From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1998-11-05
---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Date: Thu, 5 Nov 1998 11:28:36 -0800
Subject: REVIEW: "E-Commerce Security", Anup K. Ghosh
Reply-to: rslade@sprint.ca

BKECMSEC.RVW   981003

"E-Commerce Security", Anup K. Ghosh, 1998, 0-471-19223-6,
U$24.99/C$35.50
%A   Anup K. Ghosh
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-19223-6
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$35.50 416-236-4433 fax: 416-236-4448
%P   288 p.
%T   "E-Commerce Security: Weak Links, Best Defenses"

The title is ever so slightly misleading in that the topic is not
electronic commerce as a whole, but the (admittedly most popular) Web
segment of it.  However, within this limit, the book does provide
solid coverage and good advice for a whole range of issues.

Chapter one is a general introduction to the factors involved, looking
at some recent "attacks" of various types, and then reviewing the
client, transport, server, and operating system components to be
examined in the remainder of the book.  Client (generally browser)
flaws are covered thoroughly in chapter two.  The breadth of coverage
even includes mention of topics such as the concern for privacy
considerations with cookies.  Active content is the major concern,
with an excellent discussion of ActiveX (entitled "ActiveX
[In]security"), a reasonably detailed review of the Java security
model, and a look at JavaScript.  Unfortunately, very little of this
touches directly on e-commerce as such, except insofar as insecure
client technology is going to make e-commerce a harder sell to the
general public.  While covering the transport of transaction
information, in chapter three, Ghosh makes an interesting distinction
between stored account systems (where you want to secure the
transmission of identification data) and stored value systems (where
the data, once transmitted, is useless to an eavesdropper).  Many
books concentrate on either channel security or electronic cash
systems, so this comparison is instructive.

A server involves multiple programs, and may involve multiple
machines.  Server security can quickly become complex, and this is
quite evident in chapter four.  While a great deal of useful and
thought-provoking information is presented, the complicated nature of
the undertaking works against this chapter.  Not all topics are dealt
with thoroughly, or as well as the previous material was.  Oddly, one
issue not covered in depth is the firewall, which is handled very well
in chapter five, with operating system problems.  Ghosh sets up a
classification scheme for OS attacks, illustrated by specific
weaknesses in Windows NT and UNIX.

The book ends in chapter six with a call for certification of
software, greater attention to security in all forms of software, and,
interestingly, for greater use of component software.  (From the
jacket material, it appears that Ghosh is currently involved in the
promotion of component software systems.)

Each chapter ends with a set of references.  Unlike all too many books
with bibliographies stuffed with obscure citations from esoteric
journals, the bulk of the material listed is available on the
Internet.  (RISKS-FORUM Digest readers may already have seen much of
it.)  A separate section lists Web sites used in the text.

The various issues dealt with in the book are explained clearly, and
generally present counsel on the best practices for secure online
commerce.  A compact but comprehensive guide to the current state of
electronic transaction security.

copyright Robert M. Slade, 1998   BKECMSEC.RVW   981003
---------------------------------------------
