Web Security Sourcebook

This is an excellent "all-topics" covered book about web security. The book covers both server and client side considerations, as well as deployment issues (e.g., position of web servers and firewalls). The authors are among the most qualified security pundits in the industry - Marcus Ranum practically invented the firewall, and explains in lay terms the factors that influence web and server firewall deployment. Dan Geer and Aviel Rubin make outstanding contributions as well.

Before reading this book, I thought I understood the important security issues on the web. Boy was I wrong. This book is an excellent guide to the real dangers on the web and how to protect yourself. It is easy reading, although in some parts I found it to be a bit too technical. However, it sure is nice to know that I'm reading something where the authors really know what they are talking about, unlike many technical books that you find nowadays.

The coverage of technical issues was adequate for the beginner. I was disappointed at having to fend off what seemed like one or more typographical errors per page. Ranum's infatuation with his own eccentricity and overeagerness to engage in name-dropping muddy the book just as they plague his technical conference participation.

Written in a clear and understandable style, this book speaks directly to anyone involved in designing, evaluating, and improving world wide web security. It plows through the vendor rhetoric and names names, identifies specific weaknesses, and gives you the prescription for your browser and server security ills. While you may not like the medicine (such as blocking all Java, JavaScript, and ActiveX at your firewall) you cannot argue with the results, namely significantly improved web security. This book should be part of the basic library for security managers, system and network administrators, world wide web developers, and web application consultants. It bears reading more than once, trust me.