Try to learn something about everything

Review: The Tangled Web

Disclaimer 1: The good folks of No Starch Press were kind enough to provide me with a review copy of this book, but this did not influence the following text.

Disclaimer 2: Links to books are Amazon affiliate links.

I’ve been interested in IT security for a long time, but obviously even more so since I started working professionally in this area. Since web applications have become ubiquitous in recent years, they constitute a big part of our penetration testing work. This is a very broad topic, so The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski is an ambitious project.

The first thing I noticed was that the book is comparatively thin. At around 300 pages it’s only about one third of The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. Don’t let that fool you though, this book is not a lightweight by any means. It’s logically structured in three parts, the first of which explores the various components that constitute the web as we know it today (URLs, HTTP, HTML, CSS etc.) and their security implications. This is followed by a look at the security features — and their shortcomings — of current browsers. After this, part 3 deals with current developments and the future of browser and web application security. This is rounded off by a list of common security problems including references to the chapters of the book that cover them, as well as an epilogue with a surprisingly philosophical outlook on IT security and trust in human societies.

The writing was clear and to the point, with tons of footnotes and references to provide the interested reader with the chance to further research the presented topics. The author clearly knows what he’s talking about and manages to present it in a very approachable way. Due to its limited size the book still has to be a bit dense though, so I never really felt like reading more than one chapter at a time; otherwise it’d have been too much information to take in at once.

Whether you work in IT security or are a web application developer, this definitely is a book you don’t want to miss.