Security for Web Developers. Using JavaScript, HTML, and CSS John Paul Mueller

Spis treści książki

• Preface
  • About This Book
  • What You Need to Know
  • Development Environment Considerations
  • Icons Used in This Book
  • Conventions Used in This Book
  • Where to Get More Information
  • Using Code Examples
  • Safari Books Online
  • How to Contact Us
  • Acknowledgments
• I. Developing a Security Plan
• 1. Defining the Application Environment
  • Specifying Web Application Threats
  • Understanding Software Security Assurance (SSA)
    • Considering the OSSAP
    • Defining SSA Requirements
    • Categorizing Data and Resources
    • Performing the Required Analysis
      • Logic
      • Data
      • Interface
      • Constraint
  • Delving into Language-Specific Issues
    • Defining the Key HTML Issues
    • Defining the Key CSS Issues
    • Defining the Key JavaScript Issues
  • Considering Endpoint Defense Essentials
    • Preventing Security Breaches
    • Detecting Security Breaches
    • Remediating Broken Software
  • Dealing with Cloud Storage
  • Using External Code and Resources
    • Defining the Use of Libraries
    • Defining the Use of APIs
    • Defining the Use of Microservices
    • Accessing External Data
  • Allowing Access by Others
• 2. Embracing User Needs and Expectations
  • Developing a User View of the Application
  • Considering Bring Your Own Device (BYOD) Issues
    • Understanding Web-Based Application Security
    • Considering Native App Issues
    • Using Custom Browsers
    • Verifying Code Compatibility Issues
    • Handling Nearly Continuous Device Updates
  • Devising Password Alternatives
    • Working with Passphrases
    • Using Biometric Solutions
    • Relying on Key Cards
    • Relying on USB Keys
    • Implementing a Token Strategy
  • Focusing on User Expectations
    • Making the Application Easy to Use
    • Making the Application Fast
    • Creating a Reliable Environment
    • Keeping Security in Perspective
• 3. Getting Third-Party Assistance
  • Discovering Third-Party Security Solutions
  • Considering Cloud Security Solutions
    • Understanding Data Repositories
    • Dealing with File Sharing Issues
    • Considering Cloud Storage
  • Choosing Between Product Types
    • Working with Libraries
    • Accessing APIs
    • Considering Microservices
• II. Applying Successful Coding Practices
• 4. Developing Successful Interfaces
  • Assessing the User Interface
    • Creating a Clear Interface
    • Making Interfaces Flexible
    • Providing User Aids
    • Defining the Accessibility Issues
  • Providing Controlled Choices
  • Choosing a User Interface Solution Level
    • Implementing Standard HTML Controls
    • Working with CSS Controls
    • Creating Controls Using JavaScript
      • Relying on client controls
      • Relying on server controls
  • Validating the Input
    • Allowing Specific Input Only
    • Looking for Sneaky Inputs
    • Requesting New Input
    • Using Both Client-Side and Server-Side Validation
  • Expecting the Unexpected
• 5. Building Reliable Code
  • Differentiating Reliability and Security
    • Defining the Roles of Reliability and Security
    • Avoiding Security Holes in Reliable Code
    • Focusing on Application Functionality
  • Developing Team Protocols
  • Creating a Lessons Learned Feedback Loop
  • Considering Issues of Packaged Solutions
    • Dealing with External Libraries
    • Dealing with External APIs
    • Working with Frameworks
    • Calling into Microservices
• 6. Incorporating Libraries
  • Considering Library Uses
    • Enhancing CSS with Libraries
    • Interacting with HTML Using Libraries
    • Extending JavaScript with Libraries
  • Differentiating Between Internally Stored and Externally Stored Libraries
  • Defining the Security Threats Posed by Libraries
    • Enabling Strict Mode
    • Developing a Content Security Policy (CSP)
  • Incorporating Libraries Safely
    • Researching the Library Fully
    • Defining the Precise Library Uses
    • Keeping Library Size Small and Content Focused
    • Performing the Required Testing
  • Differentiating Between Libraries and Frameworks
• 7. Using APIs with Care
  • Differentiating Between APIs and Libraries
    • Considering the Differences in Popularity
    • Defining the Differences in Usage
  • Extending JavaScript Using APIs
    • Locating Appropriate APIs
    • Creating a Simple Example
  • Defining the Security Threats Posed by APIs
    • Ruining Your Good Name with MailPoet
    • Developing a Picture of the Snappening
    • Losing Your Device with Find My iPhone
    • Leaking Your Most Important Information with Heartbleed
    • Suffering from Shellshock
  • Accessing APIs Safely from JavaScript
    • Verifying API Security
    • Testing Inputs and Outputs
    • Keeping Data Localized and Secure
    • Coding Defensively
• 8. Considering the Use of Microservices
  • Defining Microservices
    • Specifying Microservice Characteristics
    • Differentiating Microservices and Libraries
    • Differentiating Microservices and APIs
    • Considering Microservice Politics
  • Making Microservice Calls Using JavaScript
    • Understanding the Role of REST in Communication
    • Transmitting Data Using JSON
    • Creating a Microservice Using Node.js and Seneca
  • Defining the Security Threats Posed by Microservices
    • Lack of Consistency
    • Considering the Role of the Virtual Machine
    • Using JSON for Data Transfers
      • Considering the dangers of eval()
      • Defending against cross-site request forgery
    • Defining Transport Layer Security
  • Creating Alternate Microservice Paths
• III. Creating Useful and Efficient Testing Strategies
• 9. Thinking Like a Hacker
  • Defining a Need for Web Security Scans
  • Building a Testing System
    • Considering the Test System Uses
    • Getting the Required Training
    • Creating the Right Environment
    • Using Virtual Machines
    • Getting the Tools
    • Configuring the System
    • Restoring the System
  • Defining the Most Common Breach Sources
    • Avoiding SQL Injection Attacks
    • Understanding Cross-Site Scripting
    • Tackling Denial-of-Service Issues
    • Nipping Predictable Resource Location
    • Overcoming Unintentional Information Disclosure
  • Testing in a BYOD Environment
    • Configuring a Remote Access Zone
    • Checking for Cross-Application Hacks
    • Dealing with Really Ancient Equipment and Software
  • Relying on User Testing
    • Letting the User Run Amok
    • Developing Reproducible Steps
    • Giving the User a Voice
  • Using Outside Security Testers
    • Considering the Penetration Testing Company
    • Managing the Project
    • Covering the Essentials
    • Getting the Report
• 10. Creating an API Safety Zone
  • Understanding the Concept of an API Safety Zone
  • Defining the Need for an API Safety Zone
    • Ensuring Your API Works
    • Enabling Rapid Development
    • Certifying the Best Possible Integration
      • Sandboxing integration testing
      • Virtualizing integration testing
      • Mocking for integration testing
      • Integrating using API virtualization
    • Verifying the API Behaves Under Load
    • Keeping the API Safe from Hackers
  • Developing with an API Sandbox
    • Using an Off-the-Shelf Solution
    • Using Other Vendors Sandboxes
  • Considering Virtual Environments
    • Defining the Virtual Environment
    • Differentiating Virtual Environments and Sandboxing
    • Implementing Virtualization
    • Relying on Application Virtualization
• 11. Checking Libraries and APIs for Holes
  • Creating a Testing Plan
    • Considering Goals and Objectives
      • Defining the goals
      • Testing performance
      • Testing usability
      • Testing platform type
      • Implementing testing principles
      • Understanding testing limitations
    • Testing Internal Libraries
    • Testing Internal APIs
    • Testing External Libraries
    • Testing External APIs
    • Extending Testing to Microservices
  • Testing Libraries and APIs Individually
    • Creating a Test Harness for Libraries
    • Creating Testing Scripts for APIs
    • Extending Testing Strategies to Microservices
    • Developing Response Strategies
      • Relying on direct results
      • Relying on mocked results
  • Performing Integration Testing
  • Testing for Language-Specific Issues
    • Devising Tests for HTML Issues
    • Devising Tests for CSS Issues
    • Devising Tests for JavaScript Issues
• 12. Using Third-Party Testing
  • Locating Third-Party Testing Services
    • Defining the Reasons for Hiring the Third Party
    • Considering the Range of Possible Testing Services
    • Ensuring the Third Party Is Legitimate
    • Interviewing the Third Party
    • Performing Tests on a Test Setup
  • Creating a Testing Plan
    • Specifying the Third-Party Goals in Testing
    • Generating a Written Test Plan
    • Enumerating the Test Output and Reporting Requirements
    • Considering Test Requirements
  • Implementing a Testing Plan
    • Determining Organizational Participation in Testing
    • Beginning the Testing Process
    • Performing Required Test Monitoring
    • Handling Unexpected Testing Issues
  • Using the Resulting Reports
    • Discussing the Report Output with the Third Party
    • Presenting the Report to the Organization
    • Acting on Testing Recommendations
• IV. Implementing a Maintenance Cycle
• 13. Clearly Defining Upgrade Cycles
  • Developing a Detailed Upgrade Cycle Plan
    • Looking for Upgrades
    • Determining Upgrade Requirements
    • Defining Upgrade Criticality
    • Checking Upgrades for Issues
    • Creating Test Scenarios
    • Implementing the Changes
  • Creating an Upgrade Testing Schedule
    • Performing the Required Pre-Testing
    • Performing the Required Integration Testing
  • Moving an Upgrade to Production
• 14. Considering Update Options
  • Differentiating Between Upgrades and Updates
  • Determining When to Update
    • Working Through Library Updates
      • Dealing with third-party library updates
      • Developing in-house library updates
    • Working Through API and Microservice Updates
      • Dealing with third-party API and microservice updates
      • Developing in-house API and microservice updates
    • Accepting Automatic Updates
  • Updating Language Suites
    • Creating a Supported Language List
    • Obtaining Reliable Language Specialists
    • Verifying the Language-Specific Prompts Work with the Application
    • Ensuring Data Appears in the Correct Format
    • Defining the Special Requirements for Language Support Testing
  • Performing Emergency Updates
    • Avoiding Emergencies When Possible
    • Creating a Fast Response Team
    • Performing Simplified Testing
    • Creating a Permanent Update Schedule
  • Creating an Update Testing Schedule
• 15. Considering the Need for Reports
  • Using Reports to Make Changes
    • Avoiding Useless Reports
    • Timing Reports to Upgrades and Updates
    • Using Automatically Generated Reports
    • Using Custom Reports
      • Developing reports by hand
      • Developing reports from readily available data sources
    • Creating Consistent Reports
    • Using Reports to Perform Specific Application Tasks
  • Creating Internal Reports
    • Determining Which Data Sources to Use
    • Specifying Report Uses
  • Relying on Externally Generated Reports
    • Obtaining Completed Reports from Third Parties
    • Developing Reports from Raw Data
    • Keeping Internal Data Secure
  • Providing for User Feedback
    • Obtaining User Feedback
    • Determining the Usability of User Feedback
• V. Locating Security Resources
• 16. Tracking Current Security Threats
  • Developing Sources for Security Threat Information
    • Reading Security-Related Articles by Experts
    • Checking Security Sites
    • Getting Input from Consultants
  • Avoiding Information Overload
  • Creating a Plan for Upgrades Based on Threats
    • Anticipating Situations that Require No Action at All
    • Deciding Between an Upgrade or an Update
    • Defining an Upgrade Plan
  • Creating a Plan for Updates Based on Threats
    • Verifying Updates Address Threats
    • Determining Whether the Threat Is an Emergency
    • Defining an Update Plan
    • Asking for Updates from Third Parties
• 17. Getting Required Training
  • Creating an In-House Security Training Plan
    • Defining Needed Training
    • Setting Reasonable Goals
    • Using In-House Trainers
    • Monitoring the Results
  • Obtaining Third-Party Training for Developers
    • Specifying the Training Requirements
    • Hiring a Third-Party Trainer for Your Organization
    • Using Online Schools
    • Relying on Training Centers
    • Using Local Colleges and Universities
  • Ensuring Users Are Security Aware
    • Making Security Training Specific
    • Combining Training with Written Guides
    • Creating and Using Alternative Security Reminders
    • Holding Training Effectiveness Checks
• Index

pokaż cały spis treści

ukryj recenzje