E-Commerce Security : Weak Links, Best Defenses


List Price: $34.99

Rating: 0 stars
Summary: Praise for "E-Commerce Security: Weak Links, Best Defenses"
Review: "This is a very important book. It deals with the realistic security problems of electronic commerce, in which the weak links are ubiquitous and the best defenses known today are only partial solutions. It is mandatory reading for anyone thinking about getting into e-commerce, because otherwise you will be enormously at risk."
--Peter G. Neumann, Moderator of the Risks Forum and author of "Computer-Related Risks".


"Clear, lucid, right on target, and comprehensive... Anup Ghosh covers all major categories of digital risk, including client software, transmissions protocols, web-commerce servers and the operating system. If you manage any part of an organization's Internet connection, you owe it to yourself to read this book."
--Peter Tippett, M.D., Ph.D. President, ICSA (International Computer Security Association)

"As business blossoms on the Net, technology professionals are hard pressed to keep up with the attendant security threats. Anup Ghosh knows the territory. His expert survey of the technologies, the war stories and the available resources is required reading."
--Benjamin Wright, Attorney and author of "The Law of Electronic Commerce".

"Anup Ghosh has produced a comprehensive and balanced treatment of e-commerce security issues that addresses the risks at all points of the link between buyer and seller. His readable and realistic analysis explores, not just the vulnerabilities of the network, but also the loopholes in client and server software and operating systems. In this rapidly changing environment, "E-Commerce Security: Weak Links, Best Defenses" is an up-to-date appraisal: Ghosh goes well beyond the obvious threats to illuminate many issues that deserve the thoughtful attention of corporate e-commerce architects."
--Peter Coffee Advanced Technologies Analyst, PC Week Labs

"This book is a comprehensive guide for anyone who is concerned about security risks associated with E-commerce."
--Aviel D. Rubin Secure Systems Research Department AT&T Labs


"The book is to the point, easy to read, comprehensive, and up to date. It deals with an issue of critical importance to anyone contemplating or involved in business on the Internet. Explanations are exceptionally clear."
--M.E. Kabay, Ph.D. Director of Education ICSA (International Computer Security Association)



Rating: 4 stars
Summary: An overall
Review: A very good starting book to understand the security aspects of e-commerce. Correct views (e.g. the author emphasized the importance of the security of two communication ends) and moderate knowledge.

Rating: 4 stars
Summary: Good coverage of Web-related e-commerce security issues
Review: The title is ever so slightly misleading in that the topic is not electronic commerce as a whole, but the (admittedly most popular) Web segment of it. However, within this limit, the book does provide solid coverage and good advice for a whole range of issues.

Chapter one is a general introduction to the factors involved, looking at some recent "attacks" of various types, and then reviewing the client, transport, server, and operating system components to be examined in the remainder of the book. Client (generally browser) flaws are covered thoroughly in chapter two. The breadth of coverage even includes mention of topics such as the concern for privacy considerations with cookies. Active content is the major concern, with an excellent discussion of ActiveX (entitled "ActiveX [In]security"), a reasonably detailed review of the Java security model, and a look at JavaScript. Unfortunately, very little of this touches directly on e-commerce as such, except insofar as insecure client technology is going to make e-commerce a harder sell to the general public. While covering the transport of transaction information, in chapter three, Ghosh makes an interesting distinction between stored account systems (where you want to secure the transmission of identification data) and stored value systems (where the data, once transmitted, is useless to an eavesdropper). Many books concentrate on either channel security or electronic cash systems, so this comparison is instructive.

A server involves multiple programs, and may involve multiple machines. Server security can quickly become complex, and this is quite evident in chapter four. While a great deal of useful and thought-provoking information is presented, the complicated nature of the undertaking works against this chapter. Not all topics are dealt with thoroughly, or as well as the previous material was. Oddly, one issue not covered in depth is the firewall, which is handled very well in chapter five, with operating system problems. Ghosh sets up a classification scheme for OS attacks, illustrated by specific weaknesses in Windows NT and UNIX.

The book ends in chapter six with a call for certification of software, greater attention to security in all forms of software, and, interestingly, for greater use of component software. (From the jacket material, it appears that Ghosh is currently involved in the promotion of component software systems.)

Each chapter ends with a set of references. Unlike all too many books with bibliographies stuffed with obscure citations from esoteric journals, the bulk of the material listed is available on the Internet. A separate section lists Web sites used in the text.

The various issues dealt with in the book are explained clearly, and generally present counsel on the best practices for secure online commerce. A compact but comprehensive guide to the current state of electronic transaction security.

Rating: 5 stars
Summary: great overview of the security issues for internet commerce
Review: This book is an excellent overview of the fundamental problems that need to be solved in order to build a secure internet-commerce system. It covers client-, server-, protocol-, and OS- related security holes and pitfalls. The author did a very good job of both painting the broad picture as well as giving concrete, real-world examples. I'm new to the e-commerce domain and this book did an excellent job of introducing me to the manifold pitfalls awaiting the unaware. I also very much liked how the author recommended concrete but general steps to take in order to avoid or minimize each category of vulnerability which he identified. A fascinating book on a fascinating topic.

Rating: 4 stars
Summary: well organized and well written
Review: This is an outstanding book--well organized and well written, it serves as an introduction as well as review.

Highly recommended for beginners because it is very easy to understand and a brilliant introduction to e-commerce security issues. Also highly recommended for experienced users, as it provides a good overview in a concise manner.



© 2004, ReviewFocus or its affiliates