John Paul Mueller - Security for Web Developers: Using JavaScript, HTML, and CSS


  • Book: Security for Web Developers: Using JavaScript, HTML, and CSS
  • Author: John Paul Mueller
  • Publisher: O'Reilly Media
  • Genre: Computer
  • Year: 2015

Security for Web Developers: Using JavaScript, HTML, and CSS: summary, description and annotation


Some books give you good advice, but only about part of the security problem. Others provide solutions so generic that they aren't truly useful. Unfortunately, attacking only part of the problem leaves you open to hacking or other security issues. And general advice no longer meets current security needs.

This practical book provides specific advice for the HTML5, JavaScript, and CSS developer on all areas of security, including new areas not found in any other book, such as microservices. You'll get a complete view of the security changes needed to protect an application and keep its data safe.

  • Understand the real sources of threats to web applications
  • Learn how to use new technologies such as microservices in a safe manner
  • Get detailed information on third-party APIs, libraries, microservices, and other sources of code that you rely on
  • Find solutions that help make the problems smaller, more manageable, and fixable at specific stages of application development

Part I. Developing a Security Plan

Defining the Application Environment

Data is the most important resource that any business owns. It's literally possible to replace any part of a business except the data. When the data is modified, corrupted, stolen, or deleted, a business can suffer serious loss. In fact, a business that has enough go wrong with its data can simply cease to exist. The focus of security, therefore, is not hackers, applications, networks, or anything else someone might have told you: it's data. Therefore, this book is about data security, which encompasses a broad range of other topics, but it's important to get right to the point of what you're really looking to protect when you read about these other topics.

Unfortunately, data isn't much use sitting alone in the dark. No matter how fancy your server is, no matter how capable the database that holds the data, the data isn't worth much until you do something with it. The need to manage data brings applications into the picture, and the use of applications to manage data is why this introductory chapter talks about the application environment.

However, before you go any further, it's important to decide precisely how applications and data interact, because the rest of the chapter isn't very helpful without this insight. An application performs just four operations on data, no matter how incredibly complex the application might become. You can define these operations by the CRUD acronym:

  • Create
  • Read
  • Update
  • Delete

The sections that follow discuss data, applications, and CRUD as they relate to the web environment. You discover how security affects all three aspects of web development, keeping in mind that even though data is the focus, the application performs the required CRUD tasks. Keeping your data safe means understanding the application environment and therefore the threats to the data the application manages.

Specifying Web Application Threats

You can find lists of web application threats all over the Internet. Some of the lists are quite complete and don't necessarily have a bias, some address what the author feels are the most important threats, some lists tell you about the most commonly occurring threats, and you can find all sorts of other lists out there. The problem with all these lists is that the author doesn't know your application. A SQL injection attack is only useful if your application uses SQL in some way; perhaps it doesn't.

Obviously, you need to get ideas on what to check from somewhere, and these lists do make a good starting place. However, you need to consider the list content in light of your application. In addition, don't rely on just one list; use multiple lists so that you obtain better coverage of the threats that could possibly affect your application. With this need in mind, here is a list of the most common threats you see with web applications today:

Buffer Overflow: An attacker manages to send enough data in an input buffer to overflow an application or output buffer. As a result, memory outside the buffer becomes corrupted. Some forms of buffer overflow allow the attacker to perform seemingly impossible tasks because the affected memory contains executable code. The best way to overcome this problem is to perform range and size checks on any data, input or output, that your application handles.

Code Injection: An entity adds code to the data stream flowing between a server and a client (such as a browser). The target often views the added code as part of the original page, but it could contain anything. Of course, the target may not even see the injected code. It might be lurking in the background ready to cause all sorts of problems for your application. A good way to overcome this attack is to ensure you use encrypted data streams, the HTTPS protocol, and code verification (when possible). Providing a client feedback mechanism is also a good idea.

Code injection occurs more often than you might think. In some cases, the code injection isn't even part of an attack, but it might as well be. A recent article (see http://www.infoworld.com/article/2925839/netneutrality/code-injection-new-low-isps.html) discusses how Internet Service Providers (ISPs) are injecting JavaScript code into the data stream in order to overlay ads on top of a page. In order to determine what sort of ad to provide, the ISP also monitors the traffic.

Cross-site Scripting (XSS): An attacker injects JavaScript or other executable code into the output stream of your application. The recipient sees your application as the source of the infection, even when it isn't. In most cases, you don't want to allow users to send data directly to each other through your application without strict verification. A moderated format for applications such as blogs is a must to ensure your application doesn't end up serving viruses or worse along with seemingly benign data.

Few experts remind you to check your output data. However, you don't actually know that your own application is trustworthy. A hacker could modify it to allow tainted output data. Verification checks should include output data as well as input data.
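The output-side verification the two paragraphs above call for, as an added example written for this page rather than taken from the book: a stored comment is rendered once without escaping and once with escaping, and a coarse output check flags raw markup. The comment template, the `escapeHtml` helper and the hostile sample values are all constructed here.

```javascript
// Added example (not the book's code): escape untrusted values at the moment
// they are written into HTML, then check the rendered output as well.

// Characters that can change HTML structure in text or quoted-attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: stored data is trusted and concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Hardened form: every dynamic value is escaped for the context it lands in.
// Data that reached the store unchecked, or was altered afterwards, is still
// neutralised here because the escaping happens on output.
function renderComment(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(body)}</p></div>`;
}

// Output-side check: after removing the tags the template itself emits, no raw
// angle brackets may remain. A coarse guard that catches injected elements.
const TEMPLATE_TAGS = /<\/?(?:div|p)\b[^>]*>/g;
function outputLooksClean(html) {
  return !/[<>]/.test(html.replace(TEMPLATE_TAGS, ""));
}

// Constructed hostile values, standing in for rows read back from a database.
const STORED_AUTHOR = 'x" onmouseover="alert(1)';
const STORED_BODY = "<script>alert(1)</script>";
```

The output check only spots injected elements; it does not inspect attributes inside the template's own tags, so escaping at the point of output remains the primary control.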

File Uploads: Every file upload, even those that might seem otherwise innocuous, is suspect. If possible, disallow file uploads to your server. Of course, it isn't always possible to provide this level of security, so you need to allow just certain types of file and then scan the file for problems. Authenticating the file as much as is possible is always a good idea. For example, some files contain a signature at the beginning that you can use to ensure the file is legitimate. Don't rely on file extension exclusion alone; hackers often make one file look like another type in order to bypass server security.
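The signature check described above, as an added example written for this page and not taken from the book: the declared extension must be on an allow list, and the file's leading bytes must match the published signature for that type. The four-type allow list, the `verifyUpload` helper and the sample buffers are constructed for the example.

```javascript
// Added example (not the book's code): accept an upload only when its declared
// type is on an allow list and the leading bytes match that type's signature.
// The byte values are the published file signatures for PNG, JPEG, GIF and PDF.
const SIGNATURES = {
  png: [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  jpg: [[0xff, 0xd8, 0xff]],
  gif: [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],   // "GIF87a"
        [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],  // "GIF89a"
  pdf: [[0x25, 0x50, 0x44, 0x46, 0x2d]],        // "%PDF-"
};

function extensionOf(filename) {
  const m = /\.([a-z0-9]+)$/i.exec(filename);
  return m ? m[1].toLowerCase() : "";
}

function startsWith(bytes, signature) {
  return bytes.length >= signature.length && signature.every((b, i) => bytes[i] === b);
}

// Returns the verified type key, or null when the file must be rejected:
// unknown extension, or an extension whose signature the content does not carry.
function verifyUpload(filename, bytes) {
  const ext = extensionOf(filename);
  const key = ext === "jpeg" ? "jpg" : ext;
  const signatures = SIGNATURES[key];
  if (!signatures) return null;                      // not on the allow list
  return signatures.some((sig) => startsWith(bytes, sig)) ? key : null;
}

// Constructed samples: a genuine PNG header, and an HTML document renamed to .png.
const REAL_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
                              0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const FAKE_PNG = Buffer.from("<html><script>alert(1)</script></html>", "utf8");
```

A matching signature only shows that the header is plausible; the text's advice to scan the accepted file for problems still applies.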

Hard Coded Authentication: Developers often place authentication information in application initialization files for testing purposes. It's essential to remove these hard-coded authentication entries and rely on a centralized data store for security information instead. Keeping the data store in a secure location, off the server used for web applications, is essential to ensuring that hackers can't simply view the credentials used to access the application in certain ways. If you do need initialization files for the application, make sure these files reside outside the webroot directory to ensure that hackers can't discover them accidentally.

Hidden or Restricted File/Directory Discovery: When your application allows input of special characters such as the forward slash (/) or backslash (\), it's possible for a hacker to discover hidden or restricted files and directories. These locations can contain all sorts of information that a hacker can find useful in attacking your system. Disallowing use of special characters whenever possible is a great idea. In addition, store critical files outside the webroot directory in locations that the operating system can control directly.

Missing or Incorrect Authentication: It's important to know whom you're dealing with, especially when working with sensitive data. Many web applications rely on common accounts for some tasks, which means it's impossible to know who has accessed the account. Avoid using guest accounts for any purpose and assign each user a specific account to use.

Missing or Incorrect Authorization: Even if you know the person you're dealing with, it's important to provide only the level of authorization needed to perform a given task. In addition, the authorization should reflect the user's method of access. A desktop system accessing the application from the local network is likely more secure than a smartphone accessing the application from the local coffee shop. Relying on security promotion to assist in sensitive tasks lets you maintain minimal rights the rest of the time. Anything you can do to reduce what the user is authorized to do helps maintain a secure environment.
