Security for Web Developers. Using JavaScript, HTML, and CSS - Helion
ISBN: 978-14-919-2870-7
stron: 384, Format: ebook
Data wydania: 2015-11-10
Księgarnia: Helion
Cena książki: 160,65 zł (poprzednio: 186,80 zł)
Oszczędzasz: 14% (-26,15 zł)
As a web developer, you may not want to spend time making your web app secure, but it definitely comes with the territory. This practical guide provides you with the latest information on how to thwart security threats at several levels, including new areas such as microservices. You’ll learn how to help protect your app no matter where it runs, from the latest smartphone to an older desktop, and everything in between.
Author John Paul Mueller delivers specific advice as well as several security programming examples for developers with a good knowledge of CSS3, HTML5, and JavaScript. In five separate sections, this book shows you how to protect against viruses, DDoS attacks, security breaches, and other nasty intrusions.
- Create a security plan for your organization that takes the latest devices and user needs into account
- Develop secure interfaces, and safely incorporate third-party code from libraries, APIs, and microservices
- Use sandboxing techniques, in-house and third-party testing techniques, and learn to think like a hacker
- Implement a maintenance cycle by determining when and how to update your application software
- Learn techniques for efficiently tracking security threats as well as training requirements that your organization can use
Osoby które kupowały "Security for Web Developers. Using JavaScript, HTML, and CSS", wybierały także:
- PHP 7.3. Kurs video. Tworzenie bezpiecznej strony typu e-commerce 118,97 zł, (35,69 zł -70%)
- Spring Security. Kurs video. Skuteczne metody zabezpieczeń aplikacji 69,00 zł, (27,60 zł -60%)
- Spring Security. Kurs video. Metody zabezpieczania aplikacji webowych 69,00 zł, (31,05 zł -55%)
- Cyberbezpieczeństwo w bashu. Jak za pomocą wiersza poleceń prowadzić działania zaczepne i obronne 69,00 zł, (34,50 zł -50%)
- Informatyka w kryminalistyce. Praktyczny przewodnik. Wydanie II 149,00 zł, (74,50 zł -50%)
Spis treści
Security for Web Developers. Using JavaScript, HTML, and CSS eBook -- spis treści
- Preface
- About This Book
- What You Need to Know
- Development Environment Considerations
- Icons Used in This Book
- Conventions Used in This Book
- Where to Get More Information
- Using Code Examples
- Safari Books Online
- How to Contact Us
- Acknowledgments
- I. Developing a Security Plan
- 1. Defining the Application Environment
- Specifying Web Application Threats
- Understanding Software Security Assurance (SSA)
- Considering the OSSAP
- Defining SSA Requirements
- Categorizing Data and Resources
- Performing the Required Analysis
- Logic
- Data
- Interface
- Constraint
- Delving into Language-Specific Issues
- Defining the Key HTML Issues
- Defining the Key CSS Issues
- Defining the Key JavaScript Issues
- Considering Endpoint Defense Essentials
- Preventing Security Breaches
- Detecting Security Breaches
- Remediating Broken Software
- Dealing with Cloud Storage
- Using External Code and Resources
- Defining the Use of Libraries
- Defining the Use of APIs
- Defining the Use of Microservices
- Accessing External Data
- Allowing Access by Others
- 2. Embracing User Needs and Expectations
- Developing a User View of the Application
- Considering Bring Your Own Device (BYOD) Issues
- Understanding Web-Based Application Security
- Considering Native App Issues
- Using Custom Browsers
- Verifying Code Compatibility Issues
- Handling Nearly Continuous Device Updates
- Devising Password Alternatives
- Working with Passphrases
- Using Biometric Solutions
- Relying on Key Cards
- Relying on USB Keys
- Implementing a Token Strategy
- Focusing on User Expectations
- Making the Application Easy to Use
- Making the Application Fast
- Creating a Reliable Environment
- Keeping Security in Perspective
- 3. Getting Third-Party Assistance
- Discovering Third-Party Security Solutions
- Considering Cloud Security Solutions
- Understanding Data Repositories
- Dealing with File Sharing Issues
- Considering Cloud Storage
- Choosing Between Product Types
- Working with Libraries
- Accessing APIs
- Considering Microservices
- II. Applying Successful Coding Practices
- 4. Developing Successful Interfaces
- Assessing the User Interface
- Creating a Clear Interface
- Making Interfaces Flexible
- Providing User Aids
- Defining the Accessibility Issues
- Providing Controlled Choices
- Choosing a User Interface Solution Level
- Implementing Standard HTML Controls
- Working with CSS Controls
- Creating Controls Using JavaScript
- Relying on client controls
- Relying on server controls
- Validating the Input
- Allowing Specific Input Only
- Looking for Sneaky Inputs
- Requesting New Input
- Using Both Client-Side and Server-Side Validation
- Expecting the Unexpected
- Assessing the User Interface
- 5. Building Reliable Code
- Differentiating Reliability and Security
- Defining the Roles of Reliability and Security
- Avoiding Security Holes in Reliable Code
- Focusing on Application Functionality
- Developing Team Protocols
- Creating a Lessons Learned Feedback Loop
- Considering Issues of Packaged Solutions
- Dealing with External Libraries
- Dealing with External APIs
- Working with Frameworks
- Calling into Microservices
- Differentiating Reliability and Security
- 6. Incorporating Libraries
- Considering Library Uses
- Enhancing CSS with Libraries
- Interacting with HTML Using Libraries
- Extending JavaScript with Libraries
- Differentiating Between Internally Stored and Externally Stored Libraries
- Defining the Security Threats Posed by Libraries
- Enabling Strict Mode
- Developing a Content Security Policy (CSP)
- Incorporating Libraries Safely
- Researching the Library Fully
- Defining the Precise Library Uses
- Keeping Library Size Small and Content Focused
- Performing the Required Testing
- Differentiating Between Libraries and Frameworks
- Considering Library Uses
- 7. Using APIs with Care
- Differentiating Between APIs and Libraries
- Considering the Differences in Popularity
- Defining the Differences in Usage
- Extending JavaScript Using APIs
- Locating Appropriate APIs
- Creating a Simple Example
- Defining the Security Threats Posed by APIs
- Ruining Your Good Name with MailPoet
- Developing a Picture of the Snappening
- Losing Your Device with Find My iPhone
- Leaking Your Most Important Information with Heartbleed
- Suffering from Shellshock
- Accessing APIs Safely from JavaScript
- Verifying API Security
- Testing Inputs and Outputs
- Keeping Data Localized and Secure
- Coding Defensively
- Differentiating Between APIs and Libraries
- 8. Considering the Use of Microservices
- Defining Microservices
- Specifying Microservice Characteristics
- Differentiating Microservices and Libraries
- Differentiating Microservices and APIs
- Considering Microservice Politics
- Making Microservice Calls Using JavaScript
- Understanding the Role of REST in Communication
- Transmitting Data Using JSON
- Creating a Microservice Using Node.js and Seneca
- Defining the Security Threats Posed by Microservices
- Lack of Consistency
- Considering the Role of the Virtual Machine
- Using JSON for Data Transfers
- Considering the dangers of eval()
- Defending against cross-site request forgery
- Defining Transport Layer Security
- Creating Alternate Microservice Paths
- Defining Microservices
- III. Creating Useful and Efficient Testing Strategies
- 9. Thinking Like a Hacker
- Defining a Need for Web Security Scans
- Building a Testing System
- Considering the Test System Uses
- Getting the Required Training
- Creating the Right Environment
- Using Virtual Machines
- Getting the Tools
- Configuring the System
- Restoring the System
- Defining the Most Common Breach Sources
- Avoiding SQL Injection Attacks
- Understanding Cross-Site Scripting
- Tackling Denial-of-Service Issues
- Nipping Predictable Resource Location
- Overcoming Unintentional Information Disclosure
- Testing in a BYOD Environment
- Configuring a Remote Access Zone
- Checking for Cross-Application Hacks
- Dealing with Really Ancient Equipment and Software
- Relying on User Testing
- Letting the User Run Amok
- Developing Reproducible Steps
- Giving the User a Voice
- Using Outside Security Testers
- Considering the Penetration Testing Company
- Managing the Project
- Covering the Essentials
- Getting the Report
- 10. Creating an API Safety Zone
- Understanding the Concept of an API Safety Zone
- Defining the Need for an API Safety Zone
- Ensuring Your API Works
- Enabling Rapid Development
- Certifying the Best Possible Integration
- Sandboxing integration testing
- Virtualizing integration testing
- Mocking for integration testing
- Integrating using API virtualization
- Verifying the API Behaves Under Load
- Keeping the API Safe from Hackers
- Developing with an API Sandbox
- Using an Off-the-Shelf Solution
- Using Other Vendors Sandboxes
- Considering Virtual Environments
- Defining the Virtual Environment
- Differentiating Virtual Environments and Sandboxing
- Implementing Virtualization
- Relying on Application Virtualization
- 11. Checking Libraries and APIs for Holes
- Creating a Testing Plan
- Considering Goals and Objectives
- Defining the goals
- Testing performance
- Testing usability
- Testing platform type
- Implementing testing principles
- Understanding testing limitations
- Testing Internal Libraries
- Testing Internal APIs
- Testing External Libraries
- Testing External APIs
- Extending Testing to Microservices
- Considering Goals and Objectives
- Testing Libraries and APIs Individually
- Creating a Test Harness for Libraries
- Creating Testing Scripts for APIs
- Extending Testing Strategies to Microservices
- Developing Response Strategies
- Relying on direct results
- Relying on mocked results
- Performing Integration Testing
- Testing for Language-Specific Issues
- Devising Tests for HTML Issues
- Devising Tests for CSS Issues
- Devising Tests for JavaScript Issues
- Creating a Testing Plan
- 12. Using Third-Party Testing
- Locating Third-Party Testing Services
- Defining the Reasons for Hiring the Third Party
- Considering the Range of Possible Testing Services
- Ensuring the Third Party Is Legitimate
- Interviewing the Third Party
- Performing Tests on a Test Setup
- Creating a Testing Plan
- Specifying the Third-Party Goals in Testing
- Generating a Written Test Plan
- Enumerating the Test Output and Reporting Requirements
- Considering Test Requirements
- Implementing a Testing Plan
- Determining Organizational Participation in Testing
- Beginning the Testing Process
- Performing Required Test Monitoring
- Handling Unexpected Testing Issues
- Using the Resulting Reports
- Discussing the Report Output with the Third Party
- Presenting the Report to the Organization
- Acting on Testing Recommendations
- Locating Third-Party Testing Services
- IV. Implementing a Maintenance Cycle
- 13. Clearly Defining Upgrade Cycles
- Developing a Detailed Upgrade Cycle Plan
- Looking for Upgrades
- Determining Upgrade Requirements
- Defining Upgrade Criticality
- Checking Upgrades for Issues
- Creating Test Scenarios
- Implementing the Changes
- Creating an Upgrade Testing Schedule
- Performing the Required Pre-Testing
- Performing the Required Integration Testing
- Moving an Upgrade to Production
- Developing a Detailed Upgrade Cycle Plan
- 14. Considering Update Options
- Differentiating Between Upgrades and Updates
- Determining When to Update
- Working Through Library Updates
- Dealing with third-party library updates
- Developing in-house library updates
- Working Through API and Microservice Updates
- Dealing with third-party API and microservice updates
- Developing in-house API and microservice updates
- Accepting Automatic Updates
- Working Through Library Updates
- Updating Language Suites
- Creating a Supported Language List
- Obtaining Reliable Language Specialists
- Verifying the Language-Specific Prompts Work with the Application
- Ensuring Data Appears in the Correct Format
- Defining the Special Requirements for Language Support Testing
- Performing Emergency Updates
- Avoiding Emergencies When Possible
- Creating a Fast Response Team
- Performing Simplified Testing
- Creating a Permanent Update Schedule
- Creating an Update Testing Schedule
- 15. Considering the Need for Reports
- Using Reports to Make Changes
- Avoiding Useless Reports
- Timing Reports to Upgrades and Updates
- Using Automatically Generated Reports
- Using Custom Reports
- Developing reports by hand
- Developing reports from readily available data sources
- Creating Consistent Reports
- Using Reports to Perform Specific Application Tasks
- Creating Internal Reports
- Determining Which Data Sources to Use
- Specifying Report Uses
- Relying on Externally Generated Reports
- Obtaining Completed Reports from Third Parties
- Developing Reports from Raw Data
- Keeping Internal Data Secure
- Providing for User Feedback
- Obtaining User Feedback
- Determining the Usability of User Feedback
- Using Reports to Make Changes
- V. Locating Security Resources
- 16. Tracking Current Security Threats
- Developing Sources for Security Threat Information
- Reading Security-Related Articles by Experts
- Checking Security Sites
- Getting Input from Consultants
- Avoiding Information Overload
- Creating a Plan for Upgrades Based on Threats
- Anticipating Situations that Require No Action at All
- Deciding Between an Upgrade or an Update
- Defining an Upgrade Plan
- Creating a Plan for Updates Based on Threats
- Verifying Updates Address Threats
- Determining Whether the Threat Is an Emergency
- Defining an Update Plan
- Asking for Updates from Third Parties
- Developing Sources for Security Threat Information
- 17. Getting Required Training
- Creating an In-House Security Training Plan
- Defining Needed Training
- Setting Reasonable Goals
- Using In-House Trainers
- Monitoring the Results
- Obtaining Third-Party Training for Developers
- Specifying the Training Requirements
- Hiring a Third-Party Trainer for Your Organization
- Using Online Schools
- Relying on Training Centers
- Using Local Colleges and Universities
- Ensuring Users Are Security Aware
- Making Security Training Specific
- Combining Training with Written Guides
- Creating and Using Alternative Security Reminders
- Holding Training Effectiveness Checks
- Creating an In-House Security Training Plan
- Index