- Paperback: 248 pages
- Publisher: Wiley; 1 edition (January 30, 2004)
- Language: English
- ISBN-10: 0470857447
- ISBN-13: 978-0470857441
- Product Dimensions: 7.5 x 0.4 x 9.3 inches
- Shipping Weight: 1 pound
- Average Customer Review: 5 customer reviews
- Amazon Best Sellers Rank: #2,803,668 in Books
Innocent Code: A Security Wake-Up Call for Web Programmers 1st Edition
"...the security book that all web developers need to read... sound advice... ignore at peril..." (Tech Book Report, January 2004)
"...achieves its aims admirably..." (PC Utilities, April 2004)
"...should be required reading for web developers..." (about.com, March 2004)
"...if you are a web techie you will love this book, I did..." (Infosecurity Today, July 2004)
From the Back Cover
This book is much more than a wake-up call. It is also an eye-opener. Even for those who are already awake to the problems of Web server security, it is a serious guide for what to do and what not to do, with many well-chosen examples. The set of fundamental rules is highly relevant.
Peter G. Neumann, Author of Computer-Related Risks, and moderator of the Internet Risks Forum (risks.org).
This concise and practical book will show where code vulnerabilities lie and how best to fix them. Its value is in showing where code may be exploited to gain access to - or break - systems, but without delving into specific architectures, programming or scripting languages or applications. It provides illustrations with real code.
Innocent Code is an entertaining read showing how to change your mindset from website construction to website destruction so as to avoid writing dangerous code. Abundant examples from susceptible sites will bring the material alive and help you to guard against:
- SQL injection, shell command injection and other attacks based on mishandling meta-characters
- bad input
- cross-site scripting
- attackers who trick users into performing actions
- leakage of server-side secrets
- hidden enemies such as project deadlines, salesmen, messy code and tight budgets
All web programmers need to take precautions against producing websites vulnerable to malicious attack. This is the book which tells you how without trying to turn you into a security specialist.
Customer Reviews
Like the former book, this one systematically covers exposures and vulnerabilities, and provides remedies at the code level. What sets this book apart is that every component of a modern web site, from web server to backend database, is covered, problem areas from a developer's perspective are highlighted, and solutions for resolving the problem areas are given. I like this book because developers, from casual hobbyists to professionals, will easily grasp the information. More importantly, the material is not insultingly simple to experienced developers, nor is it over the head of less experienced ones.
Another reason I like this book is that, by systematically uncovering exposures, it can also serve the QA team as a sourcebook for developing a baseline set of test cases that will catch security-related problems during acceptance, functional qualification, or regression test cycles.
In my opinion not only should web developers (including DBAs) and QA professionals read this book, but it should also be adopted by development organizations and projects as a part of coding standards.
Take SQL injection. If you do not have your web server filter the user's input in a web page submitted by her browser, and you blithely pass her string to your SQL engine, you are asking for grief. You're begging for a cracker to stuff a SQL command script to sabotage or excavate your database. Thus too for shell command injection, where your server might inadvertently execute that as a shell command. Remember to filter user input!
Cross site scripting and Trojans are also explained. Unfortunately, while the Trojan discussion is understandable, it is far too short.
There is no discussion of antiphishing methods. Though in the Trojan chapter, an example fake email would qualify as phishing. Perhaps the author saw no technical solution for phishing. And this book is about technical solutions.
The author manages a tight and very readable book that is addressed at the software developer. It can be read in about a day or afternoon (if you happen to be stranded at an airport lounge). I will be suggesting it to be one of our standard literature titles on the development floor.
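The SQL injection and shell command injection paragraph in the second review above, as an added example that is code from neither the book nor either reviewer: a Python script in which an in-memory SQLite table stands in for the site's back-end database and a harmless `echo` stands in for a real command such as ping. The vulnerable functions concatenate the browser-supplied string into SQL text or a shell command line, exactly the "blithely pass her string" case; the hardened ones bind the value as a query parameter or pass it as a separate argv element, so neither the database nor the shell ever parses it as code. The table rows, the hostnames and the two injection payloads are all constructed for the example, and it goes one step beyond the review's "filter user input" advice by showing that keeping data out of the code channel is the primary fix, with filtering as a second layer.

```python
import sqlite3
import subprocess

# Constructed sample data (not from the book): a tiny in-memory SQLite
# table standing in for the site's back-end database.
SAMPLE_USERS = [("alice", "s3cr3t"), ("bob", "hunter2")]


def make_db():
    """Create the in-memory database the lookup functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The 'innocent' version: the browser-supplied name is pasted into
    the SQL text, so a quote and an OR inside it are parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised version: the driver binds the name as data.
    Whatever meta-characters it contains, it can only ever be a value."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def echo_vulnerable(host):
    """Shell command injection: the host is spliced into a command line
    that /bin/sh parses, so a ';' in it starts a second command. 'echo'
    stands in for a real command such as ping; the mechanism is the same."""
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def echo_safe(host):
    """No shell at all: the host travels as one argv element straight to
    the program, so ';', '|', '$(...)' and friends stay literal text."""
    return subprocess.run(
        ["echo", "pinging", host], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    conn = make_db()
    # Constructed injection payloads, one per channel.
    sql_payload = "' OR '1'='1"
    shell_payload = "example.com; echo INJECTED"
    print("vulnerable SQL :", lookup_vulnerable(conn, sql_payload))  # every row leaks
    print("safe SQL       :", lookup_safe(conn, sql_payload))        # []
    print("vulnerable sh  :", repr(echo_vulnerable(shell_payload)))  # second command ran
    print("safe sh        :", repr(echo_safe(shell_payload)))        # payload printed literally
```

With the parameter and the argv list in place, an allow-list on the input (a hostname is letters, digits, dots and hyphens and nothing else, rejected before any call is made) is still worth adding as the second layer; that is where the review's "filter user input" belongs, not as the only defence.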