Books : reviews

Gary McGraw, Edward W. Felten.
Java Security.
Wiley. 1997

rating : 3.5 : worth reading
review : 3 June 1997

The scale of use of the Web has opened up a whole can of security worms. It is now too easy to download, often unknowingly, all sorts of programs with a single mouse click, any one of which could potentially run riot on your own machine, trashing your hard disc or stealing your valuable data. Yet simply switching off downloading to stop the problems removes the possibility of getting all the great stuff, too. Java, in boldly claiming to provide a solution to this Web security problem, inevitably lays itself open to criticism and backlash when it fails. But a few problems in the implementation don't mean Java should be abandoned; they just mean that work is needed to plug the gaps. At least the creators of Java are bold enough to address, rather than try to ignore, the problem.

The authors of this slim volume are experts on Java security, and their purpose is to provide Java users (and nowadays that is practically anyone who uses a Web browser) with enough information to decide for themselves whether and when to trust Java. The answer, unsurprisingly, is "it depends".

The authors lucidly, if rather repetitively, describe the Java model, attack threats, risks, and strategies for reducing risks. The advice basically boils down to: don't leave Java enabled if you visit a dodgy site [but who takes much notice of the little URLs at the bottom of the screen when they're busy surfing?] and don't surf from the machine holding all your critical data.

Several well-publicised Java security holes are described in reasonable detail. All these particular holes have since been fixed in the latest versions of Web browsers, and so are risks no more. But the descriptions of the problems are valuable for helping to give a feel for the kind of security problems that Java can have, and for the kind of security it is trying to provide.

This is a good short read (a couple of hours, tops) for bringing someone quickly up to speed with Java philosophy and problems, and it gives them enough background to enable them to tackle the more in-depth material that is necessary to really understand what's going on.