Hack Proofing Your Web Applications Review by Richard Bejtlich
Another surprisingly good security book from Syngress
I am a senior engineer for network security operations. Since I am not a developer, I was initially reluctant to read and review a book seemingly targeted towards programmers. From a non-developer, security professional standpoint, I believe "Hack Proofing Your Web Applications" (HPYWA) is an excellent book. Because HPYWA provides sufficient background, administrators will find it enlightening. Programmers should find it practical as well.
HPYWA is unique. One sees dozens of general networking and security texts, but few on securing applications. Since attackers are gravitating towards exploiting subtle application flaws, HPYWA's advice is timely and sorely needed. Talented authors (who should be credited chapter-by-chapter) explain security strategies for Visual Basic for Applications, CGI, Java, XML, ActiveX, and Cold Fusion. They tell how to avoid becoming a "code grinder" ("a developer who lacks creativity... bound by rules and primitive techniques"). They also discuss general exploit techniques, but not to the depth of a "Hacking Exposed" volume.
Crucially, throughout the book, the authors do not assume the reader is an expert in all technologies. They instead begin with solid introductions to languages and tools. These help non-programmers understand the issues, and give developers common foundations for code improvement.
I was particularly impressed by chapter 6, which explained how to conduct code audits and reverse engineering. Even without a great deal of programming background, I understood the author's explanations of format string vulnerabilities, cross-site scripting, and related problems. Chapter 7 was also excellent, as it showed how to disassemble Java byte code and alter it with a hex editor.
HPYWA is not perfect, however. Despite offering very strong coding advice, discussions of network-based security issues contained flaws. For example, the descriptions of denial of service on pages 13-14 and 285-286 are confused. On page 171, "SMTP" is not "Sendmail Transfer Protocol." Since I didn't read HPYWA to learn network security techniques, I didn't weigh these errors too heavily.
Developers will probably view HPYWA as a useful reminder of sound programming practices. They will also find the specific recommendations (avoid certain system calls, watch out for these formatting errors, etc.) practical and immediately applicable to their work. System administrators and security professionals will gain an understanding of the underlying weaknesses in the technologies they deploy and maintain. In short, HPYWA has a place on the bookshelves of both communities.[....]