New This Week

January PragPub »

  • Ted Nelson - The Houseboat Visit
  • The Wolfram Language - An Introduction
  • Thoughts on Functional Programming in Swift
  • Useful Measurements in an Agile and Lean Program

Plus: Swaine’s World, Rothman and Lester, New Manager’s Playbook, Antonio on Books, and The BoB Pages

Secure Your Node.js Web Application »

Learn how you can secure your Node.js applications, database and web server to avoid common security holes. Discover the primary attack vectors against web applications, and implement security best practices and effective countermeasures. Protect your users and become a stronger web developer today!

Coming Up Next:

  • Seven Mobile Apps in Seven Weeks: Native Apps, Multiple Platforms in beta
  • Designed for Use, Second Edition: Create Usable Interfaces for Applications and the Web in beta
  • Web Development with Clojure, Second Edition: Build Bulletproof Web Apps with Less Code in beta

Secure Your Node.js Web Application
January 13, 2016

Criminals have your web applications in their crosshairs. They search for and exploit common security mistakes in your web application to steal user data and generally make your life miserable.

Learn how to Secure Your Node.js Web Application: Keep Attackers Out and Users Happy, now in print and shipping from pragprog.com/book/kdnodesec. And don't forget to check out the author's Top Five Security Tips, listed below.

AND DON'T MISS this month's issue of the ever-enriching PragPub magazine.

Keep on scrolling!

January PragPub Magazine

Swift. Wolfram Language. Ted Nelson. And more.

It’s 2016, or as we at PragPub like to call it, 2^5 * 3^2 * 7. We’ve moved some things around in the Pub for the new year, but you shouldn’t have any trouble finding your seat. In the first issue of the new year our editor wants to pour you some news items, set out a few choice bits, pose a Pub puzzle, and lay out the bill of fare for this issue.

Ted Nelson is by many accounts the computer industry’s one true visionary, “a truly first-class mind” [Eric Raymond], “the Bucky Fuller of software” [Bill Duvall]. In the words of Mitch Kapor, “All of the Web is in essence a pale shadow of just one of Ted Nelson’s dreams.” Your editor spent some time with Ted recently on his houseboat in Sausalito, and the result is this month’s lead article.

But that’s just the beginning.

On a list of currently hot topics in software you’d undoubtedly find Apple’s Swift language, especially since it just went open source, and you’d also find functional programming. Those two topics come together in a thoughtful article by Swift expert Natasha Murashev. There’s a difference between using some functional programming tools and practices and truly programming in a functional style. Natasha spells out the key ideas and points to resources that can get you thinking in this important paradigm. Oh, and she does it all in Swift, of course.

Possibly the most intriguing programming language today is Wolfram Language from Wolfram Research. It’s based on Mathematica, a multiparadigm language for technical computing, especially in the sciences. But what makes Wolfram Language so different is that it is also built on the Wolfram Alpha knowledge engine. Programming languages don’t typically incorporate real-world knowledge, but Wolfram Language can tell you the relative precipitation in Madagascar or the melting point of tin. Now Wolfram Language has gone cloud-based, and Mike Riley, who has been tracking developments, has written an article for PragPub on what this could mean to you.

Johanna Rothman is no stranger to these pages, being one half of Rothman and Lester, our career columnist duo. Johanna is also a consultant and lecturer and book author, and we prevailed upon her to share an excerpt from her upcoming book, Agile and Lean Program Management. The topic is measurement. You know how to define progress, but unless you can measure it, how do you know it’s happening?

Andy Lester is the other half of Rothman and Lester. This month in their column Andy and Johanna discuss a particularly appropriate topic for the beginning of a new year: how to know if you’re in a rut—and what to do about it if you are. Our other regular columnists are here, too, back from the holidays and refreshed. Marcus Blankenship talks about how to balance management with real work, and Antonio Cangiano has another collection of good tech books.

Now available from theprosegarden.com.

Secure Your Node.js Web Application: Keep Attackers Out and Users Happy

Bake security into your code from the start. See how to protect your Node.js applications at every point in the software development life cycle, from setting up the application environment to configuring the database and adding new functionality. You'll follow application security best practices and analyze common coding errors in applications as you work through the real-world scenarios in this book.

Protect your database calls from database injection attacks and learn how to securely handle user authentication within your application. Configure your servers securely and build in proper access controls to protect both the web application and everyone who uses the service. Defend your application from denial of service attacks. Understand how malicious actors target coding flaws and lapses in programming logic to break into web applications, steal information, and disrupt operations. Work through examples illustrating security methods in Node.js. Learn defenses to protect user data flowing in and out of the application.

By the end of the book, you'll understand the world of web application security, how to avoid building web applications that attackers consider an easy target, and how to increase your value as a programmer.

Top Five Security Tips

by Karl Düüna

Secure the environment

To build a secure system, you need to start from the ground up and invest time in securing the environment. Otherwise your code might be secure, but attackers can still compromise your application by exploiting weaknesses on your servers instead. Make sure you run up-to-date software, have secure authentication mechanisms, run the application under low privileges, and have decent logging.

Validate all input

Hacking in general means finding an unexpected usage for a system by introducing unexpected input. The best way to defend yourself is to allow as narrow an input range as possible. It is equally important to always validate that the input matches your expectations.

Secure your data

Data and databases are a critical part of most web applications and therefore a prime target for attackers. While Node.js applications might lean more toward NoSQL, the principles of data protection are the same: always use authentication mechanisms, use varying levels of access, separate your customers' data as much as needed or possible, and encrypt the important parts of the database.

Protect your clients

Clients are probably the most valuable asset of your web application—they use the system and bring in the business. So it is natural that you must protect them with the same vigilance. Alongside your other defenses, this means you must invest in protecting the client side of your application, including setting up CSRF and XSS defenses and protecting against clickjacking and unvalidated redirects.

Implement “Defense in Depth”

Cyber-defense is an asymmetrical problem: while crackers need only one of their attacks to succeed, you need all of your defenses to hold. This is unrealistic, which is why you should always opt for “Defense in Depth.” Never assume that the outer defenses of your application are impenetrable. Instead, set up layers upon layers of defensive mechanisms. Even if the attacker manages to get through one layer, the damage they can do is limited.
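Two of the tips above, narrow input validation and a check against unvalidated redirects, worked through in plain Node.js as an added example (this is not code from the book or from Karl Düüna; the username rule and the app.example origin are constructed for the illustration):

```javascript
// Added example, not from the book: allowlist input validation and a
// same-origin redirect check for a Node.js application.

// "Validate all input": accept only the narrow range we actually expect.
// Constructed rule for this example: 3-32 chars of lowercase letters,
// digits or underscore. Anything else is rejected, never "cleaned up".
const USERNAME_RE = /^[a-z0-9_]{3,32}$/;

function validateUsername(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (!USERNAME_RE.test(input)) return { ok: false, reason: 'outside allowed pattern' };
  return { ok: true, value: input };
}

// "Unvalidated redirects": a ?next= value must only ever send the browser
// back to our own site. The origin below is assumed for this example.
// Resolving the value against that origin with the WHATWG URL parser and
// then comparing origins catches absolute URLs, protocol-relative
// "//evil.example" forms and user@host tricks, because the parser
// normalises them before we compare.
const OUR_ORIGIN = 'https://app.example';

function resolveRedirect(next) {
  if (typeof next !== 'string' || next.length === 0) return null;
  let target;
  try {
    target = new URL(next, OUR_ORIGIN);
  } catch (e) {
    return null; // unparsable input is rejected, not guessed at
  }
  if (target.origin !== OUR_ORIGIN) return null; // would leave our site
  return target.href;
}

// Where to send the user after login: the validated target, else a fixed
// fallback page. The fallback is the safe default, not an error.
function redirectTargetAfterLogin(next) {
  return resolveRedirect(next) || '/';
}

console.log(validateUsername('alice_01'));                 // { ok: true, value: 'alice_01' }
console.log(validateUsername('<script>').ok);              // false
console.log(redirectTargetAfterLogin('/account'));         // https://app.example/account
console.log(redirectTargetAfterLogin('//evil.example/x')); // /
```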

Now in print and shipping from pragprog.com/book/kdnodesec.

Did You Know?

If you've bought a paperback copy of one of our titles, you can still buy the ebook at our discounted "combo" price—even if you bought the paperback from a book store. Look on the last page of your paper book for directions.

Don't Get Left Out

Are your friends jealous that you get these spiffy email newsletters and they don't? Clue them in that all they need to do is create an account on pragprog.com (email address and password is all it takes) and select the checkbox to receive newsletters.

Are you following us on Twitter and/or Facebook? Here's where you can find us and keep up with the latest news and commentary, and occasional discounts:


Follow us on Twitter: @pragprog, @pragpub, Andy @PragmaticAndy and Dave @pragdave.

Andy & Dave
The Pragmatic Programmers


Sent by the Pragmatic Programmers, LLC. • 2831 El Dorado Pkwy, #103-381 • Frisco TX 75033