Posts Tagged ‘Web Application Security’

Hacking the Code: ASP.NET Web Application Security

More of a programmer’s guide than a security guide, Hacking the Code explains how certain code can be attacked, shows how you should edit the code, and offers case studies and examples for doing so. The book establishes policies for object input, and shows how to audit existing code for potential security problems.

People constantly ask security expert Mark Burnett for a guide to writing secure code. They don’t want a course on security, they want to fix their code. This book is a practical guide on how to maintain session state, how to properly handle cookies, how to get user input, and more. Instead of just telling you how to do it, Burnett shows actual code that can be dropped right into your applications. This book covers almost all security issues known. Burnett has put hundreds of hours of research into his code audit database and is now making that available to you.
Customer Review: Definitely a worthy book for developers and security pros alike
Hacking the Code is a must read if you want to pick apart .NET Web applications in the name of better security. More people in development and IT need to read books like this. I like how it focuses on ASP.NET – the language that a large portion of Web applications are developed in today. The book covers the important areas of securing applications and shows some good examples. Appendix A also has some good ASP.NET code samples for real-world concerns.

Hack Proofing Your Web Applications

OPEC, Amazon, Yahoo! and eBay: if these large, well-established and security-conscious web sites have problems, how can anyone be safe? How can any programmer expect to develop web applications that are secure? “Hack Proofing Your Web Applications” is written specifically for application developers and webmasters who write programs that are used on web sites. It covers Java applications, XML, ColdFusion, and other database applications. The book focuses not on catching hackers once they have entered the site, but on showing programmers how to design tight code that deters hackers from the word go.
Customer Review: Fragmented and a bit self-important, but still useful
This book aims to be a “one stop shop” covering all aspects of web application security, however your app is written: Java, CGI, Perl, PHP, ActiveX. To a large extent it succeeds, and in a surprisingly readable way. Each chapter covers one aspect of hacking or security, and ends with a summary, a “fast track” checklist, and a FAQ for the topics covered. The book is sold like software – you can register for a “1-year upgrade” to keep the content fresh.

Important topics include both detailed and general hints on how to read and spot security holes in code in different languages; and how to “think like a hacker”, and use hacker tools to test your own security. Above all, the book emphasizes the need for creative thinking and to avoid producing code carelessly.

I know from experience that security is often ignored if it’s seen as too hard to understand, plan or test. Don’t be a victim of your own ignorance, read this book.
Customer Review: Hack Proofing Your Web Applications
I’m working on a presentation on Web Application Security, and I picked up this text as a reference. What a mistake! The text is vague, poorly formatted and rife with errors.

Just one example: p. 131 shows a sample CGI script for submitting comments to FreeBSD.org. First of all, the screenshot references a page that doesn’t exist, tarnishing FreeBSD for no good reason. Secondly, the Perl CGI script doesn’t set PATH, doesn’t use taint, and doesn’t check exit values. Third, the form uses a hidden field for the submit address — making it a juicy spam tool since the user could simply replace “mcross@freebsd.org” with any address she chooses. And I could go on and on with just that one script.

Other gripes: p. 465, “SSL makes the man-in-the-middle attack fail”. Wrong. …

How about this: The authors refer to Perl as the “Practical Extraction and Reporting Language.” (p. 151, p. 223) Are they trying to impress newbies?

SSL & PKI: only 20 pages of 565 are devoted to SSL & PKI, and those are mostly screen shots of Windows MMC.

I’m not picking nits here, just citing examples that particularly irk me while flipping through it. The author seems to have little to say about Securing Web Applications, so he rambles on with useless background and repeats himself often. This might be useful had it been edited down to 100 pages.

I recommend Garfinkel and Spafford’s ‘Web Security, Privacy & Commerce,’ however Forristal does minimally discuss ASP, which Garfinkel and Spafford neglect. Also, Forristal has some interesting ideas for code review.

Developer’s Guide to Web Application Security

75% of attacks targeted against specific systems are aimed at the web application itself, not the operating system or network. While current security technologies and practices are aimed at the operating system and network, the custom-developed software that runs the web application is the most exposed portion of any website, and often the most vulnerable. This book defines Web application security, explains why it should be addressed earlier in the lifecycle, during development and quality assurance, and shows how it differs from other types of Internet security. Additionally, the book examines the procedures and technologies that are essential to developing, penetration testing and releasing a secure Web application. Through a review of recent Web application breaches, the book exposes the prolific methods hackers use to execute Web attacks using common vulnerabilities such as SQL Injection, Cross-Site Scripting and Buffer Overflows in the application layer. By taking an in-depth look at the techniques hackers use to exploit Web applications, readers will be better equipped to protect confidential.
Customer Review: Just not quite the book it promises to be
More recent books on web application security are welcomed. The publication date of 2006 suggests it might fall into that category.