Book Reviews

Book Review: The Tangled Web - A Guide to Securing Modern Web Applications


By Stephen Northcutt

The Tangled Web - A Guide to Securing Modern Web Applications

By Michal Zalewski

When I got home from my last trip of the year, a review copy was sitting in my work area. I had enjoyed Mr. Zalewski's previous book, Silence on the Wire, so I was looking forward to taking a look at this. What I did not expect was that I would not want to put it down, well, except for a trip down the invisible gorilla rabbit hole. This is the second time in December that I have found a book to be gripping; the other was Too Big to Fail: The Inside Story of How Washington and Wall Street Fought to Save the Financial System -- and Themselves. But The Tangled Web is about code and HTML and JavaScript - how could it be gripping? Mostly because it scared the heck out of me. I know a little about the web; I have inserted iframes in some of the pages on SANS.edu and have worked with XFBML. I even have a short section on web security in a course I author and teach, MGT 512 Security Leadership Essentials. But I had no idea how much I do not know. I wasn't able to follow everything in Zalewski's book, but enough to know I am going to dig in a bit deeper and buy a copy for my lead developer and CISO, and then we are going to chat about some of this.

Tangled opens with a bit of history, how we got to where we are. Part I: The Anatomy of the Web was the most valuable section to me. Again, I had some murky understanding of how the web works and have played with parts of it, but the book really pulled it together for me. Zalewski uses lots of examples, which really helped me follow along. At the end of the chapters, he has a section called Security Engineering Cheat Sheet. It scares me a little that after reading the chapter I didn't understand every item in the cheat sheet, but I intend to. My favorite chapter was the JavaScript/JSON chapter. There are a number of profound insights in this chapter, for instance, the script processing model. I never realized that when the browser is processing a chunk of code, pretty much everything else comes to a halt. This chapter has the clearest explanation of eval() I have ever seen.

I wish there were more specific browser security tips in Chapter 9; page 162 has some practical advice, but mostly as I read the chapter, I just got more concerned that browsing can never be done safely. Along that line, I may have missed it, but I do not think NoScript was discussed; that might have been handy in the clickjacking discussion. The back cover says you will learn how to do a number of tasks. I don't think that promise is kept, but you will learn about more web-related technology than you will ever have known existed, and that is possibly a starting place to learn how.

The bottom line: this is a must-read for any web developer, anyone who wonders why the Blue Coat proxy system chucks out such strange packets, and anyone who really wants to understand how the web works from a security perspective.