Fresh news and solutions for small business. By Ron Seybold

The Tangled Web helps secure browser-based apps


Review by Steve Hardwick

No Starch Press, November 2011, 320 pp., $49.95

A Veracode survey published in December 2011 found that more than 80 percent of roughly 10,000 web applications examined failed security testing. That figure shows how fertile a ground web applications remain for attackers, and that web developers still have work to do to make their applications secure. The Tangled Web by Michal Zalewski is aimed at web application developers and security professionals who already have a solid working understanding of the web and of how browsers operate. The author goes into fairly technical detail and assumes the reader has the skills to follow the technology discussed.

After an introductory chapter outlining some security fundamentals, the book is split into three parts. The first part covers browser and web technologies, with specific attention to vulnerabilities and how they came to be part of the infrastructure. The second part covers browser security and highlights some of the ways to mitigate the inherent holes in the current technology. The final portion covers some of the new vulnerabilities expected to appear in the near future. With a couple of exceptions, each chapter concludes with a security engineering cheat sheet. This summarizes the topics covered in the chapter and serves as a guide to implementing the technology discussed. It makes a useful quick reference to the book's contents after a first read-through and can be used as a design aid on future projects.

Part One goes into some depth on the various technologies used by browsers, both their internal operating infrastructure and the services used over the web. Attention is paid to the areas of the technology that are open to exploitation. In many cases the author outlines how the weaknesses came into being and gives a good view of the difficulty of building this technology. Part One is broken down into chapters that cover the different pieces of browser function. Internal processes, HTML and CSS parsing for example, are covered, and so are the external ones, HTTP and URL parsing. Two chapters cover the browser's additional programming capabilities, namely JavaScript and plug-ins. Throughout this section many examples are given of how the vulnerabilities can be exploited, which gives the reader a better understanding of how an attacker would go about using these weaknesses. In some cases a chapter's discussion of a topic is limited because of the topic's complexity; the author then includes references to other works that cover it in greater detail and focuses on the key areas relevant to web security.
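To make concrete the kind of URL-parsing inconsistency the book's first part deals with, here is an added example written for this review page; it is not code from The Tangled Web or from its author. It compares a hand-rolled "trusted host" check of the sort found in redirect handlers against the decision the browser's own URL parser makes. The trusted host "example.com" and every sample URL are constructed for the illustration.

```javascript
// Added example (not from The Tangled Web or this review): two ways of deciding
// whether a user-supplied URL points at a trusted host, and where they disagree.
// All sample URLs below are constructed test inputs.

const TRUSTED_HOST = "example.com"; // assumed allow-list entry for the example

// The hand-rolled check many redirect handlers use: a string prefix test.
// It never works out where the authority section of the URL actually ends.
function naiveHostCheck(input) {
  return input.startsWith("http://" + TRUSTED_HOST) ||
         input.startsWith("https://" + TRUSTED_HOST);
}

// The same decision made with the WHATWG URL parser that Node.js and browsers
// share. It applies the rules a human reader tends to forget: userinfo before
// "@", ports, case-insensitive scheme and host, and "\" treated as "/" for http(s).
function parsedHostCheck(input) {
  let u;
  try {
    u = new URL(input);
  } catch (err) {
    return false; // unparseable input: refuse rather than guess
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false; // no userinfo tricks
  return u.hostname === TRUSTED_HOST;
}

// Run both checks side by side so the disagreements are visible.
function compareChecks(input) {
  return { input, naive: naiveHostCheck(input), parsed: parsedHostCheck(input) };
}

const SAMPLES = [
  "http://example.com/page",           // plain case: both accept
  "HTTP://EXAMPLE.COM/page",           // scheme and host are case-insensitive: only the parser accepts
  "http://example.com.evil.com/",      // passes the prefix test, but the host is evil.com
  "http://example.com@evil.com/",      // "example.com" is a username; the host is evil.com
  "http://example.com:80@evil.com/",   // "80" looks like a port but is a password
  "http://example.com\\@evil.com/",    // "\" ends the host for http(s): the browser goes to example.com,
                                       // while a parser treating "\" literally sees host evil.com
  "javascript:alert(document.domain)"  // not http(s) at all: both reject
];

for (const row of SAMPLES.map(compareChecks)) {
  console.log(row);
}
```

The lesson the table of results teaches is the one the book keeps returning to: a filter is only as good as its agreement with the parser that will ultimately consume the URL, so validate with that parser (and reject anything carrying credentials or an unexpected scheme) rather than with a prefix or regular expression.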


What’s your browser, and is it as shiny as Chrome?


In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of Infoworld declaring "Firefox is dead" this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta and into a full release, the first of many. It is promised to be fast, open and secure. A business user might consider Chrome as their window to the Web.

Picking a browser is like choosing a home repair store. You develop a habit of using one and stop thinking about the alternatives. Chrome is definitely a faster browser than Firefox in our use, delivering a payoff in the "time is money" formula. If you browse a lot, Chrome could be an upgrade. (Safari's performance is much closer to Chrome's.)

But Chrome has some catching up to do in other areas. In the Mac version we downloaded this week, some Web sites don't work completely. Our TypePad account editor (where we publish the 3000 NewsWire blog) won't let us resize graphics for posts in Chrome. The editing features at the Constant Contact email site won't perform with Chrome for the Mac either.

This puts Chrome in a category with the iPad: very fast and slick for consuming information, not so good for creating messages and more. As for the death of Firefox, that obituary shouldn't be written yet; 350 million users won't expire overnight.

Early peek: A Web browser for iPad


Developers now have the iPad software development toolkit, so the behavior of the iPad interface is being shared via YouTube videos. Nobody can demonstrate the multitouch gestures yet; these simulations use a mouse to mimic the hand-touch interface. If you've used the browser on the iPhone, there are few new wrinkles here. The best improvement is a keyboard closer to full size. This might be the best use of the iPad's keyboard that we've yet seen. (The link below is Flash, so again, apologies to the iPhone and iPod Touch users out there.)

In short, the iPad's browser will be Safari and probably nothing else, since Apple wants to control this aspect of the iPad experience. But this Safari demo shows how the iPad can be a powerful research tool for gathering information from those Web business resources which don't have a dedicated iPad app yet. The advantage of using it rather than a MacBook lies in the ability to share your results by just passing the iPad around, something cumbersome with a laptop, or even a netbook.

(Above video courtesy of appadvice.com.)

© 2009 Bites of Apple. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.