book

Security for Web Developers

Name: Security for Web Developers
Author: John Paul Mueller
ISBN: 9781491928707

by John Paul Mueller

November 2015

Intermediate to advanced

384 pages

10h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
About This BookWhat You Need to KnowDevelopment Environment ConsiderationsIcons Used in This BookConventions Used in This BookWhere to Get More InformationUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
I. Developing a Security Plan
1. Defining the Application Environment
Specifying Web Application ThreatsUnderstanding Software Security Assurance (SSA)Considering the OSSAPDefining SSA RequirementsCategorizing Data and ResourcesPerforming the Required AnalysisDelving into Language-Specific IssuesDefining the Key HTML IssuesDefining the Key CSS IssuesDefining the Key JavaScript IssuesConsidering Endpoint Defense EssentialsPreventing Security BreachesDetecting Security BreachesRemediating Broken SoftwareDealing with Cloud StorageUsing External Code and ResourcesDefining the Use of LibrariesDefining the Use of APIsDefining the Use of MicroservicesAccessing External DataAllowing Access by Others
2. Embracing User Needs and Expectations
Developing a User View of the ApplicationConsidering Bring Your Own Device (BYOD) IssuesUnderstanding Web-Based Application SecurityConsidering Native App IssuesUsing Custom BrowsersVerifying Code Compatibility IssuesHandling Nearly Continuous Device UpdatesDevising Password AlternativesWorking with PassphrasesUsing Biometric SolutionsRelying on Key CardsRelying on USB KeysImplementing a Token StrategyFocusing on User ExpectationsMaking the Application Easy to UseMaking the Application FastCreating a Reliable EnvironmentKeeping Security in Perspective
3. Getting Third-Party Assistance
Discovering Third-Party Security SolutionsConsidering Cloud Security SolutionsUnderstanding Data RepositoriesDealing with File Sharing IssuesConsidering Cloud StorageChoosing Between Product TypesWorking with LibrariesAccessing APIsConsidering Microservices
II. Applying Successful Coding Practices
4. Developing Successful Interfaces
Assessing the User InterfaceCreating a Clear InterfaceMaking Interfaces FlexibleProviding User AidsDefining the Accessibility IssuesProviding Controlled ChoicesChoosing a User Interface Solution LevelImplementing Standard HTML ControlsWorking with CSS ControlsCreating Controls Using JavaScriptValidating the InputAllowing Specific Input OnlyLooking for Sneaky InputsRequesting New InputUsing Both Client-Side and Server-Side ValidationExpecting the Unexpected
5. Building Reliable Code
Differentiating Reliability and SecurityDefining the Roles of Reliability and SecurityAvoiding Security Holes in Reliable CodeFocusing on Application FunctionalityDeveloping Team ProtocolsCreating a Lessons Learned Feedback LoopConsidering Issues of Packaged SolutionsDealing with External LibrariesDealing with External APIsWorking with FrameworksCalling into Microservices
6. Incorporating Libraries
Considering Library UsesEnhancing CSS with LibrariesInteracting with HTML Using LibrariesExtending JavaScript with LibrariesDifferentiating Between Internally Stored and Externally Stored LibrariesDefining the Security Threats Posed by LibrariesEnabling Strict ModeDeveloping a Content Security Policy (CSP)Incorporating Libraries SafelyResearching the Library FullyDefining the Precise Library UsesKeeping Library Size Small and Content FocusedPerforming the Required TestingDifferentiating Between Libraries and Frameworks
7. Using APIs with Care
Differentiating Between APIs and LibrariesConsidering the Differences in PopularityDefining the Differences in UsageExtending JavaScript Using APIsLocating Appropriate APIsCreating a Simple ExampleDefining the Security Threats Posed by APIsRuining Your Good Name with MailPoetDeveloping a Picture of the SnappeningLosing Your Device with Find My iPhoneLeaking Your Most Important Information with HeartbleedSuffering from ShellshockAccessing APIs Safely from JavaScriptVerifying API SecurityTesting Inputs and OutputsKeeping Data Localized and SecureCoding Defensively

8. Considering the Use of Microservices
Defining MicroservicesSpecifying Microservice CharacteristicsDifferentiating Microservices and LibrariesDifferentiating Microservices and APIsConsidering Microservice PoliticsMaking Microservice Calls Using JavaScriptUnderstanding the Role of REST in CommunicationTransmitting Data Using JSONCreating a Microservice Using Node.js and SenecaDefining the Security Threats Posed by MicroservicesLack of ConsistencyConsidering the Role of the Virtual MachineUsing JSON for Data TransfersDefining Transport Layer SecurityCreating Alternate Microservice Paths
III. Creating Useful and Efficient Testing Strategies
9. Thinking Like a Hacker
Defining a Need for Web Security ScansBuilding a Testing SystemConsidering the Test System UsesGetting the Required TrainingCreating the Right EnvironmentUsing Virtual MachinesGetting the ToolsConfiguring the SystemRestoring the SystemDefining the Most Common Breach SourcesAvoiding SQL Injection AttacksUnderstanding Cross-Site ScriptingTackling Denial-of-Service IssuesNipping Predictable Resource LocationOvercoming Unintentional Information DisclosureTesting in a BYOD EnvironmentConfiguring a Remote Access ZoneChecking for Cross-Application HacksDealing with Really Ancient Equipment and SoftwareRelying on User TestingLetting the User Run AmokDeveloping Reproducible StepsGiving the User a VoiceUsing Outside Security TestersConsidering the Penetration Testing CompanyManaging the ProjectCovering the EssentialsGetting the Report
10. Creating an API Safety Zone
Understanding the Concept of an API Safety ZoneDefining the Need for an API Safety ZoneEnsuring Your API WorksEnabling Rapid DevelopmentCertifying the Best Possible IntegrationVerifying the API Behaves Under LoadKeeping the API Safe from HackersDeveloping with an API SandboxUsing an Off-the-Shelf SolutionUsing Other Vendors’ SandboxesConsidering Virtual EnvironmentsDefining the Virtual EnvironmentDifferentiating Virtual Environments and SandboxingImplementing VirtualizationRelying on Application Virtualization
11. Checking Libraries and APIs for Holes
Creating a Testing PlanConsidering Goals and ObjectivesTesting Internal LibrariesTesting Internal APIsTesting External LibrariesTesting External APIsExtending Testing to MicroservicesTesting Libraries and APIs IndividuallyCreating a Test Harness for LibrariesCreating Testing Scripts for APIsExtending Testing Strategies to MicroservicesDeveloping Response StrategiesPerforming Integration TestingTesting for Language-Specific IssuesDevising Tests for HTML IssuesDevising Tests for CSS IssuesDevising Tests for JavaScript Issues
12. Using Third-Party Testing
Locating Third-Party Testing ServicesDefining the Reasons for Hiring the Third PartyConsidering the Range of Possible Testing ServicesEnsuring the Third Party Is LegitimateInterviewing the Third PartyPerforming Tests on a Test SetupCreating a Testing PlanSpecifying the Third-Party Goals in TestingGenerating a Written Test PlanEnumerating the Test Output and Reporting RequirementsConsidering Test RequirementsImplementing a Testing PlanDetermining Organizational Participation in TestingBeginning the Testing ProcessPerforming Required Test MonitoringHandling Unexpected Testing IssuesUsing the Resulting ReportsDiscussing the Report Output with the Third PartyPresenting the Report to the OrganizationActing on Testing Recommendations
IV. Implementing a Maintenance Cycle
13. Clearly Defining Upgrade Cycles
Developing a Detailed Upgrade Cycle PlanLooking for UpgradesDetermining Upgrade RequirementsDefining Upgrade CriticalityChecking Upgrades for IssuesCreating Test ScenariosImplementing the ChangesCreating an Upgrade Testing SchedulePerforming the Required Pre-TestingPerforming the Required Integration TestingMoving an Upgrade to Production
14. Considering Update Options
Differentiating Between Upgrades and UpdatesDetermining When to UpdateWorking Through Library UpdatesWorking Through API and Microservice UpdatesAccepting Automatic UpdatesUpdating Language SuitesCreating a Supported Language ListObtaining Reliable Language SpecialistsVerifying the Language-Specific Prompts Work with the ApplicationEnsuring Data Appears in the Correct FormatDefining the Special Requirements for Language Support TestingPerforming Emergency UpdatesAvoiding Emergencies When PossibleCreating a Fast Response TeamPerforming Simplified TestingCreating a Permanent Update ScheduleCreating an Update Testing Schedule
15. Considering the Need for Reports
Using Reports to Make ChangesAvoiding Useless ReportsTiming Reports to Upgrades and UpdatesUsing Automatically Generated ReportsUsing Custom ReportsCreating Consistent ReportsUsing Reports to Perform Specific Application TasksCreating Internal ReportsDetermining Which Data Sources to UseSpecifying Report UsesRelying on Externally Generated ReportsObtaining Completed Reports from Third PartiesDeveloping Reports from Raw DataKeeping Internal Data SecureProviding for User FeedbackObtaining User FeedbackDetermining the Usability of User Feedback
V. Locating Security Resources
16. Tracking Current Security Threats
Developing Sources for Security Threat InformationReading Security-Related Articles by ExpertsChecking Security SitesGetting Input from ConsultantsAvoiding Information OverloadCreating a Plan for Upgrades Based on ThreatsAnticipating Situations that Require No Action at AllDeciding Between an Upgrade or an UpdateDefining an Upgrade PlanCreating a Plan for Updates Based on ThreatsVerifying Updates Address ThreatsDetermining Whether the Threat Is an EmergencyDefining an Update PlanAsking for Updates from Third Parties
17. Getting Required Training
Creating an In-House Security Training PlanDefining Needed TrainingSetting Reasonable GoalsUsing In-House TrainersMonitoring the ResultsObtaining Third-Party Training for DevelopersSpecifying the Training RequirementsHiring a Third-Party Trainer for Your OrganizationUsing Online SchoolsRelying on Training CentersUsing Local Colleges and UniversitiesEnsuring Users Are Security AwareMaking Security Training SpecificCombining Training with Written GuidesCreating and Using Alternative Security RemindersHolding Training Effectiveness Checks
Index

Content preview from Security for Web Developers

Chapter 7. Using APIs with Care

APIs provide a means of using full-blown applications on someone else’s server to meet your specific needs. Working with an API means sending a request to a black box and receiving a response of some sort back. The request can be as simple as a function call, but often requires that you supply data. The response can be in the form of data, but could also be some other service. For example, there are APIs for performing physical tasks such as opening doors. In fact, APIs can likely meet any generic need you might require. This chapter discusses the security implications of using APIs, including how APIs differ from libraries.

Part of discovering the security threats that APIs represent is viewing coded examples. This chapter uses a simple example as part of the explanation process. Although you could use the target API for a significant number of application tasks, the point is to create some to use for discussion purposes and then look at how the use of an API could create problems for any application. View the example in this chapter as a point of discussion, rather than an actual programming technique.

Note

Although this chapter does discuss specific APIs in both coded examples and as examples of where APIs can go wrong, the intent isn’t to single out any particular API. Every API you use could have serious flaws that enable a hacker to gain access to your system or cause other sorts of problems for your application. The specific examples help ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Developer's Guide to Web Application Security

Publisher Resources

ISBN: 9781491928684Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security for Web Developers

by John Paul Mueller

Chapter 7. Using APIs with Care

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.