Book Review–The Tangled Web
Disclosure: I received a review copy of this title from O’Reilly
Oh, Cheryl, what a tangled web we weave when we something-something on Christmas Eve - According to Jim
For obvious reasons the above quote came into my head every time I picked up The Tangled Web by Michal Zalewski. It always makes me smile…
In The Tangled Web Mr. Zalewski paints a grim picture of web security, explaining in some detail the confluence of conflicting standards, incomplete RFCs, inconsistent browser behaviors and other anomolies that lead to today's current (spoiler alert: not good) state of web security.
This title is different than any other I've read on web security. It isn't a web security handbook by any means - it is more a descriptive history of the evolution of web standards and languages, focusing on decisions made that impact web security to this day. The author delves into every aspect of the web - HTML, HTTP, CSS, scripting languages, browers, plugins, etc. in astounding detail. Moving between topics he is consistently able to combine low-level technical details with a deal of historical context that is in itself remarkable. It is interesting to read explanations of how vulnerabilities came to be, whether caused by ignorance, good intentions, loyalty to a specific browser, etc. This more "human" information provides a respite from more technical content while being both insightful and entertaining.
While the content is highly descriptive Mr. Zalewski does a great job of providing security cheat sheets at the end of each chapter. These bite-sized nuggets of actionable content are invaluable and add an extra dimension to the title - I know I will come back to these time and again as I develop for the web.
Summary (a.k.a tl;dr;)
This book is definitely a worthwhile read, but it is not an easy read. It weighs in at about 300 pages but is packed with information and it took me quite some time to get through it. It is quite technical and I found myself re-reading sections to make sure I really understood what the author was saying. I'm somewhat conflicted: I wouldn't necessarily recommend this title to a novice web programmer but I wouldn't recommend deploying a website without reading it...
At the end of the day Mr. Zalewski takes what is realistically a dull and dry topic and makes it read like prose. I strongly suggest this title to anyone working in the web development world.Everyone will get something out of it and if you are the kind of person passionate about knowing how everything works behind the scenes you'll absolutely love it!