Netshine Review:
I was really looking
forward to reading this book, as there is certainly a need for an
authoritative and easy-to-use volume on Joomla site security.
Unfortunately, I was rather disappointed.
Whilst this book will point you in the right direction as far as
securing your site is concerned, it lacks the clarity and detail I was
hoping for. Sometimes it is assumed that you already have a strong and
thorough technical knowledge. In my opinion, many items were not
explained thoroughly or clearly enough for the average Joomla site
owner, or even the budding extension developer, although the later
chapters do provide a little more detail. I also found myself
disagreeing with the author's opinion at times.
The good bits:
It makes mention of all the most important strategies for securing a
Joomla site. Even if the clarity and detail are lacking at times, you at
least have a starting point for further research. I liked the
description of the steps that a browser and server go through to
establish an SSL connection (although that information is not
particularly useful, it was one of the few things that I thought was
well presented). The book also introduces the reader to a number of
very useful software tools.
Chapter 10, about incident management, is excellent and gives you
plenty to think about. My only complaint about that chapter is the
US-bias when talking about law enforcement. The appendix is also very
good, providing a quick reference guide to dip into when you need it.
The bad bits:
MD5 hashes on software downloads - we are told to check that the hash
matches the file, but not told what the hash is exactly, nor how to
check it!
php.ini - told to check certain settings, but not
told exactly what php.ini is, where to find it, or what to do if you
don't have access to it (a later chapter provides a little more
information, but still not enough).
In some parts of the book (in particular, dealing
with file and folder permissions and .htaccess), it is assumed you are
running on a Linux operating system with Apache. If this is not the
case for you (e.g. if you are running IIS on Windows), some of the
material in this book may leave you feeling very confused, as it will
make no sense whatsoever unless you have some familiarity with Linux.
Insufficient warning is given about the impact
logging tools can have on your site (I was going to say no warning is
given, but finally, on page 183, we get a small mention of performance
degradation). If you install a Joomla component that logs statistics in
your database, this can have a huge impact on the performance of your
site, in particular, it could cause significant difficulties in
creating backups, restoring backups, or moving your site to a new
location. Some balance must be achieved between optimum security and
performance and usability. In my opinion, a Joomla component is not the
right tool for logging statistics - use a dedicated script with file
logging, not database logging.
A quote (about death and taxes) is incorrectly
attributed to Mark Twain rather than Benjamin Franklin. I was also
doubtful about the accuracy of an anecdote about messengers, tattoos,
and beheading - but I'll let you make your own mind up about that!
Several attack examples are mentioned and
even bogus sample code presented, but without any real explanation of
how they work or why the code is being shown. Just showing a page full
of obscure hex code does nothing to educate the reader on how an attack
works or what to do about it.
In summary, if you are a complete novice, this book will probably just
frustrate you. If you are technically competent and have time to do
further research, this book will provide a good, if at times confusing,
basis for further investigation. If you are already fairly well
clued-up on server configuration and security, you probably won't need
this book, but it might help fill in some of the gaps and inform you
about the security needs and tools peculiar to Joomla sites.