Foreword
By Chris Peterson, August 2010
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation
"If ignorant of both your enemy and yourself, you are certain in every
battle to be in peril."
-Sun Tzu, The Art of War
There is no escaping the reality that businesses live on the Web today.
From banks to bookstores, from auctions to games, the Web is the place
where most businesses ply their trade. For consumers, the Web has become
the place where they do the majority of their business as well. For example,
nearly 50 percent of all retail music sales in the United States happen
online today; the market for virtual merchandise in online games will
top $1.5B this year; and, by some estimates, over 45 percent of U.S. adults
use the Internet exclusively to do their banking. With the growing popularity
of web-enabled smart phones, much of this online commerce is now available
to consumers anytime and anywhere. By any estimation, business on the
Web is an enormous part of the economy and growing rapidly. But along
with this growth has come the uncomfortable realization that the security
of this segment of commerce is not keeping pace.
In the brick and mortar world, business owners have spent decades encountering
and learning to mitigate threats. They have had to deal with break-ins,
burglary, armed robbery, counterfeit currency, fraudulent checks, and
scams of all kinds. In the brick and mortar world, however, businesses
have a constrained, easily defined perimeter to their business, and, in
most cases, a reasonably constrained population of threats. They have,
over time, learned to apply an increasingly mature set of practices, tools,
and safeguards to secure their businesses against these threats. On the
Web, the story is quite different.
Businesses on the Web have been around for less than 20 years, and many
of the hard lessons that they've learned in the physical world of commerce
are only recently beginning to surface for web-based commerce. Just as
in the physical world, where there is money or valuable assets, you will
always find a certain subset of the population up to no good and attempting
to capitalize on those assets. However, unlike in the physical world,
in the world of e-commerce, businesses are faced with a dizzying array
of technologies and concepts that most leaders find difficult, if not
impossible, to comprehend. In addition, the perimeter of their assets
is often not well understood, and the population of potential threats
can span the entire globe. While any executive at a bank can appreciate
the issues of physical access to assets, the security provided by a well-designed
bank vault, the mitigation provided by a dye pack in a money drawer, or
the deterrent effect of an armed guard in a lobby, those same executives
are frequently baffled by the impact of something called cross-site scripting,
or how something called SQL injection could pose such a threat to their
business. In many cases, even the "experts" employed by these
businesses to build their online commerce sites, the web developers themselves,
are barely aware of the extent of the threats to their sites, the fragility
of the code they write, or the lengths to which online attackers will
go to gain access to their systems.
Upon this lopsided battlefield of online commerce and crime, a dedicated
cadre of professionals struggles to educate businesses about the threats,
improve the awareness of developers about how to make their code resilient
to attack, and to keep pace with the ever-changing tactics
and tools employed by the attack community. The authors of Hacking Exposed
Web Applications, Third Edition, represent some of the most experienced
and most knowledgeable of this group, and this book represents their latest
attempt to share their knowledge and experience with us all.
Whether you are a business leader attempting to understand the threat
space for your business, an engineer tasked with writing the code for
those sites, or a security engineer attempting to identify and mitigate
the threats to your applications, this book will be an invaluable weapon
in your arsenal. As Sun Tzu advises us, by using this book you will have
a much clearer understanding of yourself, and of your enemy, and in time you
will reduce the risk to your business.