Sunday, March 11, 2012

Impressions: Web Application Security: A Beginner's Guide

As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175).
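To make that quoted rule concrete, here is a small added model of it in JavaScript (my own illustration, not code from the book): a simulated server that logs every request it receives, and a simulated browser that always sends the request but only hands the response body to the calling script when the origins match or the server's Access-Control-Allow-Origin header permits it. The server, URLs and header handling are constructed for the example.

```javascript
// Added example, not from the book or the post: a toy model of the same-origin
// policy. The request always leaves the browser; the policy only governs whether
// the script that issued it may read the response.

function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // origin = scheme + host + port
}

// Constructed "server": records every request it sees, whatever its origin.
// allowOrigin is the value it will send in Access-Control-Allow-Origin (or null).
function makeServer(allowOrigin) {
  const log = [];
  return {
    log,
    handle(req) {
      log.push({ origin: req.origin, path: req.path }); // the request was received
      const headers = {};
      if (allowOrigin) headers['access-control-allow-origin'] = allowOrigin;
      return { status: 200, headers, body: 'account balance: 1234' };
    },
  };
}

// Constructed "browser": sends the request unconditionally, then applies the
// same-origin / CORS read check before exposing the body to the page's script.
function crossOriginFetch(pageUrl, targetUrl, server, { credentials = false } = {}) {
  const origin = parseOrigin(pageUrl);
  const target = parseOrigin(targetUrl);
  const path = new URL(targetUrl).pathname;
  const response = server.handle({ origin, path, credentials }); // always sent
  if (origin === target) {
    return { sent: true, readable: true, body: response.body };
  }
  const acao = response.headers['access-control-allow-origin'];
  // A wildcard is not honoured when the request carried credentials (cookies).
  const readable = acao === origin || (acao === '*' && !credentials);
  return { sent: true, readable, body: readable ? response.body : null };
}
```

The point for a defender is the server log: every cross-origin request still arrives and is processed, so the same-origin policy is not a substitute for server-side checks on who may cause an action.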

I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36:

STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities... instead, the purpose of STRIDE is only to classify vulnerabilities according to their potential effects. This is immensely useful information to have when threat modeling an application...

To see my critique of STRIDE, please see my linked post. Basically, STRIDE is best described as "bad stuff," and includes a mix of attacks and vulnerabilities with no real "threats."

Nevertheless, if you're looking for a compact and detail-packed exploration of Web application security, take a look at Web Application Security: A Beginner's Guide.

By the way, I've written a lot about confusing terms like "threat," "vulnerability," "risk," etc. over the years. One of my earliest posts provides background -- The Dynamic Duo Discuss Digital Risk -- if you are so inclined.

1 comment:

Toby Osbourn said...

This looks exactly like the type of book I have been looking for; I think I will pick up the Kindle edition.