[wplug] OT: looking for a book recommendation

Devin Lee Drew dLd at pobox.com
Tue Sep 27 16:21:36 EDT 2005


On Sep 27, 2005, at 11:50 AM, Teodorski, Chris wrote:
>
> I know this is (as mentioned in the subject) slightly off topic --
>
> I was wondering if anyone could recommend a good book that would  
> help me understand the fundamentals of web services and  
> specifically securing web services.  I'm not interested in the  
> nitty-gritty of developing web services (I'm not a developer) --  
> I'm on the System Admin side of the house.
>
> In my work-a-day world most of my time will be supporting Microsoft  
> web services -- so I'm not necessarily looking for a Linux specific  
> book.  However, I'm looking for the best book that covers the  
> material -- so even if it doesn't talk specifically about Microsoft  
> and IIS that would be ok.
>

A general recommendation: If it doesn't _need_ to be dynamic, then  
keep it simple. Run publicfile.[0] It's really fast, and you don't  
have to worry about patching it before bed every night.

To be serious about security auditing a web app, if you can't  
critically read the code, then be in tight sync with the coders.

I can personally recommend Foundstone's books[1], and their ethical  
hacking / incident response courses. I don't know, however, what is  
happening with that material since they've been bought by McAfee.

There are many good security books out there, e.g. [2], that will help  
you learn fundamental concepts that have already been learnt. For  
example: who cares about TLS/SSL if an anonymous attacker can make  
infinite user/password guesses against your screaming fast box/ 
connection that serves up a bunch of half-baked web apps?

This [3, and attached below] looks like a useful learning / auditing  
tool. I haven't played with it yet. It makes me think of something  
that should be very important though: positive energy, and  
constructive interaction among the coders, management, and admins.  
Certain individuals could be offended if you covertly discover and  
point out the holes that they (may) have made.

You're privy to the logs, firewall, policy, and updates; they  
know the code. Work and learn together. :) My unsolicited 2 centavos.

Devin

[0] http://cr.yp.to/publicfile.html
[1] http://www.foundstone.com/resources/authoredbooks.htm
[2] http://www.amazon.com/exec/obidos/tg/detail/-/0130355488/qid=1127849581/sr=8-9/ref=pd_bbs_9/104-6928457-6609555?v=glance&s=books&n=507846
[3] http://www.owasp.org/software/webgoat.html
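The point about unthrottled password guessing above, as an added example that is not from the thread: a small detector that runs over constructed IIS-style W3C log lines and flags client IPs with a burst of failed logins. The field order (date time c-ip cs-method cs-uri-stem sc-status) and the /login.aspx path are assumptions; adjust them to match the #Fields directive of your own logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in IIS W3C extended format.
# Assumed field order: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2005-09-27 16:00:01 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:02 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:03 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:04 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:05 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:06 203.0.113.9 POST /login.aspx 401
2005-09-27 16:00:10 198.51.100.4 POST /login.aspx 401
2005-09-27 16:00:20 198.51.100.4 POST /login.aspx 200
2005-09-27 16:05:00 192.0.2.7 GET /index.html 200
"""


def parse_line(line):
    """Split one W3C line into (timestamp, client_ip, method, uri, status)."""
    date, time, ip, method, uri, status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, method, uri, int(status)


def flag_guessers(log_text, threshold=5, window=timedelta(minutes=1),
                  login_uri="/login.aspx"):
    """Return IPs that produced >= threshold failed logins (401) within
    any sliding window of the given length. Lines starting with '#' are
    W3C directives and are skipped."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = set()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, ip, method, uri, status = parse_line(line)
        if method != "POST" or uri != login_uri or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_guessers(SAMPLE_LOG))  # ['203.0.113.9']
```

The flagged list is what you would feed a lockout or firewall rule; the 198.51.100.4 client, which fails once and then succeeds, stays below the threshold.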

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at owasp.org]
Sent: Tuesday, September 06, 2005 6:53 AM
To: pen-test at securityfocus.com
Subject: ANN: WebGoat 3.7 - Application Security hands-on learning environment

The *only* way to learn application security is to test applications
"hands on" and examine their source code. To encourage the next
generation of application security experts, the Open Web Application
Security Project (OWASP) has developed an extensive lesson-based
training environment called "WebGoat".

WebGoat is a lesson-based, deliberately insecure web application
designed to teach web application security. Each of the 25 lessons
provides the user an opportunity to demonstrate their understanding by
exploiting a real vulnerability. WebGoat provides the ability to examine
the underlying code to gain a better understanding of the vulnerability
as well as provide runtime hints to assist in solving each lesson. V3.7
includes lessons covering most of the OWASP Top Ten vulnerabilities and
contains several new lessons on web services, SQL Injection, and
authentication.

WebGoat 3.7 is available for free download from:

     http://www.owasp.org/software/webgoat.html

Simply unzip, run, and go to WebGoat in your browser to start learning.

The OWASP Foundation is dedicated to finding and fighting the causes of
insecure software. Find out more at http://www.owasp.org.

--Jeff
