BKSECJAV.RVW   990501

"Securing Java", Gary McGraw/Edward W. Felten, 1999, 0-471-31952-X,
U$34.99/C$54.50
%A   Gary McGraw gem@rstcorp.com
%A   Edward W. Felten felten@cs.princeton.edu
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1999
%G   0-471-31952-X
%I   John Wiley & Sons, Inc.
%O   U$34.99/C$54.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   324 p.
%T   "Securing Java: Getting Down to Business with Mobile Code"

Unlike Oaks' "Java Security" (cf. BKJAVASC.RVW), this book concentrates on Java in the popular perception: as a means of providing active code on the Web. As such it is intended not simply for techies, but also for dedicated users.

Chapter one provides a readily accessible backgrounder, covering portability, the Internet, the Web, active content, security risks, other active content systems, and a rough outline of the Java security model with particular regard to applets. The original Java applet security model, or "sandbox," is covered in chapter two. The security model is now complicated by signed code, and chapter three points out the changes made. Chapter four outlines a number of malicious applets, but also gives clear directions for disabling Java on both the Netscape and Internet Explorer browsers. The authors outline a second class of hostile applets, in chapter five, that are intended to breach system security and allow an attacker to bypass normal security mechanisms. There are suggestions for improving the security model, as well as a review of third party attempts to enhance it, in chapter six. (I was amused to see the slight lifting of the skirts of ICSA [International Computer Security Association]: the history of the outfit is a lot more interesting and convoluted even than is portrayed here.) Chapter seven is directed at programmers, but the advice provided looks at practices and policies rather than APIs (Application Programming Interfaces) and chunks of sample code. A version of Java specifically designed for Smart Cards is available, and chapter eight looks at its promises and problems. A recap and restatement of the major security issues in mobile code is given in chapter nine. Appendices provide a Java security FAQ, security resource pointers, and directions on Java code signing.

The text is quite readable. The authors have made a very serious attempt to ensure that the book does not depend upon previous technical background. For the most part, they have succeeded. The diligent reader would be able to understand most of the concepts as presented, even without having worked with computers or computer security. However, the key word is "diligent": it *feels* like a technical book, and newcomers to the topic may be put off by the style.

In addition, McGraw and Felten are careful to avoid any bias. They obviously feel that Java has some worthwhile security measures, but admit to its faults and point out its shortcomings. This makes the book extremely useful: much more so than an uncritical paean of praise.

An effective book on an important subject with a wide audience. But you don't have to take my word for it. You can try before you buy. The www.securingjava.com site does not simply contain a few press releases and the errata, but has the whole text of the book online. A bold step. (You can help justify it by then buying the book.)

copyright Robert M. Slade, 1999   BKSECJAV.RVW   990501