BKSCFUEC.RVW 20020108

"Security Fundamentals for E-Commerce", Vesna Hassler, 2001, 1-58053-108-3, U$83.00
%A Vesna Hassler hassler@infosys.tuwien.ac.at
%C 685 Canton St., Norwood, MA 02062
%D 2001
%G 1-58053-108-3
%I Artech House/Horizon
%O U$83.00 800-225-9977 fax: 617-769-6334 artech@artech-house.com
%P 409 p.
%T "Security Fundamentals for E-Commerce"

"The purpose of this book is to give an in-depth overview of all the basic security problems and solutions that can be relevant for an e-commerce application." I'm sorry, but "in-depth overview" sounds a bit like "jumbo shrimp": it's an oxymoron. And "all the basic security problems and solutions that can be relevant for an e-commerce application" covers a lot of ground. (Which is, I suppose, why this text has twenty-two chapters.)

Part one explains the basics of information security. Chapter one defines some of the basic jargon, but misses a number of the important fundamental terms. For example, the relationship between threats, vulnerabilities and exploits is fairly basic to security and risk analysis, and yet all security problems seem to be lumped together as threats. The examination of security mechanisms, in chapter two, is limited to cryptography. Key management is restricted to X.509 certificates and Diffie-Hellman in chapter three.

Part two looks specifically at the security of electronic payment systems. Chapter four briefly lists a wide variety of payment systems. A terse set of payment security problems is given in chapter five, while some seemingly random cryptographic solutions are given in six. A little bit of math for functions directed at electronic cash and cheques is presented in chapters seven and eight, respectively. Chapter nine describes the Internet Open Trading Protocol.

Part three deals with communications security. Chapter ten is a general look at networking. Chapters eleven to fourteen examine different systems for security at different layers, but the depth of coverage is very inconsistent: extremely terse in some cases, with many gaps, and yet delving into minute detail in others.

Part four examines Web security. Chapter fifteen details the HyperText Transfer Protocol (HTTP), which is good, since few texts bother to do so. Random topics related to Web servers make up chapter sixteen. Web client security topics are dealt with somewhat better in chapter seventeen, although cookies aren't given any significant discussion. Active content does get its own chapter: eighteen concentrates almost exclusively on Java. Chapter nineteen contains miscellaneous topics.

Part five covers some special issues for mobile or agent computing. Agent technology is described in chapter twenty, some cellular phone topics are reviewed in twenty-one, and smart card security is discussed in twenty-two.

Well, overview it is. The book does cover a variety of topics, although there are a great many gaps and holes. However, "in-depth" can't be supported, except in a very few cases. There are some topics that are discussed in excruciating detail, but they are definitely in the minority. As a college text this undoubtedly has its uses, but professionals or businesspeople will find the inconsistent coverage problematic.

copyright Robert M. Slade, 2002 BKSCFUEC.RVW 20020108