Securing Java: Getting Down to Business with Mobile Code, 2nd Edition [Paperback]

Gary McGraw (Author), Edward W. Felten (Author)

Book Description

ISBN-10: 047131952X | ISBN-13: 978-0471319528 | Publication date: January 25, 1999 | Edition: 2

Information Security/Java

"This book is mandatory reading for every user and developer of Webware." -Peter G. Neumann, Moderator of the Risks Forum, from his review of the first edition

Securing Java

Java security is more important now than ever before. As Java matures and moves into the enterprise, security takes a more prominent role. But as Java evolves, its security issues and architectures get more complicated. Written by the world's leading experts on mobile code security, this updated and expanded edition of the groundbreaking guide to Java security includes lessons for Web users, developers, system administrators, and business decision-makers alike. This book navigates the uncharted waters of mobile code security and arms the reader with the knowledge required for securing Java. It provides in-depth coverage of:
* The base Java security sandbox, made up of the Verifier, Class Loaders, and the Security Manager
* Code signing, stack inspection, and the new Java 2 security architecture
* The pros and cons of language-based enforcement models and trust models
* All known Java security holes and the attack applets that exploit them
* Techniques commonly used in malicious applets
* Twelve rules for developing more secure Java code, with explicit examples
* Hard questions to ask third-party Java security tools vendors
* Analysis of competing systems for mobile code, including ActiveX and JavaScript
* Card Java security, smart card risks, and their impact on e-commerce security
On the companion Web site www.securingjava.com you'll find:
* The Java Security Hotlist: Over 100 categorized and annotated Java security-related Web links
* An e-mail list to keep subscribers abreast of breaking Java security news
* A complete electronic edition of this book


Editorial Reviews

Amazon.com Review

The Java environment is relatively secure, as far as network programming languages go. Java has strong security, but not perfect security. Securing Java explains the known security problems with the language and points out steps that programmers can take to prevent bad guys from taking advantage of their Java-based systems.

Authors Gary McGraw and Edward W. Felten begin with the sandbox--the original Java security model. They then explain why the sandbox, while secure, was too restrictive and was combined with a code-signing model in Java 2.

After explaining how security ought to work, Securing Java reveals a menagerie of applets that have circumvented Java security to achieve a variety of noisome and damaging ends. The authors reveal enough information about these applets to show where the dangers are, and they offer security tips for programmers and network administrators.

McGraw and Felten include a brief but well-informed chapter about the security issues raised by the Java Card environment and smart cards generally. A couple of question-and-answer sections toward the end of Securing Java also deserve special recognition. One, on Java security as a whole, provides succinct and accurate answers to questions about how secure Java is and what you can do to minimize your Java security risk. The other Q&A section compares--fairly and with plenty of information--the security features of Java and ActiveX. --David Wall


Product Details

  • Paperback: 324 pages
  • Publisher: Wiley; 2 edition (January 25, 1999)
  • Language: English
  • ISBN-10: 047131952X
  • ISBN-13: 978-0471319528
  • Product Dimensions: 9.2 x 7.4 x 0.8 inches
  • Shipping Weight: 1.2 pounds
  • Average Customer Review: 4.3 out of 5 stars (6 customer reviews)
  • Amazon Best Sellers Rank: #2,352,174 in Books

More About the Author

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com
personal www.cigital.com/~gem

music http://www.amazon.com/dp/B003JPNV1I/?tag=lastfmmp3-20

 

Customer Reviews

6 Reviews: 5 star (4), 4 star (1), 3 star (0), 2 star (1), 1 star (0)

Average Customer Review: 4.3 out of 5 stars (6 customer reviews)

Most Helpful Customer Reviews

7 of 7 people found the following review helpful:
5.0 out of 5 stars Excellent conceptual overview, April 29, 1999
By A Customer
This review is from: Securing Java: Getting Down to Business with Mobile Code, 2nd Edition (Paperback)
IMHO, this book is an excellent conceptual overview which also goes into some practical areas, such as signing applets with JDK1.1 and 1.2, IE & Netscape, SignTool, javakey, keytool, JARs and CABs, etc. Has pointers to many relevant resources on the net.

But it doesn't go into much detail (only 315 pp.) and doesn't have any source code.



1 of 1 people found the following review helpful:
4.0 out of 5 stars good information base for beginners/intermediates, November 17, 2003
This review is from: Securing Java: Getting Down to Business with Mobile Code, 2nd Edition (Paperback)
This book is very informative, describes the Java security model and its evolution in detail, in fact, in too much detail to suit advanced developers.

It does not cover in detail how to write your own ClassLoader/SecurityManager and other security-related components, so I would not recommend it to somebody wanting to rewrite the whole security model for an enterprise-grade application, but this book surely covers a wide range of security basics which I find would be useful for anyone interested in security, not only for Java developers.

This book gives a detailed listing of the kinds of security threats Java has faced since its inception and how they were plugged, and while doing that it gives a good perspective on how a system can be compromised or prevented from being so.



1 of 1 people found the following review helpful:
5.0 out of 5 stars Excellent book on Java Security, February 23, 1999
By A Customer
This review is from: Securing Java: Getting Down to Business with Mobile Code, 2nd Edition (Paperback)
It covers all aspects of Java security from known bugs to the sandbox to the Java Card API and everything in between. The authors are well-known security analysts and give you the straight dope on Java security (good and bad).

The book is incredibly well researched and extremely accurate. On top of that the writing is excellent and won't put you to sleep as many security tomes will.

This book is useful for anyone from novice users to managers to Java Programmers who are concerned about security. Anyone who is involved with or concerned about Java security should buy this book as it will provide them with the information that they need.
