, but it most likely will prompt you to ask the right questions about the subject, and can certainly make you sound like one! Super book!

Rating: 4 stars
Summary: Interesting, Informative, Novice to Intermediate
Review: I enjoyed this book. I found the writing to be easily understood. This is probably not an "Advanced" users guide, but is extremely useful for people who want to advance from a novice understanding to a more intermediate one.

Rating: 4 stars
Summary: A good overview, but aging
Review: I spent quite a bit of time going through this book. It's not a bad book. Very comprehensive and thorough, and generally a pretty well balanced point of view. It acknowledges security is a trade off, and looks at many different options.

I have 2 main problems with it. Firstly, it's simply getting a little old. While 85% of it is still relevant, I'd like to see a second edition. They spend too much time talking about Netscape 3 problems for my liking.

Second is the reason it lost a star. The guys who wrote this obviously know their stuff, but in some ways know it a little too well. The result of this is that when they go to explain a subject (public key infrastructure, for example) they have a tendency to jump straight into the details, implementation issues, problems, etc., without ever giving you a big picture of it first, or only very briefly if they do. If you understand the basic principles of all security concepts, then this is great, but if, like me, you bought this book to learn about fundamentals, you may find yourself, as I did on several occasions, doing research on the web to understand the big picture before going back to the book.

But for a good overview for people who are at least semi-technical, it's not bad.

Rating: 2 stars
Summary: Weak and not comprehensive
Review: In addition to being way out of date, this book misses some key issues and fails to "connect the dots" and present security as a process. There are other more complete and up-to-date introductions to security that are written better and carry more weight. I would skip this title and instead read "Secrets and Lies", "Access Denied", or even "Hacking Exposed" if you're ready for more technical depth.

Rating: 4 stars
Summary: Valuable to Technical & Non-Technical Readers
Review: This book is an ideal introduction to the broad landscape of security methods and technologies for non-technical users. It is also an excellent resource for IT professionals who need to quickly get up-to-speed on web security.

My background is mostly "big iron", consisting of 24 years of mainframe and mid-range experience and a little more than a year in distributed computing (UNIX/Linux, network, etc.). In the good old days security consisted of RACF, ACLs, and some common sense rules about physical and logical access controls. Not so today, and until I read this book I had a nagging feeling that there was a large gap in my professional knowledge. Moreover, as a home user who spent a lot of time on the web I would get frustrated by messages issued by my browser about certificates. This book came to my rescue on all counts.

The first two sections, The Web Security Landscape and User Safety, were illuminating. If a non-technical user only read these parts of the book he or she would come away with a good understanding of the risks faced on the web, and how to mitigate or eliminate them. The one complaint I have about these two sections is the material is woefully out of date. I subtracted a star from my rating for this reason.

The next three sections of the book are a wide survey of security technologies that cover digital certificates, cryptography, and web server security. These provided me with a basic understanding of technologies that I need to know as an IT professional working in distributed environments. When comparing what I needed to know about security in the mainframe world to what I need to know as an IT consultant I could not help thinking, "We're not in Kansas anymore!" The material was clear and easy to understand and built my personal self-confidence. This part of the book will not make you an expert by any means, but you will come away with a good grasp of the elements of web security and a very basic understanding of how everything works and fits together.

Commerce and Society is the title of the book's last section and contains thought-provoking information on topics such as digital payments, censorship technology and such. I especially liked the two chapters that addressed civil and criminal legal issues. Despite the fact that this book is out of date with respect to specific products, it is a great introduction to web security. Unlike other O'Reilly books that are deeply technical, this one can be easily understood by home and business users as well as IT professionals. I personally gained a lot from the book and highly recommend it.

Rating: 0 stars
Summary: So you want to make money on the Internet?
Review: This book is based on my experiences from two years' worth of reporting on web security "advances" and running a small ISP on Martha's Vineyard. Although it's nearly impossible to keep up with the developments in web security, I've done my best to bring out an interesting and timely book.

This book basically has two kinds of information. The first is background on the whole notion of web security and commerce: What are the real security risks on the web today? How can your server be compromised? How can somebody take over your browser? What threats are worth protecting against, and which should you let pass?

The rest of the book talks about the specific pieces of software that are used on the web today and the implementation problems that companies like Netscape and Microsoft have had getting out programs that are secure. I look at security issues with helper applications, Java, ActiveX, CGI scripts, and more.

This book was incredibly difficult to write because the whole web security landscape keeps changing every few months. Nevertheless, I think that you will find this book interesting and readable.

Rating: 5 stars
Summary: An excellent source of useful WWW and E-commerce information
Review: This book is rare indeed. It presents many topics only briefly covered in other books and gives users an excellent feel for the problems you will encounter in trying to set up and secure a WWW site. Besides the normal stuff, the authors show their innate knowledge of this subject area by including all the ins and outs of downloading information from the web. They also give all you want to know about digital certificates: how to get them, what they do for you, and how they help to secure your electronic transactions. Besides all these items, the authors include an appendix on the problems Simson had in setting up his own ISP service. This section is also excellent and reveals the kind of knowledge that can only be gained by experience. All in all, a great book. If you are into Web security and Electronic Commerce, this is a good book to buy.
© 2004, ReviewFocus or its affiliates