Identity and Data Security for Web Development
by Jonathan LeBlanc and Tim Messerschmidt
Copyright 2016 Jonathan LeBlanc, Tim Messerschmidt. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Editor: Meg Foley
- Production Editor: Colleen Cole
- Copyeditor: Kim Cofer
- Proofreader: Sharon Wilkey
- Indexer: WordCo Indexing Services, Inc.
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Rebecca Demarest
Revision History for the First Edition
- 2016-06-03: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491937013 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Identity and Data Security for Web Development, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-93701-3
[LSI]
Preface
Companies Lose $400 Billion to Hackers Each Year
Inc. Magazine
A cybersecurity market report issued by Cybersecurity Ventures in Q4 of 2015 stated that cyber attacks are costing businesses between $400 and $500 billion a year. The same report projected IT security spending to increase by 4.7% in 2015 to $75.4 billion USD, with the world expected to spend upward of $101 billion on information security in 2018, growing to $170 billion in 2020. Alongside that spending, a cybersecurity workforce shortage of 1.5 million people is projected by 2019, as demand is expected to rise to 6 million positions that year.
As web and application developers, designers, engineers, and creators, we are no longer living in an age where we can offload the knowledge of identity and data security to someone else. By not understanding how to properly obscure data in transmission, a web developer can unwittingly open up a security flaw on a site. A project manager can cause a major attack vector to open up in an application by not understanding that previously secure password algorithms have been shown to now include flaws, and by not prioritizing the work on rehashing the database of user records. It is now the business of every person working on a system to take part in ensuring that users and data are protected.
Despite this awareness, it seems like every week we have new cases of companies, from startups to massive corporations, losing privileged user information, credit card data, medical records, and many other pieces of information that they are entrusted to protect. It has come to light that many of these same organizations never took the time to encrypt data properly, storing everything in plain text, just waiting for some hacker to abuse it.
The true problem is that hacking is no longer just the business of individuals wanting to prove that they can breach a system; it is now a realm of organized businesses, hacking for money or to damage the business.
This is where this text comes in. As we explore each chapter and concept, you'll learn how to plug holes in existing systems, protect against viable attack vectors, and work in environments that are sometimes naturally insecure. We'll look at concepts such as the following:
Understanding the state of web and application security
Building secure password hashing and storage, and combating password attack vectors
Creating digital fingerprints to identify users through browser, device, and paired-device detection
Building secure data transmission systems through OAuth and OpenID Connect
Using alternate methods of identification for a second factor of authentication
Hardening your web applications against attack
Creating a secure data transmission system using SSL/TLS and symmetric and asymmetric cryptography
In the end, you'll have a comprehensive understanding of the current state of identity and data security, knowing how to protect yourself against potential attacks, and how to protect your users from having the data they entrusted to you compromised.
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, datatypes, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
Tip
This element signifies a tip or suggestion.
Note
This element signifies a general note.
Warning
This element indicates a warning or caution.
Safari Books Online
Note
Safari Books Online is an on-demand digital library that delivers expert content in both book and video form from the world's leading authors in technology and business.
Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.
Safari Books Online offers a range of plans and pricing for enterprise, government, education, and individuals.
Members have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O'Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and hundreds more. For more information about Safari Books Online, please visit us online.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
- O'Reilly Media, Inc.
- 1005 Gravenstein Highway North
- Sebastopol, CA 95472
- 800-998-9938 (in the United States or Canada)
- 707-829-0515 (international or local)
- 707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://bit.ly/identity-and-data-security