Java Security [Paperback]

Gary McGraw (Author), Edward W. Felten (Author)
4.8 out of 5 stars (4 customer reviews)



There is a newer edition of this item:
Securing Java: Getting Down to Business with Mobile Code, 2nd Edition, 4.3 out of 5 stars (6)
Out of Print--Limited Availability

Book Description

ISBN-10: 047117842X | ISBN-13: 978-0471178422 | Publication Date: December 31, 1996 | Edition: 1
"This book is mandatory reading for every user and developer of webware." —Peter G. Neumann, Moderator of the Risks Forum

Do you know how to sort out fact from fiction when it comes to Java security? Did you know that whenever you surf the Web with Netscape or Internet Explorer you are using Java? That means that someone else's code is running untested on your computer. Don't wait for a hostile applet to show you how vulnerable your site is. International security experts Gary McGraw and Edward Felten—leader of the famed Princeton team—tell you how Java security works, and how it doesn't.

McGraw and Felten give you all the information you need to create a reasonable Java use strategy. Java Security gives you:

  • Guidelines for using Java more safely today
  • What to expect in the Java security future
  • A clear treatment of the risks of using Java
  • Vital information explaining the three prongs of the Java security model: the Byte Code Verifier, the Applet Class Loader, and the Security Manager
  • Clear explanations of holes in the Java security model

Whether you're a webmaster, an information technology manager charged with creating an intelligent security policy for your organization, or a concerned Web user, this book is must reading.

Visit this book's companion web site at: http://www.rstcorp.com/java-security.html

Visit our web site at: http://www.wiley.com/compbooks/


Editorial Reviews

Amazon.com Review

Right at the beginning the authors admit that " ... there is no black-and-white answer to the question, should I use Java?," and that the purpose of this book is to help you make your own decision. As an aid to systems administrators who are judging whether to enable Java on their company's computers, this book is worth the short time it takes to read it.

Java Security begins with a description of the aims and features of the Java language and its security model, a description that will hold no surprises for the moderately experienced Java programmer. Authors Gary McGraw and Edward W. Felten, both professional hunters of Java security flaws, then spend a little too long detailing their past glories: the flaws in Java that they and others have found, but have long since fixed. They also list ongoing nuisance problems, suggestions and predictions for Java's future, and a short list of "antidotes" users can take to avoid risks.

Review


Securing Java, a successor volume by Gary McGraw and Edward W. Felten to their 1997 Java Security, is an ambiguous book. Securing Java is really about insecuring Java. It's about errors, errors of strategy and tactics, errors existential in nature, errors which potentially allow the malevolent cracker to code what is literally a killer Java applet.

McGraw and Felten are part of the security research community. They know whereof they speak and describe the taxonomy of nearly every recorded Java security lapse, whether inherent in Sun's design or resultant from vendor miscues in virtual machine implementation. While many of the holes in the model have already been patched, the emphasis is on what types of things to look for, from what directions one might anticipate finding a security hole. "Security holes can be likened to pitons," the book says, "Sometimes one piton is enough to help a climber make it to the top ... other times, more than one piton may be needed."

Securing Java is excellently edited and designed, a gripping technical "whatdoneit" that should have Dilbert sitting on the edge of his seat. The publisher is daringly operating under the theory that you will like what you see and need a copy to carry with you on the airplane. The authors do not believe that the free web version will impact sales of the printed book. In any event, you can order the paper book from the web page. --Jack Woehr, Dr. Dobb's Journal


Product Details

  • Paperback: 192 pages
  • Publisher: Wiley; 1 edition (December 31, 1996)
  • Language: English
  • ISBN-10: 047117842X
  • ISBN-13: 978-0471178422
  • Product Dimensions: 9.1 x 7.4 x 0.4 inches
  • Shipping Weight: 13.6 ounces
  • Average Customer Review: 4.8 out of 5 stars (4 customer reviews)
  • Amazon Best Sellers Rank: #2,569,462 in Books

More About the Author

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com
personal www.cigital.com/~gem

music http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20

 

Customer Reviews

4 Reviews
5 star: (3)
4 star: (1)
3 star: (0)
2 star: (0)
1 star: (0)

Most Helpful Customer Reviews

7 of 7 people found the following review helpful:
4.0 out of 5 stars Good for 1996, April 3, 2002
By Goldin Evgeny (Tel-Aviv, Israel)
This review is from: Java Security (Paperback)
I'm writing this review in April, 2002 when IE 6.0 became a standard browser and Netscape is RIP.
This book was written 6 years ago in the days of NN 2.0 and IE 3.0. Although it's more than outdated by now, it clearly explains what security risks exist for Java-enabled browsers and answers my (and maybe your) question "How the hell applets can break through Security Manager?!" Its main idea is to explain to readers what harm applets can do, why it is possible at all, and what is done about the subject by the browser manufacturers. Good work for 1996.

Note that it's not a "Java security book" in the terms you may think today - in 1996 Java was only understood as flashy applets popping up on the Web.



2 of 2 people found the following review helpful:
5.0 out of 5 stars Great Java security book, October 30, 2000
This review is from: Java Security (Paperback)
If you use a web browser that is Java enabled (versions greater than Netscape Navigator 2.0 and Microsoft Internet Explorer 3.0), and are concerned about Java security, this book is required reading.

At under 160 pages of text (not counting the appendices), Java Security provides a superb overview of security issues involved with using Java. The authors are security veterans. Felten heads up the Princeton University Safe Internet Programming Team and is famous for discovering quite a few holes in the Java security model.

One might think that two security experts who know the depths and implications of Java security may come out with a reference with suggestions that are overly restrictive and perhaps paranoid. That is not the case here. The recommendations that the book suggests are rational and reasonable. Java Security provides commendable guidelines on how to use Java more safely and what the future holds for Java security features.

The 6 chapters of the book provide an excellent and comprehensive analysis of all aspects of Java security. Chapter 2 provides a significant amount of detail about the Java Security Model, with in-depth coverage of the 3 prongs (as they call it) of the security model, namely: the Byte Code Verifier, the Applet Class Loader and the Security Manager.

Chapter 3 follows with a discussion detailing serious holes in the security model. The authors consider a flaw to be serious when the breach has the potential to corrupt data, reveal private information, or infect the workstation with a virus. They fittingly note that all of the flaws detailed in the chapter have been fixed by Netscape and Microsoft. The function of the chapter is to show what sort of things can go wrong. Chapter 3 concludes with a summary of 8 significant security problems that were discovered last year in implementations of Java.

The book also goes into great detail on what developers and end-users can do to make Java much more secure. Their six guidelines for Safer Java use are:

1. Know what web sites you are visiting
2. Know your Java environment
3. Use up-to-date browsers with the latest security updates
4. Keep a lookout for security alerts
5. Apply drastic measures if your information is truly critical
6. Assess your risks

Felten has his doctorate in computer science; nonetheless, the book is written in a very clear and coherent manner. Add this to your bookshelf.



1 of 1 people found the following review helpful:
5.0 out of 5 stars An Excellent read for anyone interested in Java security, August 28, 1997
By A Customer
This review is from: Java Security (Paperback)
This book is wonderfully written and full of good information. It would be useful for anyone from novice users to managers to Java Programmers who are concerned about security. In fact, I strongly recommend them buying a copy to read as this is one of the best technical books I've read in a long time. The only audience I wouldn't recommend it for are the people who are doing very advanced Java Security work such as writing their own Security Manager, but they may even learn something from it.