Authors: Bryan Sullivan and Vincent Liu

Publisher: McGraw-Hill  – 331  pages

Book Review by:  Venkat Balasubramaniam

The dilemma faced by firms that want to avoid intrusion and theft of their secrets (data containing customers’ names, quantities and dollar amounts of their purchases, to give one simple but critical example) by hackers is illustrated by the authors in the story below of  The Wizard, the Giant and the Magic Fruit Trees in the Epilogue of this very useful book.

Here is how the story goes:

The hero of this story is the wizard, who owns an enchanted orchard planted with fruit trees. The wizard lives in a tower within the orchard. In the tower is a collection of the wizard’s magic scrolls, crystal balls, wands and other valuable materials.

The wizard lets people living in a village nearby to pick his fruit and buy his magic potion. But the last time the wizard checked his orchard, he was shocked and dismayed to find that most of his trees had been wrecked.

To protect his fruit trees from intruders, the wizard had a moat built around his orchard.   The moat contained hot lava. The problem though was that the moat also kept away the good villagers who came to pick his fruit and buy the magic potion from him.

So the wizard got his friend the giant to help him. The giant was very tall and very strong, but not very smart. When villagers came by, the wizard called out to the giant to get the fruit. The giant would jump over the moat to give the fruit he had picked, to the villagers.

The giant understood that his job was simply to serve the villagers’ requests, and he followed the wizard’s instructions to the letter. So when a sneaky young man came by one day and asked the giant to fetch him the wizard’s collection of magic scrolls, he simply complied, going up to the tower, getting, and then giving away the wizard’s secrets to the young man.

The giant’s attributes of tallness and strength served the wizard well. But the giant’s assumption that he give villagers whatever they asked for, made him give away the wizard’s valuable secrets to a clever thief.

The wizard could give the giant a list of what he should not give to the villagers, but that would be too long a list, reasoned the wizard. So the wizard cast a spell on the giant that prevented him from entering the wizard’s tower. There was no need for him to go to the tower where the wizard’s secrets were stored. He also sat the giant down and explained to him very clearly that his job is only to pick and pass the fruit on to the villagers.

Once the rules were in place, the wizard felt secure that his secrets were protected, the villagers were happy to get the fruit and buy the magic potion they wanted, and the giant clearly understood his job – what to do and what not to do. (I suppose he was happy to have a job at all in today’s tough economy, and that too, using his attributes of being very tall and very strong!)

The above story is an excellent means of solving problems relating to data security issues. If you are an executive of a pharmaceutical firm for example, and a large chunk of your company’s revenue and profit comes from a drug developed by your scientists, and somehow hackers get into your computer system and steal the formula and other data relating to that key drug – an important company asset – how much in sales would the company lose and how do you prevent that from happening again?

This book has three parts to it and nine chapters.

Part I, entitled “Primer” is an introduction to web application security and its fundamentals. It points out the misplaced priorities that companies have and calls for a new focus. It explains differences between network security and application security and emphasizes the need to “think like a defender.”

In here are two chapters. The first has a list and discussion of ten problems, namely: injection; cross-site scripting (XSS); broken authentication and session management; insecure direct object references; cross-site request forgery; security misconfiguration; insecure cryptographic storage; failure to restrict URL access; insufficient transport layer protection; and unvalidated redirects and forwards.

The second chapter, on security fundamentals, deals with three issues: input validation, attack surface reduction, and classifying and prioritizing threats.

Part II, “Web Application Security Principles” has chapters dealing with: authentication; authorization; and browser security principles on same-origin policy, cross-site scripting, and cross-site request forgery; data-security principles and file-security principles.

Part III, “Secure Development and Deployment” deals with methodologies relating to “baking security in,” the holistic approach to application security, and industry-standard secure development maturity models.

This is a work that covers many matters on web application security. It is more than a beginner’s guide as the title suggests. It has topics that are at a higher than a beginner’s level. It is a valuable book, and the authors have done good work on it.

Bryan Sullivan is a security researcher at Adobe Systems, where he focuses on web and cloud security issues. He was previously a program manager on the Microsoft Security Development Lifecycle team and development manager at Hewlett Packard, where he helped to design HP’s vulnerability scanning tools, WebInspect and DevInspect.

Vincent Liu is a managing partner at Stach & Liu, a security consulting firm providing information technology security services to Fortune 1000 firms, global financial institutions, U.S. and foreign governments. He previously led the Attack & Penetration and Reverse Engineering teams for the global security unit at Honeywell International.