book

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

June 2016

Beginner

200 pages

4h 26m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Conventions Used in This BookSafari® Books OnlineHow to Contact UsAcknowledgmentsJonathanTim
1. Introduction
The Problems with Current Security ModelsPoor Password ChoicesSecurity over UsabilityImproper Data EncryptionThe Weakest Link: Human BeingsSingle Sign-onUnderstanding Entropy in Password SecurityEntropy in Randomly Selected PasswordsEntropy in Human-Selected PasswordsBreaking Down System Usage of a Username and PasswordSecuring Our Current Standards for IdentityGood and Bad Security AlgorithmsWhat Data Should Be Protected?Account Recovery Mechanisms and Social EngineeringThe Problem with Security QuestionsNext Up
2. Password Encryption, Hashing, and Salting
Data at Rest Versus Data in MotionData at RestData in MotionPassword Attack VectorsBrute-Force AttackCreating a CAPTCHA with reCAPTCHADictionary AttacksReverse Lookup TablesRainbow TablesSaltingGenerating a Random SaltSalt ReuseSalt LengthWhere to Store the SaltPepperingChoosing the Right Password Hashing FunctionbcryptPBKDF2scryptValidating a Password Against a Hashed ValueKey StretchingRecomputing HashesNext Steps
3. Identity Security Fundamentals
Understanding Various Identity TypesSocial IdentityConcrete IdentityThin IdentityEnhancing User Experience by Utilizing IdentityIntroducing Trust ZonesBrowser FingerprintingConfigurations More Resistant to Browser FingerprintingIdentifiable Browser InformationCapturing Browser DetailsLocation-Based TrackingDevice Fingerprinting (Phone/Tablet)Device Fingerprinting (Bluetooth Paired Devices)Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
The Difference Between Authentication and AuthorizationAuthenticationAuthorizationWhat Are OAuth and OpenID Connect?Introducing OAuth 2.0Handling Authorization with OAuth 2.0Using the Bearer TokenAuthorization and Authentication with OpenID ConnectSecurity Considerations Between OAuth 2 and OAuth 1.0aBuilding an OAuth 2.0 ServerCreating the Express ApplicationSetting Up Our Server’s DatabaseGenerating Authorization Codes and TokensThe Authorization EndpointHandling a Token’s LifetimeHandling Resource RequestsUsing Refresh TokensHandling ErrorsAdding OpenID Connect Functionality to the ServerThe ID Token SchemaModifying the Authorization EndpointAdjusting the Token EndpointThe UserInfo EndpointSession Management with OpenID ConnectBuilding an OAuth 2 ClientUsing Authorization CodesAuthorization Using Resource Owner Credentials or Client CredentialsAdding OpenID Connect Functionality to the ClientThe OpenID Connect Basic FlowBeyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
Device and Browser FingerprintingTwo-Factor Authentication and n-Factor Authenticationn-Factor AuthenticationOne-Time PasswordsImplementing Two-Factor Authentication with AuthyBiometrics as Username Instead of PasswordHow to Rate Biometric EffectivenessFace RecognitionRetina and Iris ScanningVein RecognitionUpcoming StandardsFIDO AllianceOzThe BlockchainWrap Up
6. Hardening Web Applications
Securing SessionsTypes of SessionsHow Express Handles SessionsHandling XSSThe Three Types of XSS AttacksTesting XSS Protection MechanismsConclusionCSRF AttacksHandling CSRF with csurfValuable Resources for NodeLuscaHelmetNode Security ProjectOther Mitigation TechniquesOur Findings
7. Data Transmission Security
SSL/TLSCertificate Validation Types and AuthoritiesCreating Your Own Self-Signed Certificate for TestingAsyncronous CryptographyUse CaseImplementation ExampleAdvantages, Disadvantages, and Uses of Aynchronous CryptographySynchronous CryptographyInitialization VectorPaddingBlock Cipher Modes of OperationUsing AES with CTR Encryption ModeUsing AES with with GCM Authenticated Encryption ModeAdvantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
On ES6/ES2015Setting Up Your Node.js EnvironmentManaging Node Versions or Alternative InstallationsInstalling the Express GeneratorSetting Up ExpressCreating and Maintaining Your package.json FileApplication ConfigurationWorking with JSON/URL-Encoded Bodies in Express

Glossary
Index

Content preview from Identity and Data Security for Web Development

Glossary

2FA / Two-factor authentication: The process of using a secondary means of identification during a login or user discovery step. Typically, your first authentication system is a username and password, then your second factor of authentication may be a code provided by SMS to a registered phone number, a registered fingerprint, code via email, etc.
Ciphertext: Unreadable output of an encryption algorithm.
Cleartext: Human-readable data that is transmitted or stored unencrypted.
EFF: The Electronic Frontier Foundation. A nonprofit dedicated to protecting user privacy and civil liberties in the digital world.
Entropy: In the context of identity, this concerns the amount of information that is discoverable about users, determining the likelihood that users are who they say they are.
MFA: Multifactor authentication is a means of user identification that requires more than one method of authenication (username and password, SMS code, email code, fingerprint, etc.).
NIST: The National Institute of Standards and Technology, a unit of the US Commerce Department. NIST promotes and maintains measurement standards and maintains active programs for encouraging and assisting industry and science to develop and use these standards.
OWASP: The Open Web Application Security Project is a community that maintains tools, documentation, and guides in the field of web application security, and is considered a forefront standard in the space.
Plain text: Human-readable data that is ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491937006Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Identity and Data Security for Web Development

by Jonathan LeBlanc, Tim Messerschmidt

Glossary

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.