Balyan Blog

Security for Web Developers - Using JavaScript, HTML, and CSS

Introducing the book "Security for Web Developers - Using JavaScript, HTML, and CSS" by John Paul Mueller, published by O'Reilly Media in 2015. The book is offered as a PDF, in English. "Security for Web Developers - Using JavaScript, HTML, and CSS" is filed under the Uncategorized category.

As a web developer, you may not want to spend time making your web app secure, but it definitely comes with the territory. This practical guide provides you with the latest information on how to thwart security threats at several levels, including new areas such as microservices. You'll learn how to help protect your app no matter where it runs, from the latest smartphone to an older desktop, and everything in between.

Author John Paul Mueller delivers specific advice as well as several security programming examples for developers with a good knowledge of CSS3, HTML5, and JavaScript. In five separate sections, this book shows you how to:

- Create a security plan for your organization that takes the latest devices and user needs into account
- Develop secure interfaces, and safely incorporate third-party code from libraries, APIs, and microservices
- Use sandboxing techniques, in-house and third-party testing techniques, and learn to think like a hacker
- Implement a maintenance cycle by determining when and how to update your application software
- Learn techniques for efficiently tracking security threats as well as training requirements that your organization can use

The book shows you how to protect against viruses, DDoS attacks, security breaches, and other nasty intrusions.

About the Author

John Paul Mueller is a technical editor and freelance author who has written on topics ranging from database management to heads-down programming, from networking to artificial intelligence. He is the author of Start Here!™ Learn Microsoft Visual C#® 2010.

Table of Contents (page numbers refer to the book)

Copyright (4)
Table of Contents (7)
Preface (17)
  About This Book (17)
  What You Need to Know (19)
  Development Environment Considerations (19)
  Icons Used in This Book (20)
  Conventions Used in This Book (20)
  Where to Get More Information (21)
  Using Code Examples (21)
  Safari® Books Online (22)
  How to Contact Us (22)
  Acknowledgments (23)

Part I. Developing a Security Plan (25)

Chapter 1. Defining the Application Environment (27)
  Specifying Web Application Threats (28)
  Understanding Software Security Assurance (SSA) (33)
  Considering the OSSAP (33)
  Defining SSA Requirements (35)
  Categorizing Data and Resources (36)
  Performing the Required Analysis (37)
  Delving into Language-Specific Issues (40)
  Defining the Key HTML Issues (40)
  Defining the Key CSS Issues (41)
  Defining the Key JavaScript Issues (42)
  Considering Endpoint Defense Essentials (43)
  Preventing Security Breaches (43)
  Detecting Security Breaches (44)
  Remediating Broken Software (45)
  Dealing with Cloud Storage (46)
  Using External Code and Resources (48)
  Defining the Use of Libraries (48)
  Defining the Use of APIs (50)
  Defining the Use of Microservices (51)
  Accessing External Data (53)
  Allowing Access by Others (54)

Chapter 2. Embracing User Needs and Expectations (57)
  Developing a User View of the Application (57)
  Considering Bring Your Own Device (BYOD) Issues (59)
  Understanding Web-Based Application Security (60)
  Considering Native App Issues (61)
  Using Custom Browsers (62)
  Verifying Code Compatibility Issues (64)
  Handling Nearly Continuous Device Updates (67)
  Devising Password Alternatives (68)
  Working with Passphrases (69)
  Using Biometric Solutions (70)
  Relying on Key Cards (72)
  Relying on USB Keys (73)
  Implementing a Token Strategy (74)
  Focusing on User Expectations (75)
  Making the Application Easy to Use (75)
  Making the Application Fast (75)
  Creating a Reliable Environment (76)
  Keeping Security in Perspective (76)

Chapter 3. Getting Third-Party Assistance (79)
  Discovering Third-Party Security Solutions (80)
  Considering Cloud Security Solutions (82)
  Understanding Data Repositories (83)
  Dealing with File Sharing Issues (85)
  Considering Cloud Storage (88)
  Choosing Between Product Types (89)
  Working with Libraries (90)
  Accessing APIs (91)
  Considering Microservices (92)

Part II. Applying Successful Coding Practices (95)

Chapter 4. Developing Successful Interfaces (97)
  Assessing the User Interface (98)
  Creating a Clear Interface (98)
  Making Interfaces Flexible (101)
  Providing User Aids (104)
  Defining the Accessibility Issues (105)
  Providing Controlled Choices (108)
  Choosing a User Interface Solution Level (112)
  Implementing Standard HTML Controls (112)
  Working with CSS Controls (112)
  Creating Controls Using JavaScript (115)
  Validating the Input (116)
  Allowing Specific Input Only (116)
  Looking for Sneaky Inputs (117)
  Requesting New Input (118)
  Using Both Client-Side and Server-Side Validation (118)
  Expecting the Unexpected (119)

Chapter 5. Building Reliable Code (121)
  Differentiating Reliability and Security (122)
  Defining the Roles of Reliability and Security (123)
  Avoiding Security Holes in Reliable Code (126)
  Focusing on Application Functionality (127)
  Developing Team Protocols (128)
  Creating a Lessons Learned Feedback Loop (131)
  Considering Issues of Packaged Solutions (133)
  Dealing with External Libraries (133)
  Dealing with External APIs (135)
  Working with Frameworks (137)
  Calling into Microservices (140)

Chapter 6. Incorporating Libraries (143)
  Considering Library Uses (144)
  Enhancing CSS with Libraries (144)
  Interacting with HTML Using Libraries (147)
  Extending JavaScript with Libraries (149)
  Differentiating Between Internally Stored and Externally Stored Libraries (151)
  Defining the Security Threats Posed by Libraries (152)
  Enabling Strict Mode (154)
  Developing a Content Security Policy (CSP) (157)
  Incorporating Libraries Safely (158)
  Researching the Library Fully (159)
  Defining the Precise Library Uses (160)
  Keeping Library Size Small and Content Focused (160)
  Performing the Required Testing (162)
  Differentiating Between Libraries and Frameworks (162)

Chapter 7. Using APIs with Care (167)
  Differentiating Between APIs and Libraries (168)
  Considering the Differences in Popularity (168)
  Defining the Differences in Usage (169)
  Extending JavaScript Using APIs (171)
  Locating Appropriate APIs (171)
  Creating a Simple Example (172)
  Defining the Security Threats Posed by APIs (177)
  Ruining Your Good Name with MailPoet (177)
  Developing a Picture of the Snappening (178)
  Losing Your Device with Find My iPhone (179)
  Leaking Your Most Important Information with Heartbleed (179)
  Suffering from Shellshock (180)
  Accessing APIs Safely from JavaScript (180)
  Verifying API Security (180)
  Testing Inputs and Outputs (181)
  Keeping Data Localized and Secure (182)
  Coding Defensively (183)

Chapter 8. Considering the Use of Microservices (185)
  Defining Microservices (186)
  Specifying Microservice Characteristics (186)
  Differentiating Microservices and Libraries (187)
  Differentiating Microservices and APIs (188)
  Considering Microservice Politics (188)
  Making Microservice Calls Using JavaScript (190)
  Understanding the Role of REST in Communication (191)
  Transmitting Data Using JSON (192)
  Creating a Microservice Using Node.js and Seneca (193)
  Defining the Security Threats Posed by Microservices (195)
  Lack of Consistency (196)
  Considering the Role of the Virtual Machine (196)
  Using JSON for Data Transfers (197)
  Defining Transport Layer Security (199)
  Creating Alternate Microservice Paths (200)

Part III. Creating Useful and Efficient Testing Strategies (201)

Chapter 9. Thinking Like a Hacker (203)
  Defining a Need for Web Security Scans (204)
  Building a Testing System (208)
  Considering the Test System Uses (208)
  Getting the Required Training (209)
  Creating the Right Environment (210)
  Using Virtual Machines (210)
  Getting the Tools (211)
  Configuring the System (212)
  Restoring the System (212)
  Defining the Most Common Breach Sources (213)
  Avoiding SQL Injection Attacks (214)
  Understanding Cross-Site Scripting (215)
  Tackling Denial-of-Service Issues (216)
  Nipping Predictable Resource Location (217)
  Overcoming Unintentional Information Disclosure (217)
  Testing in a BYOD Environment (218)
  Configuring a Remote Access Zone (219)
  Checking for Cross-Application Hacks (220)
  Dealing with Really Ancient Equipment and Software (221)
  Relying on User Testing (222)
  Letting the User Run Amok (222)
  Developing Reproducible Steps (223)
  Giving the User a Voice (224)
  Using Outside Security Testers (224)
  Considering the Penetration Testing Company (225)
  Managing the Project (226)
  Covering the Essentials (226)
  Getting the Report (227)

Chapter 10. Creating an API Safety Zone (229)
  Understanding the Concept of an API Safety Zone (230)
  Defining the Need for an API Safety Zone (231)
  Ensuring Your API Works (232)
  Enabling Rapid Development (232)
  Certifying the Best Possible Integration (233)
  Verifying the API Behaves Under Load (240)
  Keeping the API Safe from Hackers (241)
  Developing with an API Sandbox (241)
  Using an Off-the-Shelf Solution (243)
  Using Other Vendors’ Sandboxes (245)
  Considering Virtual Environments (247)
  Defining the Virtual Environment (247)
  Differentiating Virtual Environments and Sandboxing (248)
  Implementing Virtualization (249)
  Relying on Application Virtualization (249)

Chapter 11. Checking Libraries and APIs for Holes (251)
  Creating a Testing Plan (252)
  Considering Goals and Objectives (253)
  Testing Internal Libraries (261)
  Testing Internal APIs (262)
  Testing External Libraries (262)
  Testing External APIs (263)
  Extending Testing to Microservices (264)
  Testing Libraries and APIs Individually (264)
  Creating a Test Harness for Libraries (264)
  Creating Testing Scripts for APIs (265)
  Extending Testing Strategies to Microservices (266)
  Developing Response Strategies (266)
  Performing Integration Testing (267)
  Testing for Language-Specific Issues (268)
  Devising Tests for HTML Issues (269)
  Devising Tests for CSS Issues (269)
  Devising Tests for JavaScript Issues (270)

Chapter 12. Using Third-Party Testing (273)
  Locating Third-Party Testing Services (274)
  Defining the Reasons for Hiring the Third Party (274)
  Considering the Range of Possible Testing Services (276)
  Ensuring the Third Party Is Legitimate (278)
  Interviewing the Third Party (279)
  Performing Tests on a Test Setup (279)
  Creating a Testing Plan (279)
  Specifying the Third-Party Goals in Testing (280)
  Generating a Written Test Plan (280)
  Enumerating the Test Output and Reporting Requirements (281)
  Considering Test Requirements (281)
  Implementing a Testing Plan (282)
  Determining Organizational Participation in Testing (282)
  Beginning the Testing Process (283)
  Performing Required Test Monitoring (283)
  Handling Unexpected Testing Issues (284)
  Using the Resulting Reports (284)
  Discussing the Report Output with the Third Party (284)
  Presenting the Report to the Organization (285)
  Acting on Testing Recommendations (286)

Part IV. Implementing a Maintenance Cycle (287)

Chapter 13. Clearly Defining Upgrade Cycles (289)
  Developing a Detailed Upgrade Cycle Plan (289)
  Looking for Upgrades (291)
  Determining Upgrade Requirements (292)
  Defining Upgrade Criticality (294)
  Checking Upgrades for Issues (296)
  Creating Test Scenarios (298)
  Implementing the Changes (299)
  Creating an Upgrade Testing Schedule (299)
  Performing the Required Pre-Testing (299)
  Performing the Required Integration Testing (301)
  Moving an Upgrade to Production (301)

Chapter 14. Considering Update Options (305)
  Differentiating Between Upgrades and Updates (306)
  Determining When to Update (307)
  Working Through Library Updates (308)
  Working Through API and Microservice Updates (309)
  Accepting Automatic Updates (311)
  Updating Language Suites (312)
  Creating a Supported Language List (312)
  Obtaining Reliable Language Specialists (314)
  Verifying the Language-Specific Prompts Work with the Application (315)
  Ensuring Data Appears in the Correct Format (315)
  Defining the Special Requirements for Language Support Testing (316)
  Performing Emergency Updates (317)
  Avoiding Emergencies When Possible (317)
  Creating a Fast Response Team (317)
  Performing Simplified Testing (318)
  Creating a Permanent Update Schedule (318)
  Creating an Update Testing Schedule (319)

Chapter 15. Considering the Need for Reports (321)
  Using Reports to Make Changes (322)
  Avoiding Useless Reports (322)
  Timing Reports to Upgrades and Updates (324)
  Using Automatically Generated Reports (325)
  Using Custom Reports (325)
  Creating Consistent Reports (327)
  Using Reports to Perform Specific Application Tasks (328)
  Creating Internal Reports (328)
  Determining Which Data Sources to Use (329)
  Specifying Report Uses (330)
  Relying on Externally Generated Reports (331)
  Obtaining Completed Reports from Third Parties (331)
  Developing Reports from Raw Data (332)
  Keeping Internal Data Secure (332)
  Providing for User Feedback (332)
  Obtaining User Feedback (333)
  Determining the Usability of User Feedback (334)

Part V. Locating Security Resources (337)

Chapter 16. Tracking Current Security Threats (339)
  Developing Sources for Security Threat Information (340)
  Reading Security-Related Articles by Experts (341)
  Checking Security Sites (342)
  Getting Input from Consultants (345)
  Avoiding Information Overload (346)
  Creating a Plan for Upgrades Based on Threats (347)
  Anticipating Situations that Require No Action at All (347)
  Deciding Between an Upgrade or an Update (348)
  Defining an Upgrade Plan (350)
  Creating a Plan for Updates Based on Threats (351)
  Verifying Updates Address Threats (352)
  Determining Whether the Threat Is an Emergency (353)
  Defining an Update Plan (354)
  Asking for Updates from Third Parties (354)

Chapter 17. Getting Required Training (355)
  Creating an In-House Security Training Plan (356)
  Defining Needed Training (357)
  Setting Reasonable Goals (358)
  Using In-House Trainers (359)
  Monitoring the Results (360)
  Obtaining Third-Party Training for Developers (362)
  Specifying the Training Requirements (363)
  Hiring a Third-Party Trainer for Your Organization (364)
  Using Online Schools (365)
  Relying on Training Centers (365)
  Using Local Colleges and Universities (366)
  Ensuring Users Are Security Aware (366)
  Making Security Training Specific (367)
  Combining Training with Written Guides (367)
  Creating and Using Alternative Security Reminders (368)
  Holding Training Effectiveness Checks (369)

Index (371)
About the Author (381)

Annotation

Some books give you good advice, but only about part of the security problem. Others provide solutions so generic that they aren't truly useful. Unfortunately, attacking only part of the problem leaves you open to hacking or other security issues. And general advice no longer meets current security needs. This practical book provides specific advice for the HTML5, JavaScript, and CSS developer on all areas of security, including new areas not found in any other book, such as microservices. You'll get a complete view of the security changes needed to protect an application and keep its data safe.
Download the book Security for Web Developers - Using JavaScript, HTML, and CSS