Foreword

"If ignorant of both your enemy and yourself, you are certain in every battle to be in peril."
-Sun Tzu, The Art of War

There is no escaping the reality that businesses live on the Web today. From banks to bookstores, from auctions to games, the Web is the place where most businesses ply their trade. For consumers, the Web has become the place where they do the majority of their business as well. For example, nearly 50 percent of all retail music sales in the United States happen online today; the market for virtual merchandise in online games will top $1.5B this year; and, by some estimates, over 45 percent of U.S. adults use the Internet exclusively to do their banking. With the growing popularity of web-enabled smart phones, much of this online commerce is now available to consumers anytime and anywhere. By any estimation, business on the Web is an enormous part of the economy and growing rapidly. But along with this growth has come the uncomfortable realization that the security of this segment of commerce is not keeping pace.

In the brick and mortar world, business owners have spent decades encountering and learning to mitigate threats. They have had to deal with break-ins, burglary, armed robbery, counterfeit currency, fraudulent checks, and scams of all kinds. In the brick and mortar world, however, businesses have a constrained, easily defined perimeter to their business, and, in most cases, a reasonably constrained population of threats. They have, over time, learned to apply an increasingly mature set of practices, tools, and safeguards to secure their businesses against these threats. On the Web, the story is quite different.

Businesses on the Web have been around for less than 20 years, and many of the hard lessons that they've learned in the physical world of commerce are only recently beginning to surface for web-based commerce. Just as in the physical world, where there is money or valuable assets, you will always find a certain subset of the population up to no good and attempting to capitalize on those assets. However, unlike in the physical world, in the world of e-commerce, businesses are faced with a dizzying array of technologies and concepts that most leaders find difficult, if not impossible, to comprehend. In addition, the perimeter of their assets is often not well understood, and the population of potential threats can span the entire globe. While any executive at a bank can appreciate the issues of physical access to assets, the security provided by a well-designed bank vault, the mitigation provided by a dye pack in a money drawer, or the deterrent effect of an armed guard in a lobby, those same executives are frequently baffled by the impact of something called cross-site scripting, or how something called SQL injection could pose such a threat to their business. In many cases, even the "experts" employed by these businesses to build their online commerce sites, the web developers themselves, are barely aware of the extent of the threats to their sites, the fragility of the code they write, or the lengths to which online attackers will go to gain access to their systems.

Upon this lopsided battlefield of online commerce and crime, a dedicated cadre of professionals struggles to educate businesses about the threats, improve the awareness of developers about how to make their code resilient to attack, and are constantly trying to understand the ever-changing tactics and tools employed by the attack community. The authors of Hacking Exposed Web Applications, Third Edition, represent some of the most experienced and most knowledgeable of this group, and this book represents their latest attempt to share their knowledge and experience with us all.

Whether you are a business leader attempting to understand the threat space for your business, an engineer tasked with writing the code for those sites, or a security engineer attempting to identify and mitigate the threats to your applications, this book will be an invaluable weapon in your arsenal. As Sun Tzu advises us, by using this book you will have a much clearer understanding of yourself-and your enemy-and in time, you will reduce the risk to your business.

(Past Forewords...)