Keywords: IT security, web development, ASP, Java, scripting, cracking
Title: Innocent Code
Author: Sverre H. Huseby
Verdict: Highly recommended to all web developers
I don't know about innocent code, but by the time I had finished this book I certainly felt like an innocent coder. In many respects this is the security book that all developers need to read. Where the majority of books on security are devoted to the system admin view of the world, or are about the security ins and outs of this or that platform, this book is focused exclusively on the programmer end of the food-chain.
Sverre Huseby's book is subtitled a security wake-up call for web programmers, and for once this isn't publisher's hype. Huseby succeeds in showing up the inherent dangers of developing in a web environment, and if it doesn't scare the hell out of you then you're either very good or very stupid. In the process he lays down a set of rules, 27 in all, which help to minimise the risks he exposes in even the most innocent of transactions.
What are these dangers that he highlights so effectively - very often with example code and step-by-step scenarios - and which we have to guard against? They range from session stealing to SQL injection to the dangers of security through obscurity and more. These various issues are grouped into Basics (HTTP headers, sessions etc), Passing Data to Subsystems (SQL and shell command injection), User Input, Output Handling (with a focus on cross-site scripting), Web Trojans and finally Passwords and Other Secrets.
Reading through these different topics it soon becomes clear that total paranoia is a state that all web developers should aspire to. Forget issuing that helpful and detailed error message; it might be giving too much away to malevolent forces out on the other side of the invisible security fence. It's also clear that the ingenuity and skill of attackers should never be underestimated.
As always, of course, there is plenty here for the would-be attacker to learn too. While the seasoned cracker may not learn anything new, there are enough details here to tempt the casual player to try a few tricks if they feel so inclined. There's no shortage of this sort of stuff out there already, so there's no harm done, and if it forces the rest of us to look at our code again then it's surely worth the risk.
At the end of the day Huseby has produced a useful book that ought to be required reading for all web developers. It is not just a matter of adhering to the 27 rules that he proposes throughout the book; he also points out how sticking to solid object-oriented design can help to minimise risks. It's sound advice, and advice that developers ignore at their peril.