Review of Web Security Sourcebook

Web Security Sourcebook
Aviel Rubin, Daniel Geer, and Marcus Ranum
John Wiley & Sons, Inc.

Reviewed by Nick Christenson, May 8, 1998

There are a lot of books out there these days on computer security. Frankly, when I saw this book on the shelf, I didn't give it much thought, despite the fact that I'm familiar with and deeply respect other published works by these authors. I've read so many books on computer security that I didn't think that this book would add much to the litany of available titles. It wasn't until a friend recommended that I check this book out that I did so. What I found was a book that occupies a narrow, but very useful niche in the literature.

In essence, the book can be divided into two parts. The first part covers client side Web security issues and should be of general interest to anyone who accesses the Web. The second part covers server issues and is intended primarily as a reference to Webmasters. The issues in the book are written clearly and in a straightforward manner. Where applicable, illustrations provide a helpful context for the written explanations.

The chapters on client side issues are well considered and appropriate reading for everyone who surfs the Web. This section answers all the basic questions with a great deal of clarity. This includes the issues surrounding cookies, Java, ActiveX, etc. One doesn't have to be an Internet guru to understand these issues and know how to evaluate whether one should take actions to protect oneself. At the same time, there is enough detailed information here so that all but those most thoroughly involved in browser security issues are likely to learn something. The major downside to this section is that it is immediately out of date. The current versions of Internet Explorer and Netscape Navigator as of the time of the book's final editing were obsolete almost immediately after the book's publishing. It would be great to see some updates posted to the book's web site that covered more recent browser versions.

The server security chapters, which make up the bulk of the book, are far more advanced. While someone who has never maintained a Web server before can doubtless understand a number of the issues raised sufficiently to raise their consciousness about Web security threats considerably, a Webmaster with at least some understanding of how their Web server works is really the target audience.

Some of the issues discussed include Server Side Includes, CGI programming, interactions with firewalls, and a discussion of Web commerce. These sections are all pretty good, and although most of this material is available piecemeal from various web sites, it's useful enough just to have it all linked together in one place. The biggest suggestion I would have made would be to include some solid examples in the CGI programming section, rather than just relate what some of the programming pitfalls are. For example, I think it would have been much more useful to have shown two scripts for each language covered that do the same thing, one that was written in a responsible, secure manner, and one that wasn't.

It is alarming how little real attention is paid in the information industry to security issues. Even though lip service and sensational stories abound, still the situation doesn't improve. The lack of understanding of security issues among Web citizens is, frankly, appalling. This book can really help, and it's appropriate that just about everyone involved with the Web in any way read it. Unfortunately, I think it's most likely to be read by those who need to read it least. This is a good book that covers well the material it intends to.


The Web Security Sourcebook is a good book covering web security issues and intentionally goes no further than that. The information in the first few chapters should be read and understood by everyone who accesses the Web. The rest of the book should be read and understood by everyone who has a hand in maintaining a Web server.
