Web Hacking Exposed

Security is a broad topic that is only becoming broader as we become more reliant on computers for everything we do, from work to home to leisure, and our computers become more and more interconnected. Most of our computing experiences now require, or are enriched by, Internet connections, which means our systems are constantly exposed to foreign data of unknown or uncertain integrity. When you click search links, download applications, or configure Internet-facing servers, every line of code through which the data flows is potentially subject to a storm of probing for vulnerable configuration, flawed programming logic, and buggy implementation, even within the confines of a corporate network. Your data and computing resources are worth money in the Web 2.0 economy, and where there's money, there are people who want to steal it.

As the Web has evolved, we've also seen the criminals evolve. Ten years ago, the threat was an email-borne macro virus that deleted your data. Five years ago, it was automatically propagating worms that used buffer overflows to enlist computers into distributed denial of service attack networks. Three years ago, the prevalent threat became malware that spreads to your computer when you visit infected websites and that subsequently delivers popup ads and upsells you rogue anti-malware. More recently, malware uses all these propagation techniques to spread into a stealthy distributed network of general-purpose "bots" that serve up your data, perform denial-of-service, or spew spam. The future is one of targeted malware that is deliberately low-volume and customized for classes of user, specific corporations, or even a single individual.

We've also seen computer security evolve. Antivirus is everywhere, from the routers on the edge to servers, clients, and soon, mobile devices. Firewalls are equally ubiquitous and lock down unused entry and exit pathways. Operating systems and applications are written with security in mind and are hardened with defense-in-depth measures such as no-execute and address layout randomization. Users can't access corporate networks without passing health assessments.

One thing is clear: there's no declaration of victory possible in this battle. It's a constant struggle where winning means keeping the criminals at bay another day. And there's also no clear-cut strategy for success. Security in practice requires risk assessment, and successful risk assessment requires a deep understanding of both the threats and the defensive technologies.

It's this ability to help you perform accurate risk assessment that makes Hacking Exposed Windows valuable. There are few places where you can get a one-stop look at the security landscape in which Windows lives. Joel and his fellow contributors have done an outstanding job of documenting the latest advances in threats, including buffer overflows, rootkits, and cross-site scripting, as well as defensive technologies such as no-execute, Vista's UAC, and address space layout randomization. If understanding Windows security is anywhere in your job description, I highly recommend reading this book from back to front and keeping it as a reference for your ongoing battle.

-Mark Russinovich
Technical Fellow, Microsoft Corporation

(Forewords to prior editions are in the Archive)

Copyright © 2008. All Rights Reserved.