
The Tangled Web: A Guide to Securing Modern Web Applications

The Tangled Web: A Guide to Securing Modern Web Applications. By Michal Zalewski. No Starch Press; 320 pages; $49.95.

The Internet evolved from elementary to beyond imagination in just a few decades. As if it were a gold rush, stakeholders responded to this boom by engaging in a race the author refers to as “the browser war.” The explosion of innovative Web features brought vulnerabilities that have yet to be solved.

The Tangled Web describes the Internet’s lack of a solid, unified system that could be policed by a single body. Major Web browsers—such as Internet Explorer, Mozilla Firefox, Safari, and Google Chrome—each have their own sets of principles and security weaknesses. The author proposes practical theories and tools that readers can borrow for their respective domains. He offers both current and prospective concepts and analyses that will assist security professionals in implementing solid defenses against security breaches.

The book reflects the author’s extensive expertise. It covers topics from the basic structure of a URL to advanced concepts of HTTP, as well as the same-origin policy (SOP) for document object models, XMLHttpRequests, Web storage, and security policies for cookies, plug-ins, and more. Readers will enjoy the “Security Engineering Cheat Sheet” at the end of each chapter for quick reference.

While this oeuvre is well written, some material is highly complex and technical. Even so, it is suitable for the average reader as well as the IT professional. It does a fine job of dissecting the anatomy of the Web and offering an extensive look at browser security features and what to look for in the future. The issues covered are truly current and faced by all security professionals.

Reviewer: Elhadji Sarr, CPP, is president and CEO of Metropol Security Services LLC. He manages the security departments of both St. Luke’s The Woodlands Hospital and St. Luke’s Lakeside Hospital. Throughout his career, he has overseen the security programs.