There's a simple rule: the more complex a system is, the harder it is to secure. Once upon a time, the web was a simple system…
Today, anyone trying to advise a web site owner on security has to balance elements within the site owner's control — fonts, domain names, sources of content, validation of user input, for example — against extrinsic elements the site owner can't touch. The latter include users' operating systems and software, the security of remote sites supplying content, and look-alike (homograph) internationalised domain names. Plus, there are all those tricky details of interactions between tags, and everywhere — in all software — bugs.
As Michal Zalewski writes in the introduction to his book on web site security, The Tangled Web, only 15 years ago none of this was a problem on the web, which was made up of pages of static text owned by people for largely non-commercial reasons. The average contemporary web user's experience is of layered, complex applications based on an infrastructure that was not originally designed for them. As Zalewski writes, the corners cut in the original development of the web didn't matter when all that was being hosted was a page of dancing hamsters. Now, sites handling millions of credit card transactions are paying the price.
The deeper problem, however, is that once a system gets complex enough there's no way to define what it means for it to be secure — that is, for it to function as intended. There are too many competing interests involved, from large corporations to academic research departments to individual users to hacktivists. The general response in the industry has been to move toward risk management, an approach Zalewski argues is too limited. Instead, he favours practical approaches such as learning from past mistakes, developing good detection and remediation tools, and planning for the worst-case scenario.
The rest of The Tangled Web puts this approach into practice. The book is divided into three main parts: the anatomy of the web, which examines everything from URLs to browser plug-ins; browser security features; and future trends. Each is subdivided into many more sections that examine elements such as URLs, plug-ins, protocols, scripts and vulnerabilities in detail. Each chapter has a 'security engineering cheat sheet' that summarises the main points to check when using the technologies just explored.
This structure allows Zalewski a lot of latitude to explore the landscape in a thorough and systematic manner. The result is a book that's readable enough for someone seeking to understand the web's problems and practical enough for someone in the midst of designing a site to use in anger.
Most security books either focus on underlying theory — like many of Bruce Schneier's books, including his recent Liars and Outliers — or on a single application or service, covered in detail. What's interesting about The Tangled Web is that it does some of both. Unlike a lot of people, Zalewski, a Google information security engineer who describes himself in his LinkedIn profile as 'resident security troll', knows his internet history, and he uses the right amount of it to put today's problems in context and explain their genesis.
The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
No Starch Press