InfoSec Reviews – Web Commerce Security

Book Title: Web Commerce Security

Subtitle: Design and Development

Authors: Hadi Nahari, Ronald L. Krutz

Publisher: Wiley

Date of Publishing: 2011

ISBN(13): 9780470624463

Price (UK&US price – full price, not discounted price): $60.00 US / $72.00 CAN / £42.50

Ebook Price: UK Amazon Kindle £27.10

URL of Publisher Site: Wiley

URL of Amazon UK web page: Web Commerce Security: Design and Development

URL of Amazon US web page: Amazon.com

The subtitle of Web Commerce Security is “Design and Development”, and the back cover promises system designers that “You will learn… to design strong e-commerce and m-commerce security that users will actually use”. This sets the exciting prospect of a book, co-written by one of the architects of PayPal, for the practitioner at the system design or code-face ‘sharp end’ of e-commerce solutions (something which I have spent much of my own career doing).

Its 474 pages open with an introduction to e-commerce… and it certainly is introductory, including a dictionary definition of ‘commerce’ and a history of credit cards. Further on, the structure becomes increasingly confusing. There are a couple of pages on client/server and grid, then cloud and cloud security (what happened to non-cloud security?). From being overly basic, the pace suddenly goes the other way – RBAC is covered in just three lines of text, which refer off to the NIST standard. The security novice, to whom most of the book seems targeted, will rapidly get lost or end up wondering if they have inadvertently skipped some pages. Light relief comes when the next chapter starts by explaining there are lots of mobile phones now and more people are using them for commerce. The author then offers up a quick view of the main mobile platforms, but no security discussion! A chapter defining various “ilities” follows. The usual ones are there (confidentiality, availability, etc.), and “monitorability”, which superficially broaches IDS and penetration testing, but it is all rather superficial. At last, 109 pages in, Part II begins – E-Commerce Security (this is the topic of the book, after all). The first chapter in this section, “E-Commerce Basics”, provides yet more high-level definitions. Chapter 5 (“Building Blocks: Your Tools”) contains the same introduction to (and history of) cryptography that appears in so many other textbooks, including the obligatory section on the Caesar cipher.
It is background for the beginner, but precious little in terms of practical help for securing e-commerce until it gets to digital signatures, X.509 etc. Then, instead of a detailed discussion of this relevant topic, it’s off again with an overview of DP, access control, system hardening… ending with 16 pages on network security that include two lines on almost every protocol you can name, finishing with a summary of several malware attacks. With half the book gone, Chapter 6, “What You Should Implement”, seemed like the place that would at last give the practical detail I thought I had been promised on the back cover. Again, disappointment! There’s a fair overview of authentication, but then more theory, yet again: information classification, principle of least privilege, policy categories, etc. Fine, but these are topics dealt with much better in other books.

Chapters 7 and 8 cover tools for analysing website vulnerabilities and common attacks. These are by far the best and most practical parts of the book. This section contains an overview of various downloadable analysis, scanning and penetration testing tools, such as Teleport Pro, BlackWidow, Nessus and Snort. A great introduction to the basics of hacking for those learning web-application security, but again all at a very superficial level, leaving it up to the reader to go and find out more about how to use them successfully. Also, these are tools that tend to be used only once a site has been built, not during design and development. The common threats are given in reasonable detail; however, I would want most of the book to be about practical steps to diminish these rather than just a few bullet points on each. A key omission for me was that of the static code testing tool (a main tool in the armoury of modern web development) and how it should be integrated into the SDLC to identify and correct vulnerabilities in source code.
On the other hand, the section on Wi-Fi reconnaissance seems a bit out of place given the target audience of e-commerce application builders; like other aspects of this book, it seems more for those who are generally interested in security.

Finally, Chapter 9, covering Certification & Assurance, bombards the reader with ISO this and ISO that, but not what it means in practice for e-commerce development. A discussion of RAID and iSCSI is fine, but is surely more on the periphery of what a web commerce developer or designer needs to worry about in most organisations. Then, to my dismay, the real gem for them in this section, OWASP, is glossed over in the same vein. The final third of the book is the appendices. Appendix A, ‘Computer Fundamentals’, should have been omitted to save trees. It’s reasonable to expect someone into web security design and development knows enough about how a computer works. Drawings of a transistor and pictures of CPUs really aren’t in themselves going to help anyone build safer web applications. The glossary is way overdone: “HTTP”, “information technology”… and I know one of the authors works for PayPal, but I am still surprised to see eBay and PayPal in the glossary!

Overall, there is precious little about development (at the code level) and barely more on design (at least not the level of design that gets turned into code): no UML design patterns or real-world examples. In fact, it feels that a lot of the content is more akin to Krutz’s CISSP guides. For the student of security, or the developer who is looking to step into a web-application design role and hasn’t come across security theory so far, this book at best does an OK job. Even then, many aspects are dealt with in other books with better structure and more depth. A bit like a program stack (which ironically Appendix A does not actually cover), the book provides various pointers to where to go next, but not the actual content.

Web Commerce Security fails to deliver the practicalities promised on the cover. Limited practical assistance is hidden within this book that feels more than twice as thick as it needs to be. The balance of basic security theory lacks sufficient structure and depth to be ideal for the security beginner. This is more a guided bibliography than practical solutions for e-commerce.

Marks: 2 out of 5
