book

Security for Web Developers

by John Paul Mueller

November 2015

Intermediate to advanced

384 pages

10h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

About This BookWhat You Need to KnowDevelopment Environment ConsiderationsIcons Used in This BookConventions Used in This BookWhere to Get More InformationUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Specifying Web Application ThreatsUnderstanding Software Security Assurance (SSA)Considering the OSSAPDefining SSA RequirementsCategorizing Data and ResourcesPerforming the Required AnalysisDelving into Language-Specific IssuesDefining the Key HTML IssuesDefining the Key CSS IssuesDefining the Key JavaScript IssuesConsidering Endpoint Defense EssentialsPreventing Security BreachesDetecting Security BreachesRemediating Broken SoftwareDealing with Cloud StorageUsing External Code and ResourcesDefining the Use of LibrariesDefining the Use of APIsDefining the Use of MicroservicesAccessing External DataAllowing Access by Others
Developing a User View of the ApplicationConsidering Bring Your Own Device (BYOD) IssuesUnderstanding Web-Based Application SecurityConsidering Native App IssuesUsing Custom BrowsersVerifying Code Compatibility IssuesHandling Nearly Continuous Device UpdatesDevising Password AlternativesWorking with PassphrasesUsing Biometric SolutionsRelying on Key CardsRelying on USB KeysImplementing a Token StrategyFocusing on User ExpectationsMaking the Application Easy to UseMaking the Application FastCreating a Reliable EnvironmentKeeping Security in Perspective
Discovering Third-Party Security SolutionsConsidering Cloud Security SolutionsUnderstanding Data RepositoriesDealing with File Sharing IssuesConsidering Cloud StorageChoosing Between Product TypesWorking with LibrariesAccessing APIsConsidering Microservices
Assessing the User InterfaceCreating a Clear InterfaceMaking Interfaces FlexibleProviding User AidsDefining the Accessibility IssuesProviding Controlled ChoicesChoosing a User Interface Solution LevelImplementing Standard HTML ControlsWorking with CSS ControlsCreating Controls Using JavaScriptValidating the InputAllowing Specific Input OnlyLooking for Sneaky InputsRequesting New InputUsing Both Client-Side and Server-Side ValidationExpecting the Unexpected
Differentiating Reliability and SecurityDefining the Roles of Reliability and SecurityAvoiding Security Holes in Reliable CodeFocusing on Application FunctionalityDeveloping Team ProtocolsCreating a Lessons Learned Feedback LoopConsidering Issues of Packaged SolutionsDealing with External LibrariesDealing with External APIsWorking with FrameworksCalling into Microservices
Considering Library UsesEnhancing CSS with LibrariesInteracting with HTML Using LibrariesExtending JavaScript with LibrariesDifferentiating Between Internally Stored and Externally Stored LibrariesDefining the Security Threats Posed by LibrariesEnabling Strict ModeDeveloping a Content Security Policy (CSP)Incorporating Libraries SafelyResearching the Library FullyDefining the Precise Library UsesKeeping Library Size Small and Content FocusedPerforming the Required TestingDifferentiating Between Libraries and Frameworks
Differentiating Between APIs and LibrariesConsidering the Differences in PopularityDefining the Differences in UsageExtending JavaScript Using APIsLocating Appropriate APIsCreating a Simple ExampleDefining the Security Threats Posed by APIsRuining Your Good Name with MailPoetDeveloping a Picture of the SnappeningLosing Your Device with Find My iPhoneLeaking Your Most Important Information with HeartbleedSuffering from ShellshockAccessing APIs Safely from JavaScriptVerifying API SecurityTesting Inputs and OutputsKeeping Data Localized and SecureCoding Defensively

Defining MicroservicesSpecifying Microservice CharacteristicsDifferentiating Microservices and LibrariesDifferentiating Microservices and APIsConsidering Microservice PoliticsMaking Microservice Calls Using JavaScriptUnderstanding the Role of REST in CommunicationTransmitting Data Using JSONCreating a Microservice Using Node.js and SenecaDefining the Security Threats Posed by MicroservicesLack of ConsistencyConsidering the Role of the Virtual MachineUsing JSON for Data TransfersDefining Transport Layer SecurityCreating Alternate Microservice Paths
Defining a Need for Web Security ScansBuilding a Testing SystemConsidering the Test System UsesGetting the Required TrainingCreating the Right EnvironmentUsing Virtual MachinesGetting the ToolsConfiguring the SystemRestoring the SystemDefining the Most Common Breach SourcesAvoiding SQL Injection AttacksUnderstanding Cross-Site ScriptingTackling Denial-of-Service IssuesNipping Predictable Resource LocationOvercoming Unintentional Information DisclosureTesting in a BYOD EnvironmentConfiguring a Remote Access ZoneChecking for Cross-Application HacksDealing with Really Ancient Equipment and SoftwareRelying on User TestingLetting the User Run AmokDeveloping Reproducible StepsGiving the User a VoiceUsing Outside Security TestersConsidering the Penetration Testing CompanyManaging the ProjectCovering the EssentialsGetting the Report
Understanding the Concept of an API Safety ZoneDefining the Need for an API Safety ZoneEnsuring Your API WorksEnabling Rapid DevelopmentCertifying the Best Possible IntegrationVerifying the API Behaves Under LoadKeeping the API Safe from HackersDeveloping with an API SandboxUsing an Off-the-Shelf SolutionUsing Other Vendors’ SandboxesConsidering Virtual EnvironmentsDefining the Virtual EnvironmentDifferentiating Virtual Environments and SandboxingImplementing VirtualizationRelying on Application Virtualization
Creating a Testing PlanConsidering Goals and ObjectivesTesting Internal LibrariesTesting Internal APIsTesting External LibrariesTesting External APIsExtending Testing to MicroservicesTesting Libraries and APIs IndividuallyCreating a Test Harness for LibrariesCreating Testing Scripts for APIsExtending Testing Strategies to MicroservicesDeveloping Response StrategiesPerforming Integration TestingTesting for Language-Specific IssuesDevising Tests for HTML IssuesDevising Tests for CSS IssuesDevising Tests for JavaScript Issues
Locating Third-Party Testing ServicesDefining the Reasons for Hiring the Third PartyConsidering the Range of Possible Testing ServicesEnsuring the Third Party Is LegitimateInterviewing the Third PartyPerforming Tests on a Test SetupCreating a Testing PlanSpecifying the Third-Party Goals in TestingGenerating a Written Test PlanEnumerating the Test Output and Reporting RequirementsConsidering Test RequirementsImplementing a Testing PlanDetermining Organizational Participation in TestingBeginning the Testing ProcessPerforming Required Test MonitoringHandling Unexpected Testing IssuesUsing the Resulting ReportsDiscussing the Report Output with the Third PartyPresenting the Report to the OrganizationActing on Testing Recommendations
Developing a Detailed Upgrade Cycle PlanLooking for UpgradesDetermining Upgrade RequirementsDefining Upgrade CriticalityChecking Upgrades for IssuesCreating Test ScenariosImplementing the ChangesCreating an Upgrade Testing SchedulePerforming the Required Pre-TestingPerforming the Required Integration TestingMoving an Upgrade to Production
Differentiating Between Upgrades and UpdatesDetermining When to UpdateWorking Through Library UpdatesWorking Through API and Microservice UpdatesAccepting Automatic UpdatesUpdating Language SuitesCreating a Supported Language ListObtaining Reliable Language SpecialistsVerifying the Language-Specific Prompts Work with the ApplicationEnsuring Data Appears in the Correct FormatDefining the Special Requirements for Language Support TestingPerforming Emergency UpdatesAvoiding Emergencies When PossibleCreating a Fast Response TeamPerforming Simplified TestingCreating a Permanent Update ScheduleCreating an Update Testing Schedule
Using Reports to Make ChangesAvoiding Useless ReportsTiming Reports to Upgrades and UpdatesUsing Automatically Generated ReportsUsing Custom ReportsCreating Consistent ReportsUsing Reports to Perform Specific Application TasksCreating Internal ReportsDetermining Which Data Sources to UseSpecifying Report UsesRelying on Externally Generated ReportsObtaining Completed Reports from Third PartiesDeveloping Reports from Raw DataKeeping Internal Data SecureProviding for User FeedbackObtaining User FeedbackDetermining the Usability of User Feedback
Developing Sources for Security Threat InformationReading Security-Related Articles by ExpertsChecking Security SitesGetting Input from ConsultantsAvoiding Information OverloadCreating a Plan for Upgrades Based on ThreatsAnticipating Situations that Require No Action at AllDeciding Between an Upgrade or an UpdateDefining an Upgrade PlanCreating a Plan for Updates Based on ThreatsVerifying Updates Address ThreatsDetermining Whether the Threat Is an EmergencyDefining an Update PlanAsking for Updates from Third Parties
Creating an In-House Security Training PlanDefining Needed TrainingSetting Reasonable GoalsUsing In-House TrainersMonitoring the ResultsObtaining Third-Party Training for DevelopersSpecifying the Training RequirementsHiring a Third-Party Trainer for Your OrganizationUsing Online SchoolsRelying on Training CentersUsing Local Colleges and UniversitiesEnsuring Users Are Security AwareMaking Security Training SpecificCombining Training with Written GuidesCreating and Using Alternative Security RemindersHolding Training Effectiveness Checks

Content preview from Security for Web Developers

Chapter 4. Developing Successful Interfaces

Applications rely on interfaces to interact with the user. When the interface is flawed, the user’s opinion of the application diminishes and user satisfaction suffers. Every security solution you can conceive of depends on the goodwill of the user to make it a reality. Yes, you can attempt Draconian measures to force user participation, but often these measures result in the user constantly finding ways to overcome security, rather than work with it. In most cases, you receive the best results when the user is on your side, which means making an effort to create an interface the user can appreciate (in that it makes the application so easy to use that the application almost disappears from view). Of course, you do need to ensure the application enforces policies. Therefore, this chapter looks at both the carrot (user cooperating) and the stick (enforced policies) of application security from the interface perspective.

It’s important to make the carrot part of the equation obvious. A user sees various kinds of eye candy, helpful tips, and a clear interface as signs that the developer really cares about the application and how the user views it. Making the user experience pleasant is essential.

The stick part of the equation is usually hidden and subtle. For example, instead of asking the user to type the name of a state, the application prevents unauthorized entries by creating a state list and having the user select from the list. Although ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Developer's Guide to Web Application Security

Publisher Resources

ISBN: 9781491928684Errata Page

Security for Web Developers

by John Paul Mueller

Chapter 4. Developing Successful Interfaces

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Developer's Guide to Web Application Security

Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Web Security for Developers

Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely

Publisher Resources

Chapter 4. Developing Successful Interfaces

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Developer's Guide to Web Application Security

Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Web Security for Developers

Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.