I was doing some research in ASP.NET MVC documentation to track down the meaningful differences between version 3 and forthcoming version 4. Accidentally I’ve found an interesting article (Jon Galloway’s AFAIR) about web security (both in general and for ASP.NET MVC specifically). I was never a hardcore security expert, but I had a feeling I’m a bit outdated, so I decided to refresh my view on web security (preferably with a suitable book). That’s how I found a book “Tangled Web” by Michal Zalewski.
Before I jump into book’s details, let me bring some more context to the light. I’ve heard about Michal Zalewski for the first time in 1998 or 1999. I was a fresh university student, an absolute nerd (some things do not change…) crazy about everything related to programming and computers. I was eager to touch anything “codable”, starting with viruses written in assembler (yeah, I have to confess …) and ending with OpenGL graphics. One of areas of my interest was obviously computer security and hacking. I was studying carefully everything what was published on famous Bugtraq (security-oriented discussion list, considered as “elite-of-elite”) and Michal was an absolute star there. True hacker, security expert who was always right and … he was polish as well. Living legend - lcamtuf (that was / is his nickname).
Time goes by, my university times is long over and I didn’t devote myself to dwelling in computer security world (at least not fully). But still, if you need to find an authority in security topics, there’s lcamtuf on duty. Currently he works for Google (as an Information Security Engineer) and he just published his second book - “The Tangled Web: A Guide to Securing Modern Web Applications”.
Honestly, I haven’t finished it yet, but for now I can truly say I’m impressed. It’s well written and packed with content (but not over-packed, so you won’t be reading it for 3 months…). Obviously, it won’t make me a security expert, but I’ll have a knowledge foundation needed to design web-oriented solutions in better (and for sure more secure) way. And (at last but not least) I’ll feel much more safer browsing the web (as I’m more aware of things to avoid).