Review By: Harmon Avera, Jr.
09/08/2008

Web application users constantly hear warnings and read advice about safe Web surfing practices and avoiding email worms, viruses and phishing attacks. (My bank even has a program to use text messaging to enable one-time keys for secure login.) Foundations of Security: What Every Programmer Needs to Know by Daswani, Kern, and Kesavan offers a basic developer’s guide to Web application design principles and programming techniques that address the concerns about safety and enable us to make Web applications we would be comfortable using ourselves.

This is not a long book, only about 250 pages of text with an additional forty pages of appendices, source code, references, and index. The three major sections of the book cover security design principles, secure programming techniques, and an introduction to cryptography. It provides only a high level guide to security goals and best practices, but the copious references are fairly current and give plenty of potential avenues for further investigation. The smallish font made for densely packed pages, but I found the writing style easy to follow.

The first section discussed the goals of a secure Web application; the design of secure systems (including the economic trade-offs and "good enough" security); and covered the standard security principles of least privilege, defense-in-depth, and system simplicity. My only complaint is that this last section could use some editorial polish. It was a little repetitious in places and didn't flow as well as the following two sections. The third section is truly only an introduction to cryptography, reviewing the basics of symmetric and asymmetric key cryptography, key exchange protocols, message authentication codes, and hash signatures. I found Bruce Schneier's Applied Cryptography much more in-depth, although the 2nd edition is now twelve years old and starting to show its age.

The meat of the book is in Part 2 Secure Programming Techniques. Over one-third of this section is devoted to cross-domain security in Web applications. The authors did a thorough job of explaining the nuts-and-bolts of cross-site attack patterns like request forgery, script inclusion, and scripting. They then explained how to structure Web applications to prevent each attack pattern. It was worth it to me to read this section a couple of times to appreciate the subtlety of both the attacks and the prevention techniques.

For most of us, Internet Web applications have become as important and ubiquitous as safe drinking water. We depend on secure Web applications for banking, investing, social networking, and private communications. User concerns about the safety and security of these applications are requiring developers to become knowledgeable of both security threats and their defenses. Foundations of Security: What Every Programmer Needs to Know is a good introduction to this topic and has earned a place on my bookshelf within easy reach of my keyboard.