
The Tangled Web: A Guide to Securing Modern Web Applications - dkarapetyan
http://lcamtuf.coredump.cx/tangled/
======
tptacek
Extremely strong recommend on this book. It's one of the books Matasano gave
to all applicants before interviewing them.

~~~
tedunangst
I've never heard of giving applicants material before the interview. More
commonly, I think companies give new hires (especially interns) a book or some
material to read before their start date, but usually the investment comes
after the decision.

Did the book shape the interview? Like if I didn't read it, I'd have a hard
time? Or maybe even if I nailed the book, but didn't know anything else,
that'd be bad?

~~~
tptacek
The books did not shape the interviews, and we were careful to tell candidates
that they shouldn't treat them as homework, and they could probably do just
fine without reading them at all.

------
brainy
Today, anyone trying to advise a web site owner on security has to balance
elements within the site owner's control — fonts, domain names, sources of
content, validation of user input, for example — against extrinsic elements
the site owner can't touch. The latter include user operating systems and
software, the security of remote sites supplying content and homologue
internationalised domain names. Plus, there are all those tricky details of
interactions between tags, and everywhere — in all software — bugs.

------
mkrdouble
This looks really great, and has some big names endorsing it. Has anyone here
read the book and could provide some additional insight on what the book did
for you?

~~~
HeavenFox
I read a draft version of it through my employer, and I have to say it is the
_best_ book on Web security I've ever seen. It is basically an encyclopedia of
attack vectors, organized by the technologies that enabled them. The author
discusses both inherent problems with the protocol, as well as nuances in
different implementations, which makes it extra valuable. Reading the book
through was an eye-opener, and there were countless oh-crap-I-didn't-know-it-
could-work-that-way moments.

Two warnings about the book: first, it is really an encyclopedia, so the
author skims the part on how to prevent the attacks. There's a security
cheatsheet at the end of each chapter, which is helpful but a bit too
succinct. You have to understand the book fully to really make use of it. If
you're more into a cookbook style book, look elsewhere. Second, the browser
information is not quite up-to-date and thorough. I can't blame the author, as
security is an ever-changing landscape. But just a standard warning: do your
experiments. Test the attack vectors in all browsers. I once shipped a
vulnerability because I blindly trusted the information in the book
(thankfully it was disclosed responsibly).

------
woah
While I'm receptive to the topic and this looks like a good book, this
literally is just an advertisement.

