Web Security. A Step-by-Step Reference Guide. By Lincoln Stein. Addison Wesley Longman, Inc. 1998. 436 pages. Bibliography and index. 29.95 ISBN 0-201-63489-9 LoC TK5105.59.S74
The author of "How to Set Up and Maintain a Web Site" has produced a wonderful companion to it with this new book. A very readable and practical work, it gives clear instructions to the reader on how, and why, to make a web site as secure as possible (although we all know that is a moving target). If you have not given much thought to securing your web site, this is a good place to start. If you have given it some thought, this book will serve as a checklist and will probably show you one or two items you may have missed. The World Wide Web Security FAQ, authored and maintained by Stein, was the basis for this guide, but the book goes well beyond the FAQ.
The book is organized into three main parts: (1) Document Confidentiality, (2) Client-Side Security and (3) Server-Side Security. Chapter one is a short introduction to web security. Chapter two, the usual introduction to cryptography, and chapter three, a good introduction to SSL (secure socket layer), SET (secure electronic transactions) and other digital payment systems, make up Part 1. Part 2 contains chapter four, more on SSL; chapter five, ActiveX; and chapter six, web privacy. The ActiveX section is particularly worth reading if you are using it at your site. The design problems unique to ActiveX are brought out so that anyone can understand them. This only uses up about 150 pages of the book; the bulk of the book is in Part 3. All of the chapters have resource lists (on-line and in print), as well as a handy checklist of the things you should have learned while reading the chapter.
Part 3 is composed of chapters seven through fourteen. The expected chapters on servers and security are present, but he has gone a step further to include Windows NT web servers, with all of the associated idiosyncrasies. He devotes a chapter to access controls and another to certificate-based access controls, one of a number of places where SSL appears in the book. Stein takes the reader through the process of using certificates and even becoming your own certifying authority.
One of the best chapters is twelve, where CGI scripting is presented. No web site worth its salt can ignore this topic. He gives lots of excellent examples of code and improved approaches to common mistakes that leave the door open for the bad guys to come through. I especially like his explanations that really show the reader why something is a problem, not just a statement that it is a problem. He has achieved his goal of making this book a practical tool that is actually useful. He seems to prefer Perl as his scripting language, providing a Perl script to torture-test your web server for some basic problems. He emphasizes logging of events and reading logs, one of those important but disliked system administrator tasks.
The last two chapters cover higher level security management of a web site that can be easily overlooked. If you have more than a couple of people writing web pages for your site you run into problems of providing different levels of access, both on site and off site. There is a chapter on remote authoring and administration and the last chapter deals with firewalls and web sites, completing the package. He gives good advice on the appropriate approaches to handling web authors.
While no book covers everything, and certainly not in enough detail, this one does a fine job of covering baseline security for your web site. I put this one right next to his "How to Set Up and Maintain a Web Site" on my bookshelf, with a space for his next book. Stein is making valuable contributions to solutions for web security, which makes him worth reading.