There are resources available for overworked or inexperienced system administrators; some of the best are offered for free on the Internet. Lincoln Stein notes in his introduction to Web Security: A Step-By-Step Reference Guide that he was uncertain about the commercial prospects of a book covering the same ground as his freely available Web Security Frequently Asked Questions list. I was concerned as well, but Stein's extension of the concepts presented in the FAQ made this book a welcome surprise.
After the obligatory, but still well executed, discussion of public key cryptography, the Secure Sockets Layer protocol (SSL) and the Secure Electronic Transactions standard (SET), Stein moves to Part III, the real added value of the book: specific security issues for the various operating systems, browsers, servers, and tools in popular use.
Both Windows NT and UNIX have serious security issues, but Stein resists the temptation to bash either platform out of hand. Instead, he uncovers the known weaknesses of the two major players (Windows 95 can be networked but is primarily a single-user system) and runs the user through, as the title intimates, a step-by-step procedure to secure the operating systems against attack. Ironically, the Macintosh turns out to be the most secure operating system, though the reason is that the base MacOS available at the time Web Security was written contained no remote network extensions and did not have a command interpreter (like Perl) installed. Once services like Perl and the Common Gateway Interface (CGI) are added, the Mac can become as vulnerable as NT and UNIX. Furthermore, MacOS and Windows 95 have only limited concepts of user accounts and privileges; once a cracker is in, for the most part he or she has the run of the machine.
Another valuable set of chapters covers safe Perl and CGI scripting practices, complete with instructions for properly setting up Perl and CGI interpreters (e.g., don't put the interpreters themselves in the same directory as the scripts) and techniques for filtering out potentially dangerous inputs (like escape characters and command sequences).
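The input-filtering practice described above, as an added illustration that is not code from Stein's book: a CGI script that accepts a request parameter only if it matches an allowlist pattern, and never hands raw input to a shell. The parameter name `user`, the `finger` program and its path are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the book under review). Taint mode (-T) makes Perl
# refuse to pass unchecked request data to system(), open() and friends.
use strict;
use warnings;
use CGI;

# Taint mode also requires a trusted environment for any child process.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q   = CGI->new;
my $raw = $q->param('user') // '';

# Unsafe pattern the book warns against: interpolating the raw parameter
# into a shell command line. Shell metacharacters in $raw (";", "|",
# backticks, "$") would be interpreted by /bin/sh rather than treated as data.
# system("finger $raw");   # rejected under -T, and wrong in any case

# Hardened pattern: describe what the field MAY contain (an allowlist), not
# what it may not. The capture group is what untaints the value.
my ($user) = $raw =~ /\A([a-z][a-z0-9_]{0,15})\z/
    or do {
        print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
              "Invalid username\n";
        exit;
    };

# List-form system() starts the program directly, bypassing the shell, so
# even a value that slipped through the regex could not become a command.
# /usr/bin/finger is an assumed helper program for this example.
print $q->header(-type => 'text/plain');
system('/usr/bin/finger', $user) == 0
    or print "lookup failed\n";
```

The script itself lives in the scripts directory; the Perl interpreter it relies on stays outside it, as the book recommends, so a request can never invoke the interpreter directly.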
Web Security: A Step-By-Step Reference Guide is a well-written book that will give new and overworked system administrators the on-point advice and online resources they need to improve their systems' security. It may not make the work week any shorter, but this book will help administrators avoid some of those 3:00 a.m. panic calls.
-- Curtis D. Frye (cfrye@teleport.com)
ERCB ratings (star values not preserved in this copy): Readability, Originality, Organization, Accuracy, Consistency, Depth, Timeliness, Editing, Design, Overall Value.
Explanation of ERCB rating scale: No stars = unacceptable, 1 Star = marginal, 2 Stars = average, 3 Stars = above average, 4 Stars = exceptional.