The Web is typically viewed from three major perspectives: user, admin and provider. The second edition of Web Security, Privacy and Commerce dives into major security topics from each of these perspectives. The resulting scope is obviously ambitious, making comprehensive coverage of any single topic impossible. But the book largely succeeds at uncovering the underlying issues at play in the constantly evolving world of Web security.
Web Security is largely rewritten and expanded for this second edition. For the most part, the book meets the ambitious agenda set forth by authors Simson Garfinkel and Gene Spafford. While Web Security will live in the shadows of their more famous Practical Unix and Internet Security, it fills a need not addressed by similar titles.
Security professionals with even modest technical backgrounds will be tempted to skip the background-oriented chapters. Skimming them, at least, is recommended, as a few gems are buried here.
The chapters on personal privacy provide an overview of issues in this increasingly important area. As the authors demonstrate, even users who think they're providing "anonymous" information may be surprised at the honing powers of triangulation. On average, there are only eight people in a given ZIP code who share the same birthday. By providing a Web site with your birthday, ZIP code and age, you've likely given enough information to pinpoint your identity. Later in the book, the authors illustrate the real implications of these issues given the current lack of U.S. legislation regarding personal privacy on the Internet.
The third quarter of the book, "Web Server Security," should have a disclaimer: "Only an introduction to a huge topic." At the very least, more pointers should be provided to other more thorough references. Some issues are given adequate treatment (e.g., server-side certificates), whereas others are left either outdated or confusing (e.g., network scanning programs). While providing an overview of security topics for admins and Web-application engineers, the topics are far from comprehensive.
The final section, "Security for Content Providers," provides insightful coverage on a number of topics not found together in other places. These run from technology-related topics, to pornography and filtering, to the murky world of intellectual property in cyberspace. At times, the authors editorialize, "Although American businesses have argued repeatedly for the chance to police their own actions in the area of privacy of data collection, it appears that few are actually up to the task." But these comments are usually not too strong to offend most readers.
As expected, Web Security is well researched and expertly written. One could argue that the scope is too ambitious, which occasionally leads to a feeling that the text is lacking a definitive focus. By design, the book is largely a set of interconnected topics, successfully organized into four major sections: background, user perspective, administrator perspective and content provider perspective. Analysts involved in Web security are well-advised to add this book to their libraries.
The obvious question is, if you've already read the first edition, Web Security and Commerce, is it really worth your time to read this latest edition? The short answer: yes. The world of Web security moves at lightning speed, and while most of the concepts from the 1997 edition remain intact, more than enough new topics requiring coverage have emerged to warrant upgrading. As the change in title indicates (the addition of the word "Privacy"), new chapters are dedicated to privacy expectations, policies and law. Fortunately, the remaining chapters were given equal effort in their updates, all of which makes the book easy to recommend.
About the author: Patrick Mueller is a book reviewer for Information Security and a security analyst for a Chicago-based security consulting firm.