Customer Reviews


6 Reviews
5 star: (3)
4 star: (0)
3 star: (1)
2 star: (0)
1 star: (2)

The most helpful favorable review
The most helpful critical review


14 of 14 people found the following review helpful:
5.0 out of 5 stars Security for advanced Java developers
Published on November 12, 2002 by Michiel Pelt

versus
6 of 6 people found the following review helpful:
3.0 out of 5 stars Good book, with reservations
Published on March 15, 2004 by vaaesthete



14 of 14 people found the following review helpful:
5.0 out of 5 stars Security for advanced Java developers, November 12, 2002
This review is from: J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) (Paperback)
The book uses an example Java application which is initially very unsecure, and throughout the book the vulnerabilities of the example are discussed and countermeasures are written. Then the application is web-enabled, creating new vulnerabilities which are fixed again, and so on. This way the complex material is covered in an easily accessible yet comprehensive way, without becoming lengthy. This book is a must-have for any serious Java web developer interested in application security. Not recommended for beginners, though.


6 of 6 people found the following review helpful:
3.0 out of 5 stars Good book, with reservations, March 15, 2004
Amazon Verified Purchase
This book has some nice examples and is fairly complete, but some sections are basically a regurgitation of the java.sun web site!
In many technical books, it is common to find multiple authors, each writing a section based upon his/her expertise. Since each author has a specific writing style and personality, there is usually a person (or persons) charged with proofing and approving the sections as well as working to make the transitions seamless and consistent. This book was written by three different authors and it would appear to me that at least one of the authors turned in work that is remarkably similar to existing sources!

Here is a sample of the JCE section in Hacking Exposed:
"The Java Cryptography Extension (JCE) package provides a framework for encryption and decryption, key generation, key agreement, and MAC. Encryption allows symmetric, asymmetric, block, and stream ciphers, with additional support for secure streams and sealed objects."
Now here is the verbiage from the java.sun.com website:
"The Java™ Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects."

To be fair, it appears that the problems are confined to the first section of the book. The final 2/3 of the book are closer to what I expect from the Hacking Exposed series.



22 of 28 people found the following review helpful:
1.0 out of 5 stars Not a Hacking Exposed book at all, February 6, 2003
If this book had been titled differently, I would have had no
reason for complaint: it gives a good introduction to Java
Security, and how to deploy it in various forms.

But it *is* titled 'Hacking Exposed'. That is now taken
to be an indication of a particular approach to security,
... The blurb acknowledges it: 'The proven Hacking Exposed
methodology' is the first thing mentioned under 'What You Learn'.

And I bought this title without second thought -- I have
nothing but praise for the previous books, and expected
to find the same approach and the same quality here.

In this book you find a lot of information on prevention, but
very little on actual vulnerabilities. As a result the
message is far less urgent. If I can demonstrate a 'hack'
the message gets across very quickly: we have to do something
about it now. But if all I can do is point to a text that
says 'attackers can potentially attach a debugger to our
application and watch the code as it runs', urgency is gone.

There's another point there as well: 'our application'.
Those words probably sum up the difference from, say, 'Hacking
Exposed Web Applications'. This book is not from the point of
view of the hacker that the previous books used so well to get
their message across. This is 'we', protecting our assets from
a considerably more nebulous hacker than has appeared earlier.

The difference is the same as between an actual security
incident on one hand, and the report of a threat analysis on
the other.

In short, this is not a Hacking Exposed book. It's a Java
Security Exposed book. As such it probably merits four stars.

But ... as it is marketed as a Hacking Exposed book, and,
in my opinion, doesn't live up to the expectations that go
with that trademark, I'm afraid I can't give any rating at all.
(1 star seems to be the lowest possible, so that is what I give it.)

I'll be very careful about purchasing the next red book
with "Hacking Exposed" all over the front cover. I just
might find that I have bought 'Hacking Exposed - ISO 17799'.


5 of 5 people found the following review helpful:
5.0 out of 5 stars Comprehensive Java Security Book, November 10, 2003
This is a very good book on Java security that starts pretty much from the ground up so you have to know much about security to read it. The first part of the book starts out with some of the Java security basics (classloading, protection domains, etc.) and then goes through the JAAS, JCE, and JSSE modules.

The second part of the book goes through how to use security in stand-alone Java applications and what pitfalls you need to watch out for. The book also details where security is lacking or not mature and what the alternatives are.

The third section of the book goes through security in the J2EE environment and where the J2EE containers can help out the developers by doing most of the work for them.

Overall this book provides a very good overview of security in all the Java environments while not requiring previous security knowledge. I highly recommend it.



6 of 9 people found the following review helpful:
5.0 out of 5 stars Real Help for J2EE Programmers, October 22, 2002
By A Customer
This is one of the best books I've read on J2EE security. The recommendations in this book improved my existing production applications and development designs.


1.0 out of 5 stars Dated material, July 27, 2010
Some may think this unfair, so I will be brief. I'd like to find a current edition of something like this. Certainly in the family of Hacking Exposed.... a book on the state of Java (1.2 maybe?) and J2EE (1 maybe?) this book is 8 years old. JEE r6 is out as is Java SE 6, soon to be 7. As for the state of vulnerabilities both new and defeated, that too is a completely different landscape now. It would be wonderful for a text on vulnerabilities based on JEE 6 and JSE 6 or 7.

