Identity and Data Security for Web Development. Best Practices - Helion

ebook

Autor: Jonathan LeBlanc, Tim Messerschmidt
ISBN: 978-14-919-3696-2
stron: 204, Format: ebook
Data wydania: 2016-06-06
Księgarnia: Helion

Cena książki: 126,65 zł (poprzednio: 147,27 zł)
Oszczędzasz: 14% (-20,62 zł)

Osoby, które kupiły tę książkę, wybierały także »

Developers, designers, engineers, and creators can no longer afford to pass responsibility for identity and data security onto others. Web developers who don’t understand how to obscure data in transmission, for instance, can open security flaws on a site without realizing it. With this practical guide, you’ll learn how and why everyone working on a system needs to ensure that users and data are protected.

Authors Jonathan LeBlanc and Tim Messerschmidt provide a deep dive into the concepts, technology, and programming methodologies necessary to build a secure interface for data and identity—without compromising usability. You’ll learn how to plug holes in existing systems, protect against viable attack vectors, and work in environments that sometimes are naturally insecure.

Understand the state of web and application security today
Design security password encryption, and combat password attack vectors
Create digital fingerprints to identify users through browser, device, and paired device detection
Build secure data transmission systems through OAuth and OpenID Connect
Use alternate methods of identification for a second factor of authentication
Harden your web applications against attack
Create a secure data transmission system using SSL/TLS, and synchronous and asynchronous cryptography

Osoby które kupowały "Identity and Data Security for Web Development. Best Practices", wybierały także:

Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
DevOps w praktyce. Kurs video. Jenkins, Ansible, Terraform i Docker 190,00 zł, (39,90 zł -79%)
Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)

Spis treści

Identity and Data Security for Web Development. Best Practices eBook -- spis treści

Preface
- Conventions Used in This Book
- Safari Books Online
- How to Contact Us
- Acknowledgments
  - Jonathan
  - Tim
1. Introduction
- The Problems with Current Security Models
  - Poor Password Choices
  - Security over Usability
  - Improper Data Encryption
- The Weakest Link: Human Beings
  - Single Sign-on
- Understanding Entropy in Password Security
  - Entropy in Randomly Selected Passwords
  - Entropy in Human-Selected Passwords
- Breaking Down System Usage of a Username and Password
- Securing Our Current Standards for Identity
  - Good and Bad Security Algorithms
    - The good
    - The bad (for passwords)
- What Data Should Be Protected?
  - Account Recovery Mechanisms and Social Engineering
  - The Problem with Security Questions
- Next Up
2. Password Encryption, Hashing, and Salting
- Data at Rest Versus Data in Motion
  - Data at Rest
  - Data in Motion
- Password Attack Vectors
  - Brute-Force Attack
  - Creating a CAPTCHA with reCAPTCHA
  - Dictionary Attacks
  - Reverse Lookup Tables
  - Rainbow Tables
- Salting
  - Generating a Random Salt
  - Salt Reuse
  - Salt Length
  - Where to Store the Salt
- Peppering
- Choosing the Right Password Hashing Function
  - bcrypt
  - PBKDF2
  - scrypt
  - Validating a Password Against a Hashed Value
- Key Stretching
- Recomputing Hashes
- Next Steps
3. Identity Security Fundamentals
- Understanding Various Identity Types
  - Social Identity
  - Concrete Identity
  - Thin Identity
- Enhancing User Experience by Utilizing Identity
- Introducing Trust Zones
- Browser Fingerprinting
  - Configurations More Resistant to Browser Fingerprinting
  - Identifiable Browser Information
  - Capturing Browser Details
    - User agent
    - Time zone
    - Screen resolution
    - Plug-ins
- Location-Based Tracking
- Device Fingerprinting (Phone/Tablet)
- Device Fingerprinting (Bluetooth Paired Devices)
- Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
- The Difference Between Authentication and Authorization
  - Authentication
  - Authorization
- What Are OAuth and OpenID Connect?
  - Introducing OAuth 2.0
    - OAuth 1.0 versus OAuth 2.0
  - Handling Authorization with OAuth 2.0
  - Using the Bearer Token
  - Authorization and Authentication with OpenID Connect
    - UserInfo endpoint and Claims
    - User authentication
    - The ID Token
- Security Considerations Between OAuth 2 and OAuth 1.0a
- Building an OAuth 2.0 Server
- Creating the Express Application
- Setting Up Our Servers Database
  - Generating Authorization Codes and Tokens
    - Authorization Codes
    - Access Tokens
    - Refresh Tokens
    - Generation of codes and tokens
  - The Authorization Endpoint
  - Handling a Tokens Lifetime
  - Handling Resource Requests
  - Using Refresh Tokens
  - Handling Errors
    - Using error handlers
- Adding OpenID Connect Functionality to the Server
  - The ID Token Schema
  - Modifying the Authorization Endpoint
  - Adjusting the Token Endpoint
  - The UserInfo Endpoint
  - Session Management with OpenID Connect
- Building an OAuth 2 Client
  - Using Authorization Codes
    - Storing tokens on the Client
    - Custom schemes
  - Authorization Using Resource Owner Credentials or Client Credentials
- Adding OpenID Connect Functionality to the Client
  - The OpenID Connect Basic Flow
- Beyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
- Device and Browser Fingerprinting
- Two-Factor Authentication and n-Factor Authentication
  - n-Factor Authentication
  - One-Time Passwords
  - Implementing Two-Factor Authentication with Authy
- Biometrics as Username Instead of Password
- How to Rate Biometric Effectiveness
  - Face Recognition
  - Retina and Iris Scanning
  - Vein Recognition
- Upcoming Standards
  - FIDO Alliance
    - UAF
    - U2F
  - Oz
  - The Blockchain
  - Wrap Up
6. Hardening Web Applications
- Securing Sessions
  - Types of Sessions
    - Whats a cookie?
    - Whats a session?
  - How Express Handles Sessions
    - Using genid
    - Best practices when dealing with sessions
- Handling XSS
  - The Three Types of XSS Attacks
  - Testing XSS Protection Mechanisms
    - Circumventing XSS Auditor
  - Conclusion
- CSRF Attacks
  - Handling CSRF with csurf
- Valuable Resources for Node
  - Lusca
  - Helmet
  - Node Security Project
- Other Mitigation Techniques
- Our Findings
7. Data Transmission Security
- SSL/TLS
  - Certificate Validation Types and Authorities
    - Domain Validation (DV)
    - Organization Validation (OV)
    - Extended Validation (EV)
  - Creating Your Own Self-Signed Certificate for Testing
    - Certificate setup
    - Server setup
    - Making secure requests to the server
- Asyncronous Cryptography
  - Use Case
  - Implementation Example
    - Step 1a: Generating keys without file storage
    - Step 1b: Generating keys with file storage
    - Step 2: Encrypting and signing a message
    - Step 3: Decrypting and signing a message
  - Advantages, Disadvantages, and Uses of Aynchronous Cryptography
- Synchronous Cryptography
  - Initialization Vector
  - Padding
  - Block Cipher Modes of Operation
  - Using AES with CTR Encryption Mode
  - Using AES with with GCM Authenticated Encryption Mode
  - Advantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
- On ES6/ES2015
- Setting Up Your Node.js Environment
- Managing Node Versions or Alternative Installations
- Installing the Express Generator
- Setting Up Express
- Creating and Maintaining Your package.json File
- Application Configuration
- Working with JSON/URL-Encoded Bodies in Express
Glossary
Index