Java Security by Gary McGraw and Edward Felten

192 pages. $19.95 John Wiley & Sons 1997. Index, bibliography and two appendices. ISBN 0-471-17842-X. LoC QA76.73J38M354

Reviewed by Robert Bruen

Java and Java security should be on the top of list for those who run web sites or just surf the net. The only choices seem to be shutting off Java or running the risk of the hacker's idea of a joke that will cause you difficulties. The authors of this book were among the early discoverers of security problems with Java even as Java was being proclaimed to be secure. They have set up a program to continue to investigate Java security.

This book has had some well known security and Java folks give it praise, but I am less enthusiastic about the book. On the upside the book was prepared in 1996 making it an early entry. It also does explain enough for the reader to understand the security holes without it being a complete recipe for exploiting the weaknesses. The information presented is something that anyone who cares about Java should read and it is not expensive.

My complaint is that the book is short with lots of white space and too many repeats of phrases. It seems to be a few good papers stretched into a small book. There are only six chapters, a FAQ and reproductions of a few CERT advisories. It is not an in-depth look at Java security. I am sure that the authors have much more to give than appears here. The book is still worth reading because the information is useful, it is well written, just understand it is limited in scope. Since the information is about two years old it is somewhat dated. All of the problems mentioned have been, or should have been, fixed, for example at the time of the research Netscape was only at around 2.0. The embedded Java has been improved.

The biggest problems with Java are not the bugs in the code, but rather the design problems. The book describes the security architecture problems with reasonable suggestions for improvement. There is much to be done with respect to formal verification and there is much underway. Until some of the work on the security and cryptography aspects of Java is completed and matured, electronic commerce will not advance as it should. Java is necessary for it, but Java that provides confidence. I am glad these guys are helping out.