book

Web Security, Privacy & Commerce, 2nd Edition

by Simson Garfinkel, Gene Spafford

November 2001

Intermediate to advanced

788 pages

27h 27m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Web Security, Privacy & Commerce, 2nd Edition
Preface
Web Security: Is Our Luck Running Out?Beyond the Point of No ReturnBuilding in Security
About This Book
Organization of This BookWhat You Should KnowWeb Software Covered by This Book
Conventions Used in This Book
Comments and Questions
History and Acknowledgments
Second EditionFirst Edition
I. Web Technology
1. The Web Security Landscape
The Web Security ProblemSecuring the Web ServerSimplification of servicesPolicing copyrightSecuring Information in TransitSecuring the User’s Computer
Risk Analysis and Best Practices
2. The Architecture of the World Wide Web
History and TerminologyBuilding the InternetPackets and postcardsProtocolsHosts, gateways, and firewallsThe client/server modelWeaving the Web

A Packet’s Tour of the Web
Booting Up Your PCPC to LAN to InternetDialing up the InternetConnected by LANThe Walden NetworkThe Domain Name ServiceHow DNS worksEngaging the Web
Who Owns the Internet?
Your Local Internet Service ProviderNetwork Access Points and Metropolitan Area ExchangesPeeringTransitThe Root and Top-Level NameserversWho runs the root?An exampleThe Domain RegistrarsInternet Number RegistriesThe Internet Corporation for Assigned Names and Numbers
3. Cryptography Basics
Understanding CryptographyRoots of CryptographyCryptography as a Dual-Use TechnologyA Cryptographic ExampleCryptographic Algorithms and Functions
Symmetric Key Algorithms
Cryptographic Strength of Symmetric AlgorithmsKey Length with Symmetric Key AlgorithmsCommon Symmetric Key AlgorithmsAttacks on Symmetric Encryption AlgorithmsKey search (brute force) attacksCryptanalysisSystems-based attacks
Public Key Algorithms
Uses of Public Key EncryptionEncrypted messagingDigital signaturesAttacks on Public Key AlgorithmsKey search attacksAnalytic attacksKnown versus published methods
Message Digest Functions
Message Digest Algorithms at WorkUses of Message Digest FunctionsHMACAttacks on Message Digest Functions
4. Cryptography and the Web
Cryptography and Web SecurityRoles for Cryptography
Working Cryptographic Systems and Protocols
Offline Encryption SystemsPGP/OpenPGPS/MIMEOnline Cryptographic Protocols and SystemsSSLPCTSETDNSSECIPsec and IPv6KerberosSSH
What Cryptography Can’t Do
Legal Restrictions on Cryptography
Cryptography and the Patent SystemThe public key patentsOther patented algorithmsThe outlook for patentsCryptography and Trade Secret LawRegulation of Cryptography by International and National LawU.S. regulatory efforts and historyThe Digital Millennium Copyright ActInternational agreements on cryptographyNational regulations of cryptography throughout the world
5. Understanding SSL and TLS
What Is SSL?SSL VersionsSSL/TLS FeaturesWhat Does SSL Really Protect?Digital CertificatesSSL ImplementationsSSL NetscapeSSLRef and Mozilla Network Security ServicesSSLeay and OpenSSLSSL JavaSSL Performance
SSL: The User’s Point of View
Browser PreferencesNavigator preferencesInternet Explorer preferencesBrowser Alerts
6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
Physical IdentificationThe Need for Identification TodayPaper-Based Identification TechniquesVerifying identity with physical documentsReputation of the issuing organizationTamper-proofing the documentComputer-Based Identification TechniquesPassword-based systems: something that you knowPhysical tokens: something that you haveBiometrics: something that you areLocation: someplace where you are
Using Public Keys for Identification
Replay AttacksStopping Replay Attacks with Public Key CryptographyPGP public keysCreating and Storing the Private KeyCreating a public key/private key pair with PGPSmart cards
Real-World Public Key Examples
Document Author Identification Using PGPCERT/CC’s PGP signaturesObtaining CERT/CC’s PGP keyVerifying the PGP-signed filePGP certificationPublic Key Authentication Using SSH
7. Digital Identification II: Digital Certificates, CAs, and PKI
Understanding Digital Certificates with PGPCertifying Your Own KeyCertifying Other People’s Keys: PGP’s “Web of Trust”Trust and validityThe Web of Trust and the key serversKey signing parties
Certification Authorities: Third-Party Registrars
Certification Practices Statement (CPS)The X.509 v3 CertificateExploring the X.509 v3 certificateTypes of CertificatesMinimal disclosure certificatesRevocationCertificate revocation listsReal-time certificate validationShort-lived certificates
Public Key Infrastructure
Certification Authorities: Some HistoryInternet Explorer Preinstalled CertificatesNetscape Navigator Preinstalled CertificatesMultiple Certificates for a Single CAShortcomings of Today’s CAsLack of permanence for Certificate Policies fieldInconsistencies for “Subject” and “Issuer” fieldsUnrealistic expiration dates
Open Policy Issues
Private Keys Are Not PeopleDistinguished Names Are Not PeopleThere Are Too Many Robert SmithsToday’s Digital Certificates Don’t Tell EnoughX.509 v3 Does Not Allow Selective DisclosureDigital Certificates Allow for Easy Data AggregationHow Many CAs Does Society Need?How Do You Loan a Key?Why Do These Questions Matter?Brad Biddle on Digital Signatures and E-SIGNE-SIGN and UETAElectronic contracting—it’s more than just “signatures”!“Signed writing” requirementsProof
II. Privacy and Security for Users
8. The Web’s War on Your Privacy
Understanding PrivacyThe Tort of PrivacyPersonal, Private, and Personally Identifiable Information
User-Provided Information
Log Files
Retention and RotationWeb LogsWhat’s in a web log?The refer link fieldObscuring web logsRADIUS LogsMail LogsDNS Logs
Understanding Cookies
The Cookie ProtocolAn exampleCookie UsesCookie JarsCookie SecurityDisabling Cookies
Web Bugs
Web Bugs on Web PagesWeb Bugs in Email Messages and Word FilesUses of Web Bugs
Conclusion
9. Privacy-Protecting Techniques
Choosing a Good Service Provider
Picking a Great Password
Why Use Passwords?Bad Passwords: Open DoorsSmoking JoesGood Passwords: Locked DoorsWriting Down PasswordsStrategies for Managing Multiple Usernames and PasswordsPassword classesPassword basesPassword rotationPassword keepersSharing PasswordsBe careful when you share your password with others!Change your password when the person no longer needs itResist social engineering attacksBeware of Password Sniffers and StealersPassword sniffersKeystroke recorders and keyboard sniffersBeware of public terminals
Cleaning Up After Yourself
Browser CacheManaging your cache with Internet ExplorerManaging your cache with Netscape NavigatorCookiesCrushing Internet Explorer’s cookiesCrushing Netscape’s cookiesBrowser HistoryClearing Internet Explorer’s browser historyClearing Netscape Navigator’s browser historyPasswords, Form-Filling, and AutoComplete SettingsClearing AutoComplete with Internet ExplorerClearing sensitive information with Netscape Navigator
Avoiding Spam and Junk Email
Protect Your Email AddressUse Address MungingUse an Antispam Service or Software
Identity Theft
Protecting Yourself From Identity Theft
10. Privacy-Protecting Technologies
Blocking Ads and Crushing CookiesLocal HTTP ProxiesUsing Ad Blockers
Anonymous Browsing
Simple Approaches to Protecting Your IP AddressAnonymous Web Browsing Services
Secure Email
Hotmail, Yahoo Mail, and Other Web-Based Email ServicesHushmailOmniva’s Self-Destructing Email
11. Backups and Antitheft
Using Backups to Protect Your DataMake Backups!Why Make Backups?What Should You Back Up?Types of BackupsGuarding Against Media FailureHow Long Should You Keep a Backup?Security for BackupsPhysical security for backupsWrite-protect your backupsData security for backupsLegal IssuesDeciding upon a Backup Strategy
Preventing Theft
Understanding Computer TheftLocksTaggingLaptop Recovery Software and ServicesAwareness
12. Mobile Code I: Plug-Ins, ActiveX,and Visual Basic
When Good Browsers Go BadCard SharkDavid.exeThe Chaos Quicken CheckoutILOVEYOU
Helper Applications and Plug-ins
The History of HelpersGetting the Plug-InEvaluating Plug-In Security
Microsoft’s ActiveX
The <OBJECT> TagAuthenticodeDoes Authenticode Work?Internet ExploderRisky Controls
The Risks of Downloaded Code
Programs That Spend Your MoneyTelephone billing recordsElectronic funds transfersPrograms That Violate Privacy and Steal Confidential InformationA wealth of private dataSigned Code Is Not Safe CodeSigned Code Can Be HijackedReconstructing an AttackRecovering from an Attack
Conclusion
13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
JavaA Little Java DemonstrationJava’s HistoryJava, the LanguageJava SafetyJava SecuritySafety is not securityJava Security PolicyInternet Explorer’s “security zones”Setting Java policy in Microsoft Internet ExplorerSetting Java policy in Netscape NavigatorJava Security Problems
JavaScript
A Touch of JavaScriptJavaScript Security OverviewJavaScript Security FlawsJavaScript Denial-of-Service AttacksCan’t break a running scriptWindow system attacksCPU and stack attacksJavaScript Spoofing AttacksSpoofing username/password pop-ups with JavaSpoofing browser status with JavaScriptMirror worlds
Flash and Shockwave
Conclusion
III. Web Server Security
14. Physical Security for Servers
Planning for the Forgotten ThreatsThe Physical Security PlanThe Disaster Recovery PlanOther Contingencies
Protecting Computer Hardware
The EnvironmentFireSmokeDustEarthquakeExplosionTemperature extremesBugs (biological)Electrical noiseLightningVibrationHumidityWaterEnvironmental monitoringPreventing AccidentsFood and drinkPhysical AccessRaised floors and dropped ceilingsEntrance through air ductsGlass wallsVandalismVentilation holesNetwork cablesNetwork connectorsDefending Against Acts of War and TerrorismPreventing TheftPhysically secure your computerRAM theftEncryptionLaptops and portable computers
Protecting Your Data
EavesdroppingWiretappingEavesdropping over local area networks (Ethernet and twisted pair)Eavesdropping on 802.11 wireless LANsEavesdropping by radio and using TEMPESTFiber optic cableKeyboard monitorsProtecting BackupsVerify your backupsProtect your backupsSanitizing Media Before DisposalSanitizing Printed MediaProtecting Local StoragePrinter buffersPrinter outputX terminalsFunction keysUnattended TerminalsBuilt-in shell autologoutScreensaversKey Switches
Personnel
Story: A Failed Site Inspection
What We FoundFire hazardsPotential for eavesdropping and data theftEasy pickingsPhysical access to critical computersPossibilities for sabotageNothing to Lose?
15. Host Security for Servers
Current Host Security ProblemsA Taxonomy of AttacksFrequency of AttackUnderstanding Your AdversariesScript kiddiesIndustrial spiesIdeologues and national agentsOrganized crimeRogue employees and insurance fraudWhat the Attacker WantsTools of the Attacker’s Trade
Securing the Host Computer
Security Through PolicyKeeping Abreast of Bugs and FlawsChoosing Your VendorInstallation I: Inventory Your SystemInstallation II: Installing the Software and Patches
Minimizing Risk by Minimizing Services
Operating Securely
Keep Abreast of New VulnerabilitiesLoggingSetting up a log serverLogging on UnixLogging on Windows 2000BackupsUsing Security ToolsSnapshot toolsChange-detecting toolsNetwork scanning programsIntrusion detection systemsVirus scannersNetwork recording and logging tools
Secure Remote Access and Content Updating
The Risk of Password SniffingUsing Encryption to Protect Against SniffingSecure Content UpdatingDialup Modems
Firewalls and the Web
Types of FirewallsProtecting LANs with FirewallsProtecting Web Servers with Firewalls
Conclusion
16. Securing Web Applications
A Legacy of Extensibility and RiskPrograms That Should Not Be CGIsUnintended Side EffectsThe problem with the scriptFixing the problem
Rules to Code By
General Principles for Writing Secure Scripts
Securely Using Fields, Hidden Fields, and Cookies
Using Fields SecurelyHidden Fields and Compound URLsUsing CookiesUsing Cryptography to Strengthen Hidden Fields, Compound URLs, and Cookies
Rules for Programming Languages
Rules for PerlRules for CRules for the Unix Shell
Using PHP Securely
Introduction to PHPControlling PHPUnderstanding PHP Security IssuesPHP Installation IssuesPHP VariablesAttacks with global variablesregister_globals = offDatabase Authentication CredentialsURL fopen( )Hide Your ScriptsPHP Safe ModeControlling safe modeSafe mode restrictions
Writing Scripts That Run with Additional Privileges
Connecting to Databases
Protect Account InformationUse Filtering and Quoting to Screen Out Raw SQLProtect the Database Itself
Conclusion
17. Deploying SSL Server Certificates
Planning for Your SSL ServerChoosing a ServerDeciding on the Private Key StoreServer CertificatesThe SSL certificate format
Creating SSL Servers with FreeBSD
HistoryObtaining the ProgramsInstalling Apache and mod_ssl on FreeBSDVerifying the Initial InstallationSigning Your Keys with Your Own Certification AuthorityThe Apache mod_ssl configuration fileInstalling the key and certificate on the web serverInstalling the Nitroba CA certificate into Internet ExplorerInstalling the Nitroba CA certificate into Netscape NavigatorSecuring Other Services
Installing an SSL Certificate on Microsoft IIS
Obtaining a Certificate from a Commercial CA
When Things Go Wrong
Not Yet Valid and Expired CertificatesCertificate RenewalWrong Server Address
18. Securing Your Web Service
Protecting Via RedundancyPrice and Performance Versus RedundancyProviding for Redundancy
Protecting Your DNS
Protecting Your Domain Registration
19. Computer Crime
Your Legal Options After a Break-InFiling a Criminal ComplaintChoosing jurisdictionLocal jurisdictionFederal jurisdictionFederal Computer Crime LawsHazards of Criminal ProsecutionThe Responsibility to Report Crime
Criminal Hazards
Criminal Subject Matter
Access Devices and Copyrighted SoftwarePornography, Indecency, and ObscenityAmateur ActionCommunications Decency ActMandatory blockingChild pornographyDevices that Circumvent Technical Measures that Control Access to Copyrighted WorksCryptographic Programs and Export Controls
IV. Security for Content Providers
20. Controlling Access to Your Web Content
Access Control StrategiesHidden URLsHost-Based RestrictionsUsing firewalls to implement host-based access controlCaveats with host-based access controlIdentity-Based Access Controls
Controlling Access with Apache
Enforcing Access Control Restrictions with the .htaccess FileEnforcing Access Control Restrictions with the Web Server’s Configuration FileCommands Before the <Limit>. . . </Limit> DirectiveCommands Within the <Limit>. . . </Limit> Block<Limit> ExamplesManually Setting Up Web Users and PasswordsAdvanced User ManagementUse a databaseUse RADIUS or LDAPUse PKI and digital certificates
Controlling Access with Microsoft IIS
Installing IISDownloading and Installing the IIS PatchesControlling Access to IIS Web PagesRestricting Access to IIS Directories
21. Client-Side Digital Certificates
Client CertificatesWhy Client Certificates?Support for Client-Side Digital Certificates
A Tour of the VeriSign Digital ID Center
Generating a VeriSign Digital IDFinding a Digital IDRevoking a Digital ID
22. Code Signing and Microsoft’s Authenticode
Why Code Signing?Code Signing in TheoryCode Signing TodayCode Signing and Legal Restrictions on Cryptography
Microsoft’s Authenticode Technology
The “Pledge”Publishing with AuthenticodeThe Authenticode SDKMaking the certificateAdding the certificate to the storeSigning a programCode signing from the command line
Obtaining a Software Publishing Certificate
Other Code Signing Methods
23. Pornography, Filtering Software, and Censorship
Pornography FilteringArchitectures for FilteringProblems with Filtering Software
PICS
What Is PICS?PICS ApplicationsPICS and CensorshipAccess controls become tools for censorshipCensoring the network
RSACi
Conclusion
24. Privacy Policies, Legislation, and P3P
Policies That Protect Privacy and Privacy PoliciesThe Code of Fair Information PracticesOECD GuidelinesOther National and International Regulations“Voluntary Regulation” Privacy PoliciesSeal programsFTC enforcement“Notice, Choice, Access, and Security”
Children’s Online Privacy Protection Act
Prelude to RegulationCOPPA RequirementsWho must follow the COPPA Rule?Basic provisions of COPPAVerifiable parental consentCOPPA exceptionsEnforcement
P3P
P3P and PICSSupport for P3P in Internet Explorer 6.0
Conclusion
25. Digital Payments
Charga-Plates, Diners Club, and Credit CardsA Very Short History of CreditPayment Cards in the United StatesThe Interbank Payment Card TransactionThe charge card check digit algorithmThe charge slipCharge card feesRefunds and Charge-BacksAdditional Authentication MechanismsUsing Credit Cards on the Internet
Internet-Based Payment Systems
Virtual PINEnrollmentPurchasingSecurity and privacyReduxDigiCashEnrollmentPurchasingSecurity and privacyReduxCyberCash/CyberCoinEnrollmentPurchasingSecurity and privacyReduxSETTwo channels: one for the merchant, one for the bankWhy SET failedReduxPayPalSending moneySecurity and financial integrationGator WalletMicrosoft PassportOther Payment SystemsSmart cardsMondex
How to Evaluate a Credit Card Payment System
26. Intellectual Property and Actionable Content
CopyrightCopyright InfringementSoftware Piracy and the SPAWarez
Patents
Trademarks
Obtaining a TrademarkTrademark ViolationsDomain Names and Trademarks
Actionable Content
Libel and DefamationLiability for DamageProtection Through Incorporation
V. Appendixes
A. Lessons from Vineyard.NET
In the Beginning
Planning and Preparation
Lesson: Whenever you are pulling wires, pull more than you need.Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.Lesson: Use centrally located punch-down blocks for computer and telephone networks.Lesson: Don’t go overboard.Lesson: Plan your computer room carefully; you will have to live with its location for a long time.
IP Connectivity
Lesson: Set milestones and stick to them.Lesson: Get your facilities in order.Lesson: Test your facilities before going live.Lesson: Provide for backup facilities before, during, and after your transition.
Commercial Start-Up
Working with the Phone CompanyLesson: Design your systems to fail gracefully.Lesson: Know your phone company. Know its terminology, the right contact people, the phone numbers for internal organizations, and everything else you can find out.Incorporating Vineyard.NETInitial ExpansionLesson: Build sensible business partnerships.Accounting SoftwareLesson: Make sure your programs are table-driven as often as possible.Lesson: Tailor your products for your customers.Lesson: Build systems that are extensible.Lesson: Automate everything you can.Lesson: Don’t reinvent the wheel unless you can build a better wheel.Publicity and PrivacyLesson: Always be friendly to the press.Lesson: Never give out your home phone number.Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
Ongoing Operations
Security ConcernsLesson: Don’t run programs with a history of security problems.Lesson: Make frequent backups.Lesson: Limit logins to your servers.Lesson: Beware of TCP/IP spoofing.Lesson: Defeat packet sniffing.Lesson: Restrict logins.Lesson: Tighten up your system beyond manufacturer recommendations.Lesson: Remember, the “free” in “free software” refers to “freedom.”Phone Configuration and Billing ProblemsCredit Cards and ACHLesson: If you have the time to write it, custom software always works better than what you can get off the shelf.Lesson: Live credit card numbers are dangerous.Lesson: Encrypt sensitive information and be careful with your decryption keys.Lesson: Log everything, and have lots of reports.Lesson: Explore a variety of payment systems.Lesson: Make it easy for your customers to save you money.Lesson: Have a backup supplier.Monitoring SoftwareLesson: Monitor your system.
Redundancy and Wireless
Linking Primary to BackupBuilding the Backup SiteFailover—and Back!
The Big Cash-Out
Conclusion
B. The SSL/TLS Protocol
History
TLS Record Layer
SSL/TLS Protocols
Handshake ProtocolAlert ProtocolChangeCipherSpec Protocol
SSL 3.0/TLS Handshake
Sequence of Events1. ClientHello2. ServerHello3. Server certificate4. Server key exchange5. Certificate Request6. The server sends a ServerHelloDone (TLS only)7. Client sends certificate8. ClientKeyExchange9. CertificateVerify10. ChangeCipherSpec11. Finished12. Application Data
C. P3P: The Platform for Privacy Preferences Project
How P3P Works
Deploying P3P
Creating a Privacy PolicyGenerating a P3P Policy and Policy Reference FileHelping User Agents Find Your Policy Reference FileCompact Policies
Simple P3P-Enabled Web Site Example
D. The PICS Specification
Rating Services
PICS Labels
Labeled DocumentsRequesting PICS Labels by HTTPRequesting a Label from a Rating Service
E. References
Electronic ReferencesMailing ListsBugtraqCERT-advisoryCIAC-notes and C-NotesFirewallsNTBugTraqNT-securityRISKSUsenet GroupsWeb Pages and FTP RepositoryAttrition.orgCERIASCIACDigiCrimeFIRSTIETFMozillaNIHNIST CSRCPrinceton SIPRadius.Net Cryptography ArchivesRSA Data SecurityOpenSSLSecurityFocusSystem Administration, Networking, and Security (SANS) InstituteWorld Wide Web Consortium (W3C)WWW SecuritySoftware ResourceschrootuidCOPS (Computer Oracle and Password System)KerberosMRTGportmaprsyncSATANSOCKSSSHSwatchtcpwrapperTigerTIS Internet Firewall ToolkitTripwireUDP Packet Relayer
Paper References
Computer Crime and LawComputer-Related RisksComputer Viruses and Programmed ThreatsCryptographyGeneral Computer SecuritySystem Administration, Network Technology, and SecurityNetwork TechnologySecure ProgrammingSecurity and NetworkingUnix System AdministrationWindows System AdministrationSecurity Products and Services InformationMiscellaneous References
Index
About the Authors
Colophon

Content preview from Web Security, Privacy & Commerce, 2nd Edition

Chapter 16. Securing Web Applications

Web servers are fine programs for displaying static information such as brochures, FAQs, and product catalogs. But applications that are customized for the user or that implement business logic (such as shopping carts) require that servers be extended with specialized code that executes each time the web page is fetched. This code most often takes the form of scripts or programs that are run when a particular URL is accessed. There is no limit to what a good programming team can do with a web server, a programming language, and enough time. Unfortunately, programs that provide additional functionality over the Web can have flaws that allow attackers to compromise the system on which the web server is running. These flaws are rarely evident when the program is run as intended.

This chapter focuses on programming techniques that you can use to make web programs more secure.

A Legacy of Extensibility and Risk

There are four primary techniques that web developers can use to create web-based applications:

CGI

The Common Gateway Interface (CGI) was the first means of extending web servers. When a URL referencing a CGI program is requested from the web server, the web server runs the CGI program in a separate process, captures the program’s output, and sends the results to the requesting web browser. Parameters to the CGI programs are encoded as environment variables and also provided to the program on standard input.

CGI programs can perform database ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596000456Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Web Security, Privacy & Commerce, 2nd Edition

by Simson Garfinkel, Gene Spafford

Chapter 16. Securing Web Applications

A Legacy of Extensibility and Risk

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Web Security and Commerce

Design and Analysis of Security Protocol for Communication

DNS on Windows Server 2003, 3rd Edition

Identification and Management of Distributed Data

Publisher Resources