Securing Ajax Applications: Ensuring the Safety of the Dynamic Web






Author: Christopher Wells
Published: 2007-07-11
List price: $49.99
Our price: $31.49
Usually ships in 24 hours
As of: October 07th, 2008 01:18:14 AM
Customer comments on this selection.

Misleading title - little AJAX, more web security. Overall good book.
Okay, first what I liked in this book:
1. not many pages, which means it is psychologically acceptable. ;-)
2. excellent introduction to "web-security" (yeah, that's it).
3. simple, and clear explanation
4. nice introduction to the http protocol!

Now what could be improved?
1. change the title - well, it deals very little with AJAX, so those who want highly technical stuff on AJAX will be disappointed.
2. nothing. :)

In my opinion, this was the *best* book on web security that I've read. It introduces you firmly to the subject, without pushing you too deep into any particular topic. Advanced readers obviously can build on what is presented here.

-Amarendra


Too specific a title for content that is far more general in nature...
Since Ajax is such a hot subject right now, I thought the book Securing Ajax Applications by Christopher Wells would be a worthwhile read. Unfortunately, that's a very specific title for a book that tries to cover far more ground than just Ajax security. When you get done, you'll have a better idea about web-based software and hardware security from an architecture level. But you'll probably still be wanting a book that specifically covers "Ajax" security.

Contents:
The Evolving Web; Web Security; Securing Web Technologies; Protecting the Server; A Weak Foundation; Securing Web Services; Building Secure APIs; Mashups; Index

The book starts out with the history of HTTP web communication, alternatives that developed over time (like Flash and applets) that would allow e-commerce, and then how Ajax stepped into the fray. All pretty general stuff, and probably already known if you're picking up this book as a means to refine what you already do with Ajax. The chapter on Securing Web Technologies talks about the types of attacks that can be carried out over the web. Again, you've likely covered all this before if you've been programming web apps for any length of time. From there, you learn about browser weaknesses using Microsoft's STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privileges). As before, it's good information about security, but still not what I would consider Ajax-specific. Protecting The Server gets into how to harden an HTTP server, but the same observation applies... not specific to Ajax. The last few chapters get into more of what I would consider Ajax topics, like web services, mashups, APIs, etc. But even then, we're still in a position where the information can be characterized as applicable to far more than just Ajax usage.

I think most of the problem comes down to the title of the book. After all, that's what attracts you to pull it off the shelf and take a look. If the title was more generic, like Securing Web Applications or Web Environment Security, I'd feel that I was getting the content that the author "promised" in the title. But using Ajax in the title appeared to be an attempt to use a hot buzz word for a book that was more general than that.


A misleading title is just the tip of the iceberg of this disaster
This "book" would more appropriately have been published by a "vanity press" publisher, rather than a reputable publisher like O'Reilly. There is very little, if anything, that can be said about the book that casts it in a favorable light. The publisher, O'Reilly, loses credibility for allowing themselves to be duped into adding this book to their catalog. The author is very smart and technically proficient, but maybe a little too smart and too cynical as regards the intelligence of the reader. He hasn't fooled anyone however. The book is nothing but an exploitation of a catchy title, with practically nothing inside of relevance to that title. This book will find its rightful home in your garbage pail. Better yet, don't buy it.

The title should be "An Introduction To Web Security"
In its 211 pages, Christopher Wells has written a good book with one bad feature: it barely speaks about the title theme. In my opinion, this book is a good guide to start your studies about web security. Its chapters cover issues like web-server security, secure ways to develop your applications, many demonstrations of threat exploits and how to protect your application from them.
My conclusion is: If you want to start your studies in Web Security, go on and buy this book. If you already did this and want to learn specifically about AJAX Security, try another book, because this one won't help you so much.


Wow, very disappointed...this is not an AJAX book
I was really looking forward to this book as this topic is very important to my job. But there is very little AJAX-specific content. The closest it comes is chapter five that dabbles with JSON a bit.

If you want to secure AJAX applications, you can pass over this title and stick to the basics:

- Learn and apply holistic, defense-in-depth development principles. A great primer for this is Writing Secure Code, Second Edition.

- Dig deeper into web-specific practices--both development and networking/administration. Although a little outdated (references Windows 2000 a lot), the best book I have seen so far is Improving Web Application Security: Threats and Countermeasures.

- Just remember that AJAX is nothing more than using JavaScript at the client to pull back XML from the server, so your weakest points in your application can be hardened with plain 'ole input validation. Validate at the client to ensure you have a properly assembled HTTP request going out. Validate at the server to ensure incoming variables don't break any rules, and XML encode all user input (preferably using Microsoft's free Anti-XSS library) on the way back to the client to avoid cross-site scripting.


Copyright © 2006 vBulletin-FAQ.com. All rights reserved.
This website is not affiliated with Jelsoft or vBulletin.