Tangled Web: A Guide to Securing Modern Web Applications
by Michael Zalewski

No Starch Press 2012.
ISBN ISBN 978-1-59327-388-0 . Amazon.com USD 29.97, Table of Contents

Reviewed by  Richard Austin   January 19, 2012 

We've all experienced a suspicion that is there something basically wrong with the world-wide web and how we use it. Browser vulnerabilities, web-based exploits and malware continue to appear in a regular hit parade despite our best efforts to bring some order and safety to our interactions with the online world. In his second book (the first being the sobering Silence on the Wire reviewed by Bob Bruen in the May, 2005 issue), Zalewski provides an explanation of how we find ourselves in the midst of these troubles and offers suggestions for a way forward.

The first of the book's three parts, "Anatomy of the Web", provides an introduction and overview of just how we came to find ourselves on slippery footing in the midst of a murky swamp with various species of alligators swimming just below the surface. The author displays a brutal honesty as evidenced by this telling observation on what passes for "risk management" in some organizations - an attitude that "structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work" (p. 5).

Even for the many of us who have lived through the "web years", Zalewski's recounting of the very human story of how Tim Berner-Lee's vision of a practical way to build active documents grew into the mammoth, life-permeating web platform still provides a well-organized background perspective for the material that follows. We see that the web was never envisioned to be the critical infrastructure that it became and that as design decisions made for its original purpose began to show their limitations, a bevy of vendors stepped up to address them and put their particular stamp on the developing technology. Though many recognized that standardization was part of an interoperable solution, the rapid pace of commercial innovation and technological change led to standards being largely obsolete by the time they were approved and having little effect on how the web actually worked in practice. Presentation of important web technologies (encoding, frames, cookies, etc) is both detailed and highly readable (demonstrating the author's deep knowledge of the subject).

With a solid introduction to the web's anatomy, the reader is prepared for the second part, "Browser Security Features", which reviews the tactics intended to improve the security of the web experience. Major security features such as "content isolation logic", "origin inheritance", etc, are covered in their own chapters with honest discussion of their benefits and shortcomings. I must admit that your humble correspondent found this part of the book quite challenging to read and digest and, more than once, had to make use of Zalewski's copious references to catch up with the author's presentation . The third and final part provides "A Glimpse of Things to Come" while discussing new security features that are being developed (or still at the discussion stage). While perhaps not things that can be utilized in applications today, they provide an interesting glimpse into the current state of thought. Of special note is Chapter 18, "Common Web Vulnerabilities", that provides concise explanations of the major vulnerability classes discussed throughout the book. So if you find yourself slightly confused about the distinction between XSS and CSRF, a quick glance through this topically-organized chapter will make things clear.

Most chapters conclude with a "Security Engineering Cheat Sheet" which provides concise guidance on dealing with the issues highlighted in the preceding material. It is tempting to say that these alone are worth the price of the book but without the preparation provided by the other material one wouldn't understand why the advice makes sense.

This book goes far beyond oft heard laments such as "the web is a mess" and catalogs of vulnerabilities to take a broad, overall look at how browsers and the web came to work the way they do and the challenges faced in changing the way they work in order to improve overall security. Of particular value is the discussion of how features interact, sometimes in unexpected ways, to make what seems an innocuous or even beneficial change become a disaster waiting to happen. The practical guidance on how to avoid such pitfalls and do a better job with security using the currently available technology is both timely and to-the-point.

Highly recommended for technical security professionals, web architects and senior web developers.

Before beginning life as an educator and independent cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in positions ranging from software developer to security architect. He welcomes your thoughts and comments at raustin2 at spsu dot edu