Library

The Java environment is relatively secure, as far as network programming languages go. Java has strong security, but not perfect security. Securing Java explains the known security problems with the language and points out steps that programmers can take to prevent bad guys from taking advantage of their Java-based systems.

Authors Gary McGraw and Edward W. Felten begin with the sandbox--the original Java security model. They then explain why the sandbox, while secure, was too restrictive and was combined with a code-signing model in Java 2.

After explaining how security ought to work, Securing Java reveals a menagerie of applets that have circumvented Java security to achieve a variety of noisome and damaging ends. The authors reveal enough information about these applets to show where the dangers are, and they offer security tips for programmers and network administrators.

McGraw and Felten include a brief but well-informed chapter about the security issues raised by the Java Card environment and smart cards generally. A couple of question-and-answer sections toward the end of Securing Java also deserve special recognition. One, on Java security as a whole, provides succinct and accurate answers to questions about how secure Java is and what you can do to minimize your Java security risk. The other Q&A section compares--fairly and with plenty of information--the security features of Java and ActiveX. --David Wall