Gary McGraw and Edward W. Felten
Reviewed by George W. Leach
Are you concerned about the pedigree of that Java applet running in your Web browser? Perhaps you are considering building your own Java application for use on your company's intranet or extranet (sorry for the buzzwords)? You've heard that Java has been designed with security in mind, but you need to know more. Do you understand the security implications of adding directories to the classpath variable? Do you understand Java's security mechanisms? This is the book to answer your questions and concerns.

The authors are Gary McGraw of Reliable Software Technologies and Edward Felten of Princeton University's Safe Internet Programming (SIP) team. SIP is the team at Princeton that has been uncovering security problems with Java, ActiveX, JavaScript, and other Internet technologies since these technologies emerged in the fall of 1995. The list of people who reviewed the book in its formative stages reads like a Who's Who of the Java security field.

The first couple of chapters provide a high-level overview of Java and the security concerns that introducing it into your computing environment brings. The Java security model is explored as well. The authors then concentrate on exploring various holes in the Java security model that have been discovered and fixed over the past couple of years, to illustrate the types of problems that can be encountered with Java. These problems are lumped under the category of attack applets, which exploit bugs in the security model to compromise the machine. Another category of Java security concerns is known as malicious applets. These include denial-of-service attacks, spoofing email, stealing CPU cycles, and other annoying Java tricks. The final two chapters discuss steps that Web surfers can take to avoid or minimize the security risks associated with Java applets, and future security features in Java, many of which have appeared in version 1.1.
A couple of appendices provide the Java Security Frequently Asked Questions (FAQ) as of July 1996 and the relevant Computer Emergency Response Team (CERT) Alerts pertaining to security problems with Java discovered during 1996. Both of these appendices are way out of date, but the authors point to online versions of them: <http://www.cs.princeton.edu/sip/java-faq.html>

Although none of the information presented in this book is new, it is all consolidated into a well-written, concise volume that even novices to Java can read with ease in several hours. Another benefit of this book is an objective viewpoint on Java security that strives to stay clear of the marketing hype surrounding the language.

One of the problems with this book, or with any book written about any aspect of the Internet, is the currency of the information. Fortunately, the book was written with this in mind. Since its publication, the authors and their colleagues have discovered additional flaws in Java, which are discussed online at <http://www.cs.princeton.edu/sip/News.html>.

URLs of interest:

Javasoft maintains a FAQ on Applet Security at: <http://www.javasoft.com/sfaq/index.html>
Safe Internet Programming team at Princeton:
Java Security FAQ:
Reliable Software Technologies: <http://www.rstcorp.com/java-security.html>
John Wiley & Sons: <http://www.wiley.com/compbooks>
University of Washington Flaws in Java Implementations:
First posted: 21st November 1997 efc. Last changed: 21st November 1997 efc.