Book Review–The Tangled Web

Disclosure: I received a review copy of this title from O’Reilly

The Tangled Web

 

Oh, Cheryl, what a tangled web we weave when we something-something on Christmas Eve - According to Jim

For obvious reasons the above quote came into my head every time I picked up The Tangled Web by Michal Zalewski. It always makes me smile…

In The Tangled Web Mr. Zalewski paints a grim picture of web security, explaining in some detail the confluence of conflicting standards, incomplete RFCs, inconsistent browser behaviors and other anomolies that lead to today's current (spoiler alert: not good) state of web security.

This title is different than any other I've read on web security. It isn't a web security handbook by any means - it is more a descriptive history of the evolution of web standards and languages, focusing on decisions made that impact web security to this day. The author delves into every aspect of the web - HTML, HTTP, CSS, scripting languages, browers, plugins, etc. in astounding detail. Moving between topics he is consistently able to combine low-level technical details with a deal of historical context that is in itself remarkable. It is interesting to read explanations of how vulnerabilities came to be, whether caused by ignorance, good intentions, loyalty to a specific browser, etc. This more "human" information provides a respite from more technical content while being both insightful and entertaining.

While the content is highly descriptive Mr. Zalewski does a great job of providing security cheat sheets at the end of each chapter. These bite-sized nuggets of actionable content are invaluable and add an extra dimension to the title - I know I will come back to these time and again as I develop for the web.

Summary (a.k.a tl;dr;)

This book is definitely a worthwhile read, but it is not an easy read. It weighs in at about 300 pages but is packed with information and it took me quite some time to get through it. It is quite technical and I found myself re-reading sections to make sure I really understood what the author was saying. I'm somewhat conflicted: I wouldn't necessarily recommend this title to a novice web programmer but I wouldn't recommend deploying a website without reading it...

At the end of the day Mr. Zalewski takes what is realistically a dull and dry topic and makes it read like prose. I strongly suggest this title to anyone working in the web development world.Everyone will get something out of it and if you are the kind of person passionate about knowing how everything works behind the scenes you'll absolutely love it!

Comments

Post a Comment

Popular posts from this blog

Mirth

Image
Introduction Let's talk about Mirth. At it's simplest, Mirth  link is an Open Source HL7 interface engine. HL7 (Health Level 7) is an NPO involved in the development of healthcare standards and the HL7 v2.x and HL7 v3 standards are commonly used in Medical Information for data interchange - including but not limited to clinical, financial, logistical and administrative messaging. I first ran across Mirth over a year ago on a personal quest to find an alternative to our client's legacy HL7 application. Academically, I wrote a number of lexical analysis tools using lexx, yacc, bison and JavaCC and knew the challenges of writing and maintaining complex parsers. I was simply looking for something that could parse HL7 for us, and perhaps log messages and provide a little more transparency than our application currently allowed.  A year later and our legacy application is still going strong (read: my proposal was declined), but Mirth is being used in production, far away from th
Read more

Excel - Adding an existing Pivot table to the data model

Image
  I've been working more with, and continue to be amazed by, Power Pivot. I recently ran into an issue where I needed to add the data for an existing Power Pivot report to the Data Model. There is a checkbox that makes this easy when creating a PivotTable: As so often happens, the analysis grew in scope/importance and I found myself needing to add the data to the data model. While it's not obvious how, there is a way to add an existing Pivot table to the data model. There's a More Tables... link in the PivotTable Fields pane.  Clicking on the  More Tables... results in a dialog confirming that you want to Create a New PivotTable .  Doing so will result in the creation of the new PivotTable in a new sheet. By default the data is added to the data model. You'll likely lose some formatting but for anything other than a trivial PivotTable, this should save effort, as it did for me.
Read more

Getting Started with Mirth (Part 1)

Image
This is the first post in a 2 part series. The second post is here Recently I posted about my positive experience when using Mirth by Webreach as an open source communication layer between one of our in-house applications and a third party and proprietary web service interface. That post received a large amount of attention (relative to my other posts :o) ) so now I will post a quickstart guide to creating a similar setup. In this post I will go over the very basics of using Mirth (please dig in and play around with some more advanced options/configurations), specifically I will demonstrate how to use Mirth to read data from a database, package the data up in a SOAP envelope, send the data to a web service and process the SOAP response. I'll also show you how easy it is to monitor channels once deployed. Once you've installed and opened Mirth for the first time you'll be presented with an empty dashboard - but it wont stay empty for long. This is where you'll s
Read more