Book Review: Hacking Exposed Web Applications: Web Application Security Secrets and Solutions, 3rd Edition 

Download Article Article in Digital Form

Hacking Exposed Web Applications: Web Application Security Secrets and Solutions, 3rd Edition is an eye-opening resource for grasping the realities of today’s web application security landscape. Accomplished authors Joel Scambray, Vincent Liu and Caleb Sima understand the landscape of the latest web application vulnerabilities as well as the exploitation techniques and tradecrafts that are being deployed against those vulnerabilities.

As businesses push more of their information and commerce to their customers through web applications, the confidentiality and integrity of these transactions is their fundamental, if not mandatory, responsibility. This publication aims to satisfy the needs of those with the need to understand and justify why a control (or corporate expenditure) is necessary. The authors collaborate to provide an easy-to-understand comprehensive blueprint for application developers, security professionals and the auditors charged with living up to this responsibility. Its intended audience is broad, from those with little knowledge or hands-on experience in preventing or detecting web application security to the experienced.

Hacking Exposed Web Applications, begins with a broad overview of web application hacking tools and techniques while showing concrete examples. Each chapter describes one aspect of the attack methodology. Once read as a learning guide or textbook, it should become a desk reference for the business library.

Applicable to all industries, the first section of the book is devoted to describing the basics: web application hacking, infrastructure and application profiling, and web application platforms. The meat of the book is devoted to describing attacks: web authentication and authorization attacks, input injection attacks, web application management attacks, and web client hacks. The second half of the book is devoted to the web application security program and reflects the major components of the full-knowledge methodology: threat modeling, code review and security testing. This third edition embraces the framework concept and integrates the cumulative learning to this point into an “ideal” enterprise web application security program.

Two aspects of the book are of particular note. The book’s focus is on identifying, exploiting and mitigating common web application security holes, with an emphasis on server-side flaws, which is expected. However, the book then addresses web-client exploits and vulnerabilities. The authors go beyond the company boundaries to include client exploits: a best-practice exercise for today’s security professionals to think beyond their corporate perimeters when brainstorming vulnerabilities and developing their security programs. Second, Hacking Exposed Web Applications is written from the perspective of an intruder—another best-practice rule of thumb for those tasked with securing the organization.

The book ends with a comprehensive web application security checklist that summarizes many recommendations and countermeasures made throughout the book, and also serves as a discreet reminder of the many security best practices that should be considered when designing and operating any web application.

The strength of the 450-page book lies in its practicality and usefulness. The authors share a plethora of reference sites and further reading tips, cautions, notes, and best practices. Whether a business leader attempting to understand the threat space for in an enterprise, an engineer tasked with writing code for sites, or a security engineer attempting to identify and mitigate the threats to an application, all readers will benefit from this publication.

Editor’s Note

Hacking Exposed Web Applications: Web Application Security Secrets and Solutions, 3rd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Connie Spinelli, CISA, CFE, CIA, CMA, CPA
is a risk management consultant providing governance risk and compliance (GRC), enterprise risk management (ERM) and Sarbanes-Oxley/internal audit program infrastructure solutions and education. Utilizing her experiences and training in the areas of management accounting; internal and external financial, IT and operational audit; and business process risks and controls, Spinelli is in a unique position to strategically work with all members of the C-suite to help them reach their compliance, financial and operational risk management goals. As well as owning her own consulting practice, GRC Solutions LLC, she is a subject matter expert contract writer for Protiviti, a business consulting and internal audit firm.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.