Preface

“Companies Lose $400 Billion to Hackers Each Year”1

Inc. Magazine

A cybersecurity market report issued by Cybersecurity Ventures in Q4 of 2015 stated that cyber attacks are costing businesses between $400 and $500 billion a year.2 Along the same lines, IT security spending was set to increase by 4.7% in 2015 to $75.4 billion USD, with an estimate that the world would spend upward of $101 billion on information security in 2018, growing to $170 billion in 2020. Against this backdrop, a cybersecurity workforce shortage of 1.5 million people is projected by 2019, as demand is expected to rise to 6 million that year.

As web and application developers, designers, engineers, and creators, we are no longer living in an age where we can offload the knowledge of identity and data security to someone else. A web developer who does not understand how to properly protect data in transmission can unwittingly open a security flaw on a site. A project manager who does not realize that a once-secure password algorithm has since been shown to be flawed, and who does not prioritize the work of rehashing the database of user records, can open a major attack vector in an application. It is now the business of every person working on a system to take part in ensuring that users and data are protected.

Despite this awareness, it seems like every week we have new cases of companies, from startups to massive corporations, losing privileged user information, credit card data, medical records, and many other pieces of information that they are entrusted to protect. It has come to light that many of these same organizations never took the time to encrypt data properly, storing everything in plain text, just waiting for some hacker to abuse it.

The true problem is that hacking is no longer just the business of individuals wanting to prove that they can breach a system; it is now a realm of organized businesses, hacking for money or to damage the business.

This is where this text comes in. As we explore each chapter and concept, you’ll learn how to plug holes in existing systems, protect against viable attack vectors, and work in environments that are sometimes naturally insecure. We’ll look at concepts such as the following:

  • Understanding the state of web and application security

  • Building secure password encryption, and combating password attack vectors

  • Creating digital fingerprints to identify users through browser, device, and paired-device detection

  • Building secure data transmission systems through OAuth and OpenID Connect

  • Using alternate methods of identification for a second factor of authentication

  • Hardening your web applications against attack

  • Creating a secure data transmission system using SSL/TLS and symmetric and asymmetric cryptography

In the end, you’ll have a comprehensive understanding of the current state of identity and data security, knowing how to protect yourself against potential attacks and how to protect your users from having the data they entrusted to you compromised.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, datatypes, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.

Tip

This element signifies a tip or suggestion.

Note

This element signifies a general note.

Warning

This element indicates a warning or caution.

Safari® Books Online

Safari Books Online is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business.

Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.

Safari Books Online offers a range of plans and pricing for enterprise, government, education, and individuals.

Members have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and hundreds more. For more information about Safari Books Online, please visit us online.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

  • O’Reilly Media, Inc.
  • 1005 Gravenstein Highway North
  • Sebastopol, CA 95472
  • 800-998-9938 (in the United States or Canada)
  • 707-829-0515 (international or local)
  • 707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://bit.ly/identity-and-data-security.

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly

Follow us on Twitter: http://twitter.com/oreillymedia

Watch us on YouTube: http://www.youtube.com/oreillymedia

Acknowledgments

First of all we would like to thank the O’Reilly crew for publishing this book and enabling us to share our knowledge, thoughts, and opinions with many individuals around the world. A huge special thanks goes out to our editor, Meg Foley, who has been patient, supportive, and helpful throughout the process of finishing this work.

Our thanks also go out to Lenny Markus, Allen Tom, and Aaron Parecki, who patiently reviewed this book’s manuscript and helped to improve its quality tremendously.

We’d also like to thank our developer relations team for proofreading, providing critique, and freeing us up to work on this book.

Finally, we’d like to express our gratitude to you, our readers, for buying this book. We hope you enjoy it!

Jonathan

I’d like to start out by thanking my partner in crime, Tim, for being an amazing co-author to work with. Without our continued conversations, building up and breaking down all of our ideas into new amazing hybrids of their original selves, this book wouldn’t be what it is today. Your ideas, drive, and humor made this one of my favorite experiences.

To my wife, Heather, you’ve helped to keep me sane when I decided to write my first book almost five years ago. Despite the fact that I forgot how much time away that took, you stood by me when I decided to write another one. Without you, I could not have kept my sanity and drive throughout this process. You have always been by my side to encourage me to chase my dreams. You’ve been my biggest advocate through all of this, and I love you for that.

To my daughter, Scarlett, throughout the time that I have had the pleasure to be your father, you have brought a calming effect into my life. With constant chaos, you have allowed me to see that the world doesn’t have to be as serious as I used to think it was. You’ve brought a peace into my life that I will always thank you for.

To my group, my friends. We may all go our separate ways, be split through companies and across the world, but I will always see you as some of my closest friends. We have been through so much together and have sacrificed a lot. Despite all that, you have been our supporters through everything we have gone through, boosting us up, allowing us to succeed. Thank you.

Tim

I’d like to thank Jonathan, who’s not only been a fantastic colleague and friend, but also a great coauthor on this book. It was brilliant to be able to bounce ideas and thoughts back and forth, and I am positive that the book would have been far less interesting without your influence, support, and work.

My wife, Karin, deserves a huge thank you—and probably an even bigger bouquet of flowers—for granting me all the time I needed in order to finish my work on this book.

Joe Nash, Alan Wong, Steven Cooper, and Cristiano Betta have been a fantastic team throughout the time of authoring this book and deserve to be mentioned here.

I am grateful for everyone who encouraged me to write this piece and saw me rambling about security concepts and usability concepts on various stages.

A special mention goes to Danese Cooper, PayPal’s Head of Open Source, who strongly encouraged me to write down my thoughts beyond blog posts.

Finally, I would like to thank both John Lunn and Taylor Nguyen, who supported me tremendously in writing this book and gave me support and advice throughout my career.
