O’Reilly news

The Tangled Web--New from No Starch Press: Security Expert Michal Zalewski's Guide to Securing Modern Web Applications

November 9, 2011


San Francisco, CA, November 9, 2011—Modern web applications are built on a tangle of technologies developed over time and haphazardly patched together. Every piece of the web application stack, from HTTP requests to browser-side scripts, is riddled with important yet subtle security gotchas that developers need to understand in order to keep users safe online.

In The Tangled Web (No Starch Press, November 2011, 320 pp., $49.95, ISBN 9781593273880), Michal Zalewski, one of the world's top security experts and author of Google's Browser Security Handbook, explains how browsers work and why they're fundamentally insecure. Rather than simply list known vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. The book opens with a comprehensive examination of browser mechanisms, the historical reasons behind their design, and the security consequences involved. After examining and dissecting the security mechanisms available for web applications, Zalewski outlines anticipated future developments in browser security, including planned HTML5 features.

"Since Silence on the Wire, readers have been waiting for Zalewski's next book," said No Starch Press Founder Bill Pollock. "As applications migrate to the Web, exposing our private data to a wide range of attacks, the security community is badly in need of instruction on how to make web applications more secure. Zalewski offers real insight."

Readers of The Tangled Web will learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

The Tangled Web will prove indispensable to web developers and security researchers who want to create secure web applications that stand the test of time and the savviest of attackers.

For more information or to request a review copy of The Tangled Web, contact Travis Peterson at No Starch Press (nostarchpr@oreilly.com, +1.415.863.9900, x108), or visit www.nostarch.com.

About the Author

Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's Browser Security Handbook, and numerous important research papers.

Praise for The Tangled Web
"Thorough and comprehensive coverage from one of the foremost experts in browser security."
TAVIS ORMANDY, GOOGLE INC.

"A must-read for anyone who values their security and privacy online."
COLLIN JACKSON, RESEARCHER AT THE CARNEGIE MELLON WEB SECURITY GROUP

"Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date. A must-have!"
MARK DOWD, AZIMUTH SECURITY, AUTHOR OF THE ART OF SOFTWARE SECURITY ASSESSMENT

Additional Resources
Chapter 3: "Hypertext Transfer Protocol" (PDF)
Table of Contents
Detailed Table of Contents (PDF)
Index (PDF)
No Starch Press Catalog Page

The Tangled Web
Publisher: No Starch Press
By Michal Zalewski
ISBN 9781593273880, $49.95 USD
November 2011, 320 pp.
order@oreilly.com
1-800-998-9938
1-707-827-7000


Available in fine bookstores everywhere, from http://www.oreilly.com/nostarch, or directly from No Starch Press (http://www.nostarch.com, orders@nostarch.com, 1-800-420-7240).

About No Starch Press
Founded in 1994, No Starch Press publishes the finest in geek entertainment—unique books on technology, with a focus on open source, security, hacking, programming, alternative operating systems, LEGO, science, and math. Our titles have personality, our authors are passionate, and our books tackle topics that people care about. Visit http://www.nostarch.com for a complete catalog.

About O’Reilly

O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.
