The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
(No Starch Press, paperback, list price $49.95 ; Kindle edition, list price $31.95)
When Michal Zalewski writes, people listen. And many software programmers pay — or should pay — very close attention to what he recommends.
Zalewski is an internationally respected information security expert who has uncovered hundreds of major Internet security vulnerabilities
“The dream of inventing a brand-new browser security model,” he states in The Tangled Web, “is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web. Therefore, much of the practical work focuses on more humble extensions to the existing approach, necessarily increasing the complexity of the security-critical sections of the browser codebase.”
Today’s Web indeed is a mess, a complex morass of “design flaws and implementation shortcomings” within a technology “that never aspired to its current status and never had a chance to pause and look back at previous mistakes,” he says. And: “The resulting issues have emerged as some of the most significant and prevalent threats to data security today….”
In his well-written new “Guide to Securing Modern Web Applications,” Zalewski states that “a substantial dose of patience, creativity, and real technical expertise is required from all the information security staff.”
Anyone who works with the Web application stack needs to clearly understand its built-in security vulnerabilities and the consequences that can occur when unwanted penetrations occur.
Zalewski’s 299-page book is structured into three parts – Anatomy of the Web, Browser Security Features, and A Glimpse of Things to Come — and 18 chapters:
- Security in the World of Web Applications
- It Starts with a URL
- Hypertext Transfer Protocol
- Hypertext Markup Language
- Cascading Style Sheets
- Browser-Side Scripts
- Non-HTML Document Types
- Content Rendering with Browser Plug-ins
- Content Isolation Logic
- Origin Inheritance
- Life Outside Same-Origin Rules
- Other Security Boundaries
- Content Recognition Mechanisms
- Dealing with Rogue Scripts
- Extrinsic Site Privileges
- New and Upcoming Security Features
- Other Browser Mechanisms of Note
- Common Web Vulnerabilities
Zalewski’s other published works include Silence on the Wire and Google’s Browser Security Handbook.
Despite the software industry’s many efforts to find security “silver bullets,” Zalewski contends that “[a]ll signs point to security being largely a nonalgorithmic problem for now.” What still works best, he says are three “rudimentary, empirical recipes”:
- Learning from (preferably other people’s) mistakes
- Developing tools to detect and correct problems
- Planning to have everything compromised.
“These recipes are deeply incompatible with many business management models,” he warns, “but they are all that have really worked for us so far.”
Zalewski’s book puts a bright, uncomfortable spotlight on the fundamental insecurities of Web browsers, but it also shows you how to improve the security of Web applications.
Whether you program Web apps, or manage Web app programmers, or are studying to become a Web app programmer, you likely need this book.
– Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, all available on Kindle. He is a freelance book reviewer for the Dallas Morning News and a former technical writer and software/hardware QA tester.