Identity and Data Security for Web Development. Best Practices

(ebook) (audiobook) (audiobook)

Autorzy:: Jonathan LeBlanc, Tim Messerschmidt

Identity and Data Security for Web Development. Best Practices Jonathan LeBlanc, Tim Messerschmidt - okładka ebooka

Identity and Data Security for Web Development. Best Practices Jonathan LeBlanc, Tim Messerschmidt - okładka audiobooka MP3

Identity and Data Security for Web Development. Best Practices Jonathan LeBlanc, Tim Messerschmidt - okładka audiobooks CD

Wydawnictwo:: O'Reilly Media (Z chęcią przeczytam książkę w języku polskim)
Ocena:: Bądź pierwszym, który oceni tę książkę
Stron:: 204
Dostępne formaty:: ePub

Mobi

+126 pkt

Ebook (126,65 zł najniższa cena z 30 dni)

~~149,00 zł~~ (-15%)
126,65 zł

Dodaj do koszyka lub Kup na prezent
Kup 1-kliknięciem

( 126,65 zł najniższa cena z 30 dni)

Przenieś na półkę

Do przechowalni

Developers, designers, engineers, and creators can no longer afford to pass responsibility for identity and data security onto others. Web developers who don’t understand how to obscure data in transmission, for instance, can open security flaws on a site without realizing it. With this practical guide, you’ll learn how and why everyone working on a system needs to ensure that users and data are protected.

Authors Jonathan LeBlanc and Tim Messerschmidt provide a deep dive into the concepts, technology, and programming methodologies necessary to build a secure interface for data and identity—without compromising usability. You’ll learn how to plug holes in existing systems, protect against viable attack vectors, and work in environments that sometimes are naturally insecure.

Understand the state of web and application security today
Design security password encryption, and combat password attack vectors
Create digital fingerprints to identify users through browser, device, and paired device detection
Build secure data transmission systems through OAuth and OpenID Connect
Use alternate methods of identification for a second factor of authentication
Harden your web applications against attack
Create a secure data transmission system using SSL/TLS, and synchronous and asynchronous cryptography

Wybrane bestsellery

Ebooka "Identity and Data Security for Web Development. Best Practices" przeczytasz na:

czytnikach Inkbook, Kindle, Pocketbook, Onyx Boox i innych
systemach Windows, MacOS i innych

systemach Windows, Android, iOS, HarmonyOS
na dowolnych urządzeniach i aplikacjach obsługujących formaty: PDF, EPub, Mobi

Masz pytania? Zajrzyj do zakładki Pomoc »

Audiobooka "Identity and Data Security for Web Development. Best Practices" posłuchasz:

w aplikacji Ebookpoint na Android, iOS, HarmonyOs
na systemach Windows, MacOS i innych

na dowolnych urządzeniach
i aplikacjach obsługujących format MP3
(pliki spakowane w ZIP)

Masz pytania? Zajrzyj do zakładki Pomoc »

Kurs Video "Identity and Data Security for Web Development. Best Practices" zobaczysz:

Oceny i opinie klientów: Identity and Data Security for Web Development. Best Practices Jonathan LeBlanc, Tim Messerschmidt (0) Weryfikacja opinii następuję na podstawie historii zamówień na koncie Użytkownika umieszczającego opinię. Użytkownik mógł otrzymać punkty za opublikowanie opinii uprawniające do uzyskania rabatu w ramach Programu Punktowego.

Szczegóły ebooka

ISBN Ebooka:: 978-14-919-3696-2, 9781491936962
Data wydania ebooka:: 2016-06-06 Data wydania ebooka często jest dniem wprowadzenia tytułu do sprzedaży i może nie być równoznaczna z datą wydania książki papierowej. Dodatkowe informacje możesz znaleźć w darmowym fragmencie. Jeśli masz wątpliwości skontaktuj się z nami sklep@ebookpoint.pl.
Język publikacji:: angielski
Rozmiar pliku ePub:: 5.6MB
Rozmiar pliku Mobi:: 11.5MB

Kategorie

Kliknij, aby zgłosić błędnie przypisaną kategorię »

Informatyka » Webmasterstwo » Web Design

Informatyka » Webmasterstwo » Inne

Informatyka » Hacking » Inne

Spis treści ebooka

Preface
- Conventions Used in This Book
- Safari Books Online
- How to Contact Us
- Acknowledgments
  - Jonathan
  - Tim
1. Introduction
- The Problems with Current Security Models
  - Poor Password Choices
  - Security over Usability
  - Improper Data Encryption
- The Weakest Link: Human Beings
  - Single Sign-on
- Understanding Entropy in Password Security
  - Entropy in Randomly Selected Passwords
  - Entropy in Human-Selected Passwords
- Breaking Down System Usage of a Username and Password
- Securing Our Current Standards for Identity
  - Good and Bad Security Algorithms
    - The good
    - The bad (for passwords)
- What Data Should Be Protected?
  - Account Recovery Mechanisms and Social Engineering
  - The Problem with Security Questions
- Next Up
2. Password Encryption, Hashing, and Salting
- Data at Rest Versus Data in Motion
  - Data at Rest
  - Data in Motion
- Password Attack Vectors
  - Brute-Force Attack
  - Creating a CAPTCHA with reCAPTCHA
  - Dictionary Attacks
  - Reverse Lookup Tables
  - Rainbow Tables
- Salting
  - Generating a Random Salt
  - Salt Reuse
  - Salt Length
  - Where to Store the Salt
- Peppering
- Choosing the Right Password Hashing Function
  - bcrypt
  - PBKDF2
  - scrypt
  - Validating a Password Against a Hashed Value
- Key Stretching
- Recomputing Hashes
- Next Steps
3. Identity Security Fundamentals
- Understanding Various Identity Types
  - Social Identity
  - Concrete Identity
  - Thin Identity
- Enhancing User Experience by Utilizing Identity
- Introducing Trust Zones
- Browser Fingerprinting
  - Configurations More Resistant to Browser Fingerprinting
  - Identifiable Browser Information
  - Capturing Browser Details
    - User agent
    - Time zone
    - Screen resolution
    - Plug-ins
- Location-Based Tracking
- Device Fingerprinting (Phone/Tablet)
- Device Fingerprinting (Bluetooth Paired Devices)
- Implementing Identity
4. Securing the Login with OAuth 2 and OpenID Connect
- The Difference Between Authentication and Authorization
  - Authentication
  - Authorization
- What Are OAuth and OpenID Connect?
  - Introducing OAuth 2.0
    - OAuth 1.0 versus OAuth 2.0
  - Handling Authorization with OAuth 2.0
  - Using the Bearer Token
  - Authorization and Authentication with OpenID Connect
    - UserInfo endpoint and Claims
    - User authentication
    - The ID Token
- Security Considerations Between OAuth 2 and OAuth 1.0a
- Building an OAuth 2.0 Server
- Creating the Express Application
- Setting Up Our Servers Database
  - Generating Authorization Codes and Tokens
    - Authorization Codes
    - Access Tokens
    - Refresh Tokens
    - Generation of codes and tokens
  - The Authorization Endpoint
  - Handling a Tokens Lifetime
  - Handling Resource Requests
  - Using Refresh Tokens
  - Handling Errors
    - Using error handlers
- Adding OpenID Connect Functionality to the Server
  - The ID Token Schema
  - Modifying the Authorization Endpoint
  - Adjusting the Token Endpoint
  - The UserInfo Endpoint
  - Session Management with OpenID Connect
- Building an OAuth 2 Client
  - Using Authorization Codes
    - Storing tokens on the Client
    - Custom schemes
  - Authorization Using Resource Owner Credentials or Client Credentials
- Adding OpenID Connect Functionality to the Client
  - The OpenID Connect Basic Flow
- Beyond OAuth 2.0 and OpenID Connect
5. Alternate Methods of Identification
- Device and Browser Fingerprinting
- Two-Factor Authentication and n-Factor Authentication
  - n-Factor Authentication
  - One-Time Passwords
  - Implementing Two-Factor Authentication with Authy
- Biometrics as Username Instead of Password
- How to Rate Biometric Effectiveness
  - Face Recognition
  - Retina and Iris Scanning
  - Vein Recognition
- Upcoming Standards
  - FIDO Alliance
    - UAF
    - U2F
  - Oz
  - The Blockchain
  - Wrap Up
6. Hardening Web Applications
- Securing Sessions
  - Types of Sessions
    - Whats a cookie?
    - Whats a session?
  - How Express Handles Sessions
    - Using genid
    - Best practices when dealing with sessions
- Handling XSS
  - The Three Types of XSS Attacks
  - Testing XSS Protection Mechanisms
    - Circumventing XSS Auditor
  - Conclusion
- CSRF Attacks
  - Handling CSRF with csurf
- Valuable Resources for Node
  - Lusca
  - Helmet
  - Node Security Project
- Other Mitigation Techniques
- Our Findings
7. Data Transmission Security
- SSL/TLS
  - Certificate Validation Types and Authorities
    - Domain Validation (DV)
    - Organization Validation (OV)
    - Extended Validation (EV)
  - Creating Your Own Self-Signed Certificate for Testing
    - Certificate setup
    - Server setup
    - Making secure requests to the server
- Asyncronous Cryptography
  - Use Case
  - Implementation Example
    - Step 1a: Generating keys without file storage
    - Step 1b: Generating keys with file storage
    - Step 2: Encrypting and signing a message
    - Step 3: Decrypting and signing a message
  - Advantages, Disadvantages, and Uses of Aynchronous Cryptography
- Synchronous Cryptography
  - Initialization Vector
  - Padding
  - Block Cipher Modes of Operation
  - Using AES with CTR Encryption Mode
  - Using AES with with GCM Authenticated Encryption Mode
  - Advantages, Disadvantages, and Uses of Synchronous Cryptography
A. GitHub Repositories
B. Technical Preconditions and Requirements
- On ES6/ES2015
- Setting Up Your Node.js Environment
- Managing Node Versions or Alternative Installations
- Installing the Express Generator
- Setting Up Express
- Creating and Maintaining Your package.json File
- Application Configuration
- Working with JSON/URL-Encoded Bodies in Express
Glossary
Index

pokaż cały spis treści

Identity and Data Security for Web Development. Best Practices

Ebook (126,65 zł najniższa cena z 30 dni)

Najczęściej kupowane razem