Security for Web Developers PDF

382 Pages·2015·9.07 MB·English
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security for Web Developers

Security for Web Developers
Using JavaScript, HTML, and CSS
John Paul Mueller
O'Reilly Media, Boston

Security for Web Developers by John Paul Mueller
Copyright © 2016 John Mueller. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Editor: Meg Foley
Production Editor: Nicole Shelby
Copyeditor: Jasmine Kwityn
Proofreader: Kim Cofer
Technical Editors: Russ Mullen, Billy Rios, and Wade Woolwine
Indexer: Lucie Haskins
Interior Designer: David Futato
Cover Designer: Randy Comer
Illustrator: Rebecca Demarest

November 2015: First Edition
Revision History for the First Edition
2015-11-09: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491928646 for release details.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-92864-6 [LSI]

This book is dedicated to the medical professionals who have helped restore my health— who have listened to all my woes and found ways to address them. Yes, I did need to follow the advice, but they were the ones who offered it. Good health is an exceptionally grand gift.

Table of Contents

Preface ... xv

Part I. Developing a Security Plan

1. Defining the Application Environment ... 1
   Specifying Web Application Threats ... 2
   Understanding Software Security Assurance (SSA) ... 7
   Considering the OSSAP ... 7
   Defining SSA Requirements ... 9
   Categorizing Data and Resources ... 10
   Performing the Required Analysis ... 11
   Delving into Language-Specific Issues ... 14
   Defining the Key HTML Issues ... 14
   Defining the Key CSS Issues ... 15
   Defining the Key JavaScript Issues ... 16
   Considering Endpoint Defense Essentials ... 17
   Preventing Security Breaches ... 17
   Detecting Security Breaches ... 18
   Remediating Broken Software ... 19
   Dealing with Cloud Storage ... 20
   Using External Code and Resources ... 22
   Defining the Use of Libraries ... 22
   Defining the Use of APIs ... 24
   Defining the Use of Microservices ... 25
   Accessing External Data ... 27
   Allowing Access by Others ... 28

2. Embracing User Needs and Expectations ... 31
   Developing a User View of the Application ... 31
   Considering Bring Your Own Device (BYOD) Issues ... 33
   Understanding Web-Based Application Security ... 34
   Considering Native App Issues ... 35
   Using Custom Browsers ... 36
   Verifying Code Compatibility Issues ... 38
   Handling Nearly Continuous Device Updates ... 41
   Devising Password Alternatives ... 42
   Working with Passphrases ... 43
   Using Biometric Solutions ... 44
   Relying on Key Cards ... 46
   Relying on USB Keys ... 47
   Implementing a Token Strategy ... 48
   Focusing on User Expectations ... 49
   Making the Application Easy to Use ... 49
   Making the Application Fast ... 49
   Creating a Reliable Environment ... 50
   Keeping Security in Perspective ... 50

3. Getting Third-Party Assistance ... 53
   Discovering Third-Party Security Solutions ... 54
   Considering Cloud Security Solutions ... 56
   Understanding Data Repositories ... 57
   Dealing with File Sharing Issues ... 59
   Considering Cloud Storage ... 62
   Choosing Between Product Types ... 63
   Working with Libraries ... 64
   Accessing APIs ... 65
   Considering Microservices ... 66

Part II. Applying Successful Coding Practices

4. Developing Successful Interfaces ... 71
   Assessing the User Interface ... 72
   Creating a Clear Interface ... 72
   Making Interfaces Flexible ... 75
   Providing User Aids ... 78
   Defining the Accessibility Issues ... 79
   Providing Controlled Choices ... 82
   Choosing a User Interface Solution Level ... 86
   Implementing Standard HTML Controls ... 86
   Working with CSS Controls ... 86
   Creating Controls Using JavaScript ... 89
   Validating the Input ... 90
   Allowing Specific Input Only ... 90
   Looking for Sneaky Inputs ... 91
   Requesting New Input ... 92
   Using Both Client-Side and Server-Side Validation ... 92
   Expecting the Unexpected ... 93

5. Building Reliable Code ... 95
   Differentiating Reliability and Security ... 96
   Defining the Roles of Reliability and Security ... 97
   Avoiding Security Holes in Reliable Code ... 100
   Focusing on Application Functionality ... 101
   Developing Team Protocols ... 102
   Creating a Lessons Learned Feedback Loop ... 105
   Considering Issues of Packaged Solutions ... 107
   Dealing with External Libraries ... 107
   Dealing with External APIs ... 109
   Working with Frameworks ... 111
   Calling into Microservices ... 114

6. Incorporating Libraries ... 117
   Considering Library Uses ... 118
   Enhancing CSS with Libraries ... 118
   Interacting with HTML Using Libraries ... 121
   Extending JavaScript with Libraries ... 123
   Differentiating Between Internally Stored and Externally Stored Libraries ... 125
   Defining the Security Threats Posed by Libraries ... 126
   Enabling Strict Mode ... 128
   Developing a Content Security Policy (CSP) ... 131
   Incorporating Libraries Safely ... 132
   Researching the Library Fully ... 133
   Defining the Precise Library Uses ... 134
   Keeping Library Size Small and Content Focused ... 134
   Performing the Required Testing ... 136
   Differentiating Between Libraries and Frameworks ... 136

7. Using APIs with Care ... 141
   Differentiating Between APIs and Libraries ... 142
   Considering the Differences in Popularity ... 142
   Defining the Differences in Usage ... 143
   Extending JavaScript Using APIs ... 145
   Locating Appropriate APIs ... 145
   Creating a Simple Example ... 146
   Defining the Security Threats Posed by APIs ... 151
   Ruining Your Good Name with MailPoet ... 151
   Developing a Picture of the Snappening ... 152
   Losing Your Device with Find My iPhone ... 153
   Leaking Your Most Important Information with Heartbleed ... 153
   Suffering from Shellshock ... 154
   Accessing APIs Safely from JavaScript ... 154
   Verifying API Security ... 154
   Testing Inputs and Outputs ... 155
   Keeping Data Localized and Secure ... 156
   Coding Defensively ... 157

8. Considering the Use of Microservices ... 159
   Defining Microservices ... 160
   Specifying Microservice Characteristics ... 160
   Differentiating Microservices and Libraries ... 161
   Differentiating Microservices and APIs ... 162
   Considering Microservice Politics ... 162
   Making Microservice Calls Using JavaScript ... 164
   Understanding the Role of REST in Communication ... 165
   Transmitting Data Using JSON ... 166
   Creating a Microservice Using Node.js and Seneca ... 167
   Defining the Security Threats Posed by Microservices ... 169
   Lack of Consistency ... 170
   Considering the Role of the Virtual Machine ... 170
   Using JSON for Data Transfers ... 171
   Defining Transport Layer Security ... 173
   Creating Alternate Microservice Paths ... 174

Part III. Creating Useful and Efficient Testing Strategies

9. Thinking Like a Hacker ... 177
   Defining a Need for Web Security Scans ... 178
   Building a Testing System ... 182
   Considering the Test System Uses ... 182
   Getting the Required Training ... 183
   Creating the Right Environment ... 184

Description:
tions, is essential to ensuring that hackers can't simply view the credentials used to access the application in organization buckets of money. For example, click the AngularJS link in the table shown.