


Keywords: IT security, web development, ASP, Java, scripting, cracking

Title: Innocent Code

Author: Sverre H. Huseby

Publisher: Wiley

ISBN: 0470857447

Media: Book

Verdict: Highly recommended to all web developers

I don't know about innocent code, but by the time I had finished this book I certainly felt like an innocent coder. In many respects this is the security book that all developers need to read. Where the majority of books on security are devoted to the system admin view of the world, or are about the security ins and outs of this or that platform, this book is focused exclusively on the programmer end of the food-chain.

Sverre Huseby's book is subtitled a security wake-up call for web programmers, and for once this isn't publisher's hype. Huseby succeeds in showing up the inherent dangers of developing in a web environment, and if it doesn't scare the hell out of you then you're either very good or very stupid. In the process he lays down a set of rules, 27 in all, which help to minimise the risks he exposes in even the most innocent of transactions.

The book takes a refreshingly language-independent course, with examples and code in Java, VBScript, JavaScript, Perl, PHP and more. The dangers he highlights are independent of any given development platform, again in contrast to many other IT security books. This also means, of course, that the remedies are language and platform independent too.

What are these dangers that he highlights so effectively - very often with example code and step-by-step scenarios - and which we have to guard against? They range from session stealing to SQL injection to the dangers of security through obscurity and more. These various issues are grouped into Basics (HTTP headers, sessions etc), Passing Data to Subsystems (SQL and shell command injection), User Input, Output Handling (with a focus on cross-site scripting), Web Trojans and finally Passwords and Other Secrets.
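To make the first two of those groups concrete, here is an added illustration of the kind of thing Huseby is warning about. It is the reviewer's example, not code taken from the book: the same user lookup written with string concatenation (SQL injection) and with a bound parameter, the same greeting echoed into HTML raw and encoded (cross-site scripting), and a shell command line built with and without quoting. The users table, its two rows and the attack strings are constructed for the demo, and the function names are assumed names for illustration only.

```python
# Added example (not code from Huseby's book): the injection problems the
# review names under "Passing Data to Subsystems" (SQL and shell commands)
# and "Output Handling" (cross-site scripting), each as the naive form
# beside the fixed one. The users table, its rows and the attack strings
# are constructed for the demo; every function name is an assumed name.
import html
import shlex
import sqlite3


def make_db():
    """Constructed in-memory user table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alpha"), ("bob", "bravo")])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the user's input into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, name):
    """Binds the input as a parameter; the driver never treats it as SQL,
    so the same attack string simply matches no user."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def render_vulnerable(name):
    """Echoes user data into HTML unchanged: markup in the data becomes
    markup in the page (cross-site scripting)."""
    return "<p>Hello, " + name + "</p>"


def render_escaped(name):
    """Encodes the data for the HTML context it is written into, so <, >,
    & and quotes reach the browser as literal characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def shell_line_vulnerable(filename):
    """Shell-command injection shape: the name is pasted into a command
    line that a shell will split on ; | & and similar metacharacters."""
    return "cat " + filename


def shell_line_quoted(filename):
    """Quotes the value so the shell sees a single argument; the better fix
    is to avoid the shell entirely and pass an argument vector."""
    return "cat " + shlex.quote(filename)


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, attack))        # both users
    print("parameterised:", lookup_parameterised(db, attack))  # nothing
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
    print(shell_line_vulnerable("report.txt; rm -rf /"))
    print(shell_line_quoted("report.txt; rm -rf /"))
```

The point Huseby makes, and the example shows, is that none of this is specific to a language: the fix in every case is to keep data and the subsystem's syntax separate, whether by binding parameters, encoding for the output context, or not handing a string to a shell at all.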

Reading through these different topics it soon becomes clear that total paranoia is a state that all web developers should aspire to. Forget issuing that helpful and detailed error message: it might be giving too much away to malevolent forces on the other side of the invisible security fence. It's also clear that the ingenuity and skill of attackers should never be underestimated.

As always, of course, there is plenty here for the would-be attacker to learn too. While the seasoned cracker may not learn anything new, there are enough details here to tempt the casual player to try a few tricks if they feel so inclined. There's no shortage of this sort of stuff out there already, so there's no harm done, and if it forces the rest of us to look at our code again then it's surely worth the risk.

At the end of the day Huseby has produced a useful book that ought to be required reading for all web developers. It is not just a matter of adhering to the 27 rules he proposes throughout the book; he also points out how sticking to solid object-oriented design can help to minimise risks. It's sound advice, and advice that developers ignore at their peril.

