Jonathan LeBlanc - Identity and Data Security for Web Development

by Jonathan LeBlanc and Tim Messerschmidt

Copyright 2016 Jonathan LeBlanc, Tim Messerschmidt. All rights reserved.

Printed in the United States of America.

Published by OReilly Media, Inc. , 1005 Gravenstein Highway North, Sebastopol, CA 95472.

OReilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

• Editor: Meg Foley
• Production Editor: Colleen Cole
• Copyeditor: Kim Cofer
• Proofreader: Sharon Wilkey
• Indexer: WordCo Indexing Services, Inc.
• Interior Designer: David Futato
• Cover Designer: Karen Montgomery
• Illustrator: Rebecca Demarest

• June 2016: First Edition

See http://oreilly.com/catalog/errata.csp?isbn=9781491937013 for release details.

The OReilly logo is a registered trademark of OReilly Media, Inc. Identity and Data Security for Web Development, the cover image, and related trade dress are trademarks of OReilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-93701-3

[LSI]

Companies Lose $400 Billion to Hackers Each Year

Inc. Magazine

A cybersecurity market report issued by Cybersecurity Ventures in Q4 of 2015 stated that cyber attacks are costing businesses between $400 and $500 billion a year. In the same thread, IT security spending is due to increase by 4.7% in 2015 to $75.4 billion USD, with an estimate that the world will spend upward of $101 billion in information security in 2018, and grow to $170 billion in 2020. Therefore, a cybersecurity workforce shortage of 1.5 million people is projected by 2019, as demand is expected to rise to 6 million that year.

As web and application developers, designers, engineers, and creators, we are no longer living in an age where we can offload the knowledge of identity and data security to someone else. By not understanding how to properly obscure data in transmission, a web developer can unwittingly open up a security flaw on a site. A project manager can cause a major attack vector to open up in an application by not understanding that previously secure password algorithms have been shown to now include flaws, and by not prioritizing the work on rehashing the database of user records. It is now the business of every person working on a system to take part in ensuring that users and data are protected.

Despite this awareness, it seems like every week we have new cases of companies, from startups to massive corporations, losing privileged user information, credit card data, medical records, and many other pieces of information that they are entrusted to protect. It has come to light that many of these same organizations never took the time to encrypt data properly, storing everything in plain text, just waiting for some hacker to abuse it.

The true problem is that hacking is no longer just the business of individuals wanting to prove that they can breach a system; it is now a realm of organized businesses, hacking for money or to damage the business.

This is where this text comes in. As we explore each chapter and concept, youll learn how to plug holes in existing systems, protect against viable attack vectors, and work in environments that are sometimes naturally insecure. Well look at concepts such as the following:

• Understanding the state of web and application security

• Building security password encryption, and combating password attack vectors

• Creating digital fingerprints to identify users through browser, device, and paired-device detection

• Building secure data transmission systems through OAuth and OpenID Connect

• Using alternate methods of identification for a second factor of authentication

• Hardening your web applications against attack

• Creating a secure data transmission system using SSL/TLS and synchronous and asynchronous cryptography

In the end, youll have a comprehensive understanding of the current state of identity and data security, knowing how to protect yourself against potential attacks, and protect our users from having the data that they entrusted to you compromised.