Security for Web Developers

Book Description

As a web developer, you may not want to spend time making your web app secure, but it definitely comes with the territory. This practical guide provides you with the latest information on how to thwart security threats at several levels, including new areas such as microservices. You’ll learn how to help protect your app no matter where it runs, from the latest smartphone to an older desktop, and everything in between.

Table of Contents

Preface
  About This Book
  What You Need to Know
  Development Environment Considerations
  Icons Used in This Book
  Conventions Used in This Book
  Where to Get More Information
  Using Code Examples
  Safari® Books Online
  How to Contact Us
  Acknowledgments
Part I. Developing a Security Plan
Chapter 1. Defining the Application Environment
  Specifying Web Application Threats
  Understanding Software Security Assurance (SSA)
    Considering the OSSAP
    Defining SSA Requirements
    Categorizing Data and Resources
    Performing the Required Analysis
  Delving into Language-Specific Issues
    Defining the Key HTML Issues
    Defining the Key CSS Issues
    Defining the Key JavaScript Issues
  Considering Endpoint Defense Essentials
    Preventing Security Breaches
    Detecting Security Breaches
    Remediating Broken Software
  Dealing with Cloud Storage
  Using External Code and Resources
    Defining the Use of Libraries
    Defining the Use of APIs
    Defining the Use of Microservices
    Accessing External Data
  Allowing Access by Others
Chapter 2. Embracing User Needs and Expectations
  Developing a User View of the Application
  Considering Bring Your Own Device (BYOD) Issues
    Understanding Web-Based Application Security
    Considering Native App Issues
    Using Custom Browsers
    Verifying Code Compatibility Issues
    Handling Nearly Continuous Device Updates
  Devising Password Alternatives
    Working with Passphrases
    Using Biometric Solutions
    Relying on Key Cards
    Relying on USB Keys
    Implementing a Token Strategy
  Focusing on User Expectations
    Making the Application Easy to Use
    Making the Application Fast
    Creating a Reliable Environment
    Keeping Security in Perspective
Chapter 3. Getting Third-Party Assistance
  Discovering Third-Party Security Solutions
  Considering Cloud Security Solutions
    Understanding Data Repositories
    Dealing with File Sharing Issues
    Considering Cloud Storage
  Choosing Between Product Types
    Working with Libraries
    Accessing APIs
    Considering Microservices
Part II. Applying Successful Coding Practices
Chapter 4. Developing Successful Interfaces
  Assessing the User Interface
    Creating a Clear Interface
    Making Interfaces Flexible
    Providing User Aids
    Defining the Accessibility Issues
  Providing Controlled Choices
  Choosing a User Interface Solution Level
    Implementing Standard HTML Controls
    Working with CSS Controls
    Creating Controls Using JavaScript
  Validating the Input
    Allowing Specific Input Only
    Looking for Sneaky Inputs
    Requesting New Input
    Using Both Client-Side and Server-Side Validation
  Expecting the Unexpected
Chapter 5. Building Reliable Code
  Differentiating Reliability and Security
    Defining the Roles of Reliability and Security
    Avoiding Security Holes in Reliable Code
    Focusing on Application Functionality
  Developing Team Protocols
  Creating a Lessons Learned Feedback Loop
  Considering Issues of Packaged Solutions
    Dealing with External Libraries
    Dealing with External APIs
    Working with Frameworks
    Calling into Microservices
Chapter 6. Incorporating Libraries
  Considering Library Uses
    Enhancing CSS with Libraries
    Interacting with HTML Using Libraries
    Extending JavaScript with Libraries
  Differentiating Between Internally Stored and Externally Stored Libraries
  Defining the Security Threats Posed by Libraries
    Enabling Strict Mode
    Developing a Content Security Policy (CSP)
  Incorporating Libraries Safely
    Researching the Library Fully
    Defining the Precise Library Uses
    Keeping Library Size Small and Content Focused
    Performing the Required Testing
  Differentiating Between Libraries and Frameworks
Chapter 7. Using APIs with Care
  Differentiating Between APIs and Libraries
    Considering the Differences in Popularity
    Defining the Differences in Usage
  Extending JavaScript Using APIs
    Locating Appropriate APIs
    Creating a Simple Example
  Defining the Security Threats Posed by APIs
    Ruining Your Good Name with MailPoet
    Developing a Picture of the Snappening
    Losing Your Device with Find My iPhone
    Leaking Your Most Important Information with Heartbleed
    Suffering from Shellshock
  Accessing APIs Safely from JavaScript
    Verifying API Security
    Testing Inputs and Outputs
    Keeping Data Localized and Secure
    Coding Defensively
Chapter 8. Considering the Use of Microservices
  Defining Microservices
    Specifying Microservice Characteristics
    Differentiating Microservices and Libraries
    Differentiating Microservices and APIs
    Considering Microservice Politics
  Making Microservice Calls Using JavaScript
    Understanding the Role of REST in Communication
    Transmitting Data Using JSON
    Creating a Microservice Using Node.js and Seneca
  Defining the Security Threats Posed by Microservices
    Lack of Consistency
    Considering the Role of the Virtual Machine
    Using JSON for Data Transfers
    Defining Transport Layer Security
  Creating Alternate Microservice Paths
Part III. Creating Useful and Efficient Testing Strategies
Chapter 9. Thinking Like a Hacker
  Defining a Need for Web Security Scans
  Building a Testing System
    Considering the Test System Uses
    Getting the Required Training
    Creating the Right Environment
    Using Virtual Machines
    Getting the Tools
    Configuring the System
    Restoring the System
  Defining the Most Common Breach Sources
    Avoiding SQL Injection Attacks
    Understanding Cross-Site Scripting
    Tackling Denial-of-Service Issues
    Nipping Predictable Resource Location
    Overcoming Unintentional Information Disclosure
  Testing in a BYOD Environment
    Configuring a Remote Access Zone
    Checking for Cross-Application Hacks
    Dealing with Really Ancient Equipment and Software
  Relying on User Testing
    Letting the User Run Amok
    Developing Reproducible Steps
    Giving the User a Voice
  Using Outside Security Testers
    Considering the Penetration Testing Company
    Managing the Project
    Covering the Essentials
    Getting the Report
Chapter 10. Creating an API Safety Zone
  Understanding the Concept of an API Safety Zone
  Defining the Need for an API Safety Zone
    Ensuring Your API Works
    Enabling Rapid Development
    Certifying the Best Possible Integration
    Verifying the API Behaves Under Load
    Keeping the API Safe from Hackers
  Developing with an API Sandbox
    Using an Off-the-Shelf Solution
    Using Other Vendors’ Sandboxes
  Considering Virtual Environments
    Defining the Virtual Environment
    Differentiating Virtual Environments and Sandboxing
    Implementing Virtualization
    Relying on Application Virtualization
Chapter 11. Checking Libraries and APIs for Holes
  Creating a Testing Plan
    Considering Goals and Objectives
    Testing Internal Libraries
    Testing Internal APIs
    Testing External Libraries
    Testing External APIs
    Extending Testing to Microservices
  Testing Libraries and APIs Individually
    Creating a Test Harness for Libraries
    Creating Testing Scripts for APIs
    Extending Testing Strategies to Microservices
    Developing Response Strategies
  Performing Integration Testing
  Testing for Language-Specific Issues
    Devising Tests for HTML Issues
    Devising Tests for CSS Issues
    Devising Tests for JavaScript Issues
Chapter 12. Using Third-Party Testing
  Locating Third-Party Testing Services
    Defining the Reasons for Hiring the Third Party
    Considering the Range of Possible Testing Services
    Ensuring the Third Party Is Legitimate
    Interviewing the Third Party
    Performing Tests on a Test Setup
  Creating a Testing Plan
    Specifying the Third-Party Goals in Testing
    Generating a Written Test Plan
    Enumerating the Test Output and Reporting Requirements
    Considering Test Requirements
  Implementing a Testing Plan
    Determining Organizational Participation in Testing
    Beginning the Testing Process
    Performing Required Test Monitoring
    Handling Unexpected Testing Issues
  Using the Resulting Reports
    Discussing the Report Output with the Third Party
    Presenting the Report to the Organization
    Acting on Testing Recommendations
Part IV. Implementing a Maintenance Cycle
Chapter 13. Clearly Defining Upgrade Cycles
  Developing a Detailed Upgrade Cycle Plan
    Looking for Upgrades
    Determining Upgrade Requirements
    Defining Upgrade Criticality
    Checking Upgrades for Issues
    Creating Test Scenarios
    Implementing the Changes
  Creating an Upgrade Testing Schedule
    Performing the Required Pre-Testing
    Performing the Required Integration Testing
  Moving an Upgrade to Production
Chapter 14. Considering Update Options
  Differentiating Between Upgrades and Updates
  Determining When to Update
    Working Through Library Updates
    Working Through API and Microservice Updates
    Accepting Automatic Updates
  Updating Language Suites
    Creating a Supported Language List
    Obtaining Reliable Language Specialists
    Verifying the Language-Specific Prompts Work with the Application
    Ensuring Data Appears in the Correct Format
    Defining the Special Requirements for Language Support Testing
  Performing Emergency Updates
    Avoiding Emergencies When Possible
    Creating a Fast Response Team
    Performing Simplified Testing
    Creating a Permanent Update Schedule
  Creating an Update Testing Schedule
Chapter 15. Considering the Need for Reports
  Using Reports to Make Changes
    Avoiding Useless Reports
    Timing Reports to Upgrades and Updates
    Using Automatically Generated Reports
    Using Custom Reports
    Creating Consistent Reports
    Using Reports to Perform Specific Application Tasks
  Creating Internal Reports
    Determining Which Data Sources to Use
    Specifying Report Uses
  Relying on Externally Generated Reports
    Obtaining Completed Reports from Third Parties
    Developing Reports from Raw Data
    Keeping Internal Data Secure
  Providing for User Feedback
    Obtaining User Feedback
    Determining the Usability of User Feedback
Part V. Locating Security Resources
Chapter 16. Tracking Current Security Threats
  Developing Sources for Security Threat Information
    Reading Security-Related Articles by Experts
    Checking Security Sites
    Getting Input from Consultants
  Avoiding Information Overload
  Creating a Plan for Upgrades Based on Threats
    Anticipating Situations that Require No Action at All
    Deciding Between an Upgrade or an Update
    Defining an Upgrade Plan
  Creating a Plan for Updates Based on Threats
    Verifying Updates Address Threats
    Determining Whether the Threat Is an Emergency
    Defining an Update Plan
    Asking for Updates from Third Parties
Chapter 17. Getting Required Training
  Creating an In-House Security Training Plan
    Defining Needed Training
    Setting Reasonable Goals
    Using In-House Trainers
    Monitoring the Results
  Obtaining Third-Party Training for Developers
    Specifying the Training Requirements
    Hiring a Third-Party Trainer for Your Organization
    Using Online Schools
    Relying on Training Centers
    Using Local Colleges and Universities
  Ensuring Users Are Security Aware
    Making Security Training Specific
    Combining Training with Written Guides
    Creating and Using Alternative Security Reminders
    Holding Training Effectiveness Checks
Index