Book Reviews

January 2003



Web Hacking: Attacks and Defense.
By Stuart McClure et al.; published by Addison-Wesley, 800/282-0693 (toll-free phone), 515/284-2607 (fax); 492 pages; $49.99.

Hacking Exposed Web Applications: Web Application Security Secrets and Solutions.
By Joel Scambray and Mike Shema; published by McGraw-Hill/Osborne Media, 800/262-4729 (phone), www.osborne.com (Web); 386 pages; $49.99.

There is an unofficial time unit called the "ohnosecond," which is the amount of time between the car door locking and your realizing that the keys are still inside. At such times, security becomes a headache, so the owner may not be so quick to lock the door the next time. Thieves, whether operating in the real or virtual world, are always ready to take advantage of situations where the desire for convenience has created a security vulnerability.

Web Hacking: Attacks and Defense and Hacking Exposed Web Applications are two recent additions to the literature that make this same point. Specifically, both show how poorly written software and misconfigured Web servers make the penetration of corporate computer assets child's play.

Both books provide step-by-step instructions for hardening servers against attack. For those familiar with the Hacking Exposed series, Web Applications uses the same easy-to-read and well-organized approach. Web Hacking contains an almost identical amount of content, but it is written in a slightly more technical manner.

Both works also clearly explain how hackers gather information, acquire targets, gain control of systems, and cover their tracks. And readers will learn how vulnerabilities pervade every facet of computing, from software to scripts to markup files.

Either of these books is a fine choice for security professionals with network security duties. Those who choose to ignore these perils can expect their corporate data to fare the same as many an unlocked car: gone in 60 seconds.

Reviewer: Ben Rothke, CPP, CISSP (certified information systems security professional), is a New Jersey-based information systems security consultant. He is a member of ASIS International.


Interested in writing reviews for Security Management? Contact Michael Gips, senior editor: 703/518-1458; mgips@asisonline.org.


Copyright 2003 Security Management Magazine.
All rights reserved.
This material may not be published, broadcast, rewritten or redistributed without permission.
For permission email: Sherry Harowitz.