E-commerce Security: Weak Links, Best Defenses
The World Wide Web is changing the way the world engages in business. With this paradigm shift comes uncertainty about how secure e-commerce transactions are over an inherently insecure medium--the Internet. Businesses have learned the hard way that there is no "silver bullet" solution--not encryption, not firewalls, not even secure protocols. Like a chain, the security of e-commerce is only as strong as its weakest link.

Review By: Derek Mahlitz
07/23/2003
This is an outstanding book--well organized and well written, it serves as an introduction as well as a review.
Chapter one is a general introduction to the factors involved in e-commerce security, looking at some recent incidents of various types, and then reviewing the client, transport, server, and operating system components to be examined later on. The coverage even includes mention of topics such as the privacy concerns raised by cookies. Active content is the major concern, with an excellent discussion of ActiveX, a reasonably detailed review of the Java security model, and a look at JavaScript. The author makes some interesting comparisons while covering the transport of transaction information, in chapter three.
Server security can quickly become complex, and this is quite evident in chapter four. Chapter five discusses operating systems and firewalls and sets up a classification scheme for OS attacks illustrated by specific weaknesses in Windows and UNIX.
The book ends at chapter six with a call for certification of software, greater attention to security in all forms of software, and for greater use of component software.
Each chapter ends with a set of references. Unlike all too many books with bibliographies, with obscure citations from esoteric journals, the bulk of the material listed here is available on the Internet. A separate section lists Web sites used in the text.
This book is an excellent overview of the fundamental problems that need to be solved in order to build a secure Internet commerce system. It discusses client, server, protocol, and OS-related security holes and pitfalls with depth and good content. The author did a very good job of both painting the broad picture as well as giving concrete, real-world examples of security related issues. By providing these examples a development team could know what to expect in creating a high-profile e-commerce solution.
I also very much liked how the author recommended concrete but general steps to take in order to avoid or minimize each category of vulnerability which he identified.
The various issues dealt with in the book are explained clearly, and the book generally offers counsel on best practices for secure online commerce. My only lingering complaint is the overall print quality of the figures in some chapters; they show up very coarse and are hard on the eyes.
Highly recommended for beginners because it is very easy to understand and a brilliant introduction to e-commerce security issues. Also highly recommended for experienced users, as it provides a good overview in a concise manner.