Chapman, N. and Chapman, J. (2011) A Web Developer’s Guide to Securing a Server, Web Security Topics, MacAvon Media
A short book in the series “Web Security Topics”, by the well-known authors Nigel and Jenny Chapman. Written for Web developers who act as part-time sysadmins, this handy guide deals with a crucial aspect of Web security – securing the system on which your Web applications are hosted. It provides a clear, easy-to-understand introduction to securing a Web server host running a Unix-like operating system such as Ubuntu Server. The book offers a commonsense, practical approach to everyday security for busy developers who have to take responsibility for setting up and securing Web servers for small businesses and non-profit organizations which do not have critical security requirements. Based on first-hand practical experience combined with extensive computing knowledge, this book explains the important principles and processes which every developer administering a server host needs to understand. Full of down-to-earth advice, it describes how to avoid the main pitfalls and security risks when administering a server host – and explains why each step must be taken. Topics covered include the available methods for remotely administering a server and transferring files to it, systems of permissions based on user accounts, how to restrict users and processes to minimize security risks, how to prevent unwanted connections by eliminating inessential servers and setting up a firewall, and how to recover from break-ins to the server if the worst should happen. Clear key points provide useful summaries at the end of each section, and a valuable 14-page glossary of technical terms is included.
Sullivan, B. and Liu, V. (2012) Web Application Security – A Beginner’s Guide, McGraw Hill
Download Chapter 1 – Welcome to the Wide World of Web Application Security (PDF 22.5MB)
“Get to know the hackers―or plan on getting hacked. Sullivan and Liu have created a savvy, essentials-based approach to web app security packed with immediately applicable tools for any information security practitioner sharpening his or her tools or just starting out.” ―Ryan McGeehan, Security Manager, Facebook, Inc.
Secure web applications from today’s most devious hackers. Web Application Security: A Beginner’s Guide helps you stock your security toolkit, prevent common hacks, and defend quickly against malicious attacks.
This practical resource includes chapters on authentication, authorization, and session management, along with browser, database, and file security–all supported by true stories from industry. You’ll also get best practices for vulnerability detection and secure development, as well as a chapter that covers essential security fundamentals. This book’s templates, checklists, and examples are designed to help you get started right away.
Web Application Security: A Beginner’s Guide features:
- Lingo–Common security terms defined so that you’re in the know on the job
- IMHO–Frank and relevant opinions based on the authors’ years of industry experience
- Budget Note–Tips for getting security technologies and processes into your organization’s budget
- In Actual Practice–Exceptions to the rules of security explained in real-world contexts
- Your Plan–Customizable checklists you can use on the job now
- Into Action–Tips on how, why, and when to apply new skills and techniques at work
Ballad, T. and Ballad, W. (2009) Securing PHP Web Applications, Addison-Wesley
Easy, Powerful Code Security Techniques for Every PHP Developer
Hackers specifically target PHP Web applications. Why? Because they know many of these apps are written by programmers with little or no experience or training in software security. Don’t be victimized. Securing PHP Web Applications will help you master the specific techniques, skills, and best practices you need to write rock-solid PHP code and harden the PHP software you’re already using.
Drawing on more than fifteen years of experience in Web development, security, and training, Tricia and William Ballad show how security flaws can find their way into PHP code, and they identify the most common security mistakes made by PHP developers. The authors present practical, specific solutions–techniques that are surprisingly easy to understand and use, no matter what level of PHP programming expertise you have.
Securing PHP Web Applications covers the most important aspects of PHP code security, from error handling and buffer overflows to input validation and filesystem access. The authors explode the myths that discourage PHP programmers from attempting to secure their code and teach you how to instinctively write more secure code without compromising your software’s performance or your own productivity.
Coverage includes
- Designing secure applications from the very beginning–and plugging holes in applications you can’t rewrite from scratch
- Defending against session hijacking, fixation, and poisoning attacks that PHP can’t resist on its own
- Securing the servers your PHP code runs on, including specific guidance for Apache, MySQL, IIS/SQL Server, and more
- Enforcing strict authentication and making the most of encryption
- Preventing dangerous cross-site scripting (XSS) attacks
- Systematically testing your applications for security, including detailed discussions of exploit testing and PHP test automation
- Addressing known vulnerabilities in the third-party applications you’re already running
Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals, and more. Whether you write Web applications professionally or casually, or simply use someone else’s PHP scripts, you need this book–and you need it now, before the hackers find you!
Part I: Web Development Is a Blood Sport-Don’t Wander onto the Field Without a Helmet
Chapter 1: Security Is a Server Issue and Other Myths
Reality Check
Security Is a Server Issue
Security Through Obscurity
Native Session Management Provides Plenty of Security
“My Application Isn’t Major Enough to Get Hacked”
The “Barbarians at the Gate” Syndrome
Wrapping It Up
Part II: Is That Hole Really Big Enough to Drive a Truck Through?
Chapter 2: Error Handling
The Guestbook Application
Users Do the Darnedest Things . . .
Building an Error-Handling Mechanism
Wrapping It Up
Chapter 3: System Calls
Navigating the Dangerous Waters of exec(), system(), and Backticks
Using escapeshellcmd() and escapeshellarg() to Secure System Calls
Create an API to Handle All System Calls
Patch the Guestbook Application
Wrapping It Up
Part III: What’s In a Name? More Than You Expect
Chapter 4: Buffer Overflows and Variable Sanitation
What Is a Buffer, How Does It Overflow, and Why Should You Care?
Prevent Buffer Overflows by Sanitizing Variables
Patch the Application
Wrapping It Up
Chapter 5: Input Validation
New Feature: Allow Users to Sign Their Guestbook Comments
The Problem: Users Who Give You More Than You Asked For
Assumptions: You Know What Your Data Looks Like
The Solution: Regular Expressions to Validate Input
Wrapping It Up
Chapter 6: Filesystem Access: Accessing the Filesystem for Fun and Profit
Opening Files
Creating and Storing Files
Changing File Properties Safely
Patching the Application to Allow User-Uploaded Image Files
Wrapping It Up
Part IV: “Aw come on man, you can trust me”
Chapter 7: Authentication
What Is User Authentication?
Privileges
How to Authenticate Users
Storing Usernames and Passwords
Patching the Application to Authenticate Users
Wrapping It Up
Chapter 8: Encryption
What Is Encryption?
Choosing an Encryption Type
Password Security
Patching the Application to Encrypt Passwords
Wrapping It Up
Chapter 9: Session Security
What Is a Session Variable?
Major Types of Session Attacks
Patching the Application to Secure the Session
Wrapping It Up
Chapter 10: Cross-Site Scripting
What Is XSS?
Reflected XSS
Stored XSS
Patching the Application to Prevent XSS Attacks
Wrapping It Up
Part V: Locking Up for the Night
Chapter 11: Securing Apache and MySQL
Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure
Securing a UNIX, Linux, or Mac OS X Environment
Securing Apache
Securing MySQL
Wrapping It Up
Chapter 12: Securing IIS and SQL Server
Securing a Windows Server Environment
Securing IIS
Securing SQL Server
Wrapping It Up
Chapter 13: Securing PHP on the Server
Using the Latest Version of PHP
Using the Security Features Built into PHP and Apache
Using ModSecurity
Hardening php.ini
Wrapping It Up
Chapter 14: Introduction to Automated Testing
Why Are We Talking About Testing in a Security Book?
Testing Framework
Types of Tests
Choosing Solid Test Data
Wrapping It Up
Chapter 15: Introduction to Exploit Testing
What Is Exploit Testing?
Fuzzing
Testing Toolkits
Proprietary Test Suites
Wrapping It Up
Part VI: “Don’t Get Hacked” Is Not a Viable Security Policy
Chapter 16: Plan A: Designing a Secure Application from the Beginning
Before You Sit Down at the Keyboard . . .
Identifying Points of Failure
Wrapping It Up
Chapter 17: Plan B: Plugging the Holes in Your Existing Application
Set Up Your Environment
Application Hardening Checklist
Wrapping It Up
Epilogue: Security Is a Lifestyle Choice: Becoming a Better Programmer
Avoid Feature Creep
Write Self-Documenting Code
Use the Right Tools for the Job
Have Your Code Peer-Reviewed
Wrapping It Up
Appendix: Additional Resources
PEAR
Books
Web Sites
Tools
Glossary
Threats and Mitigations – A Guide to Multi-Layered Web Security (Akamai)
Download here (PDF 4,295KB)
With the rise of the internet, securing information has shifted from inside the data center to outside it: to the cloud, and to the websites and applications served from it. This change brings a new landscape of attacks, so how can you secure them?
This essential guide uncovers everything you need to know about web security and how you can mitigate web threats. Download now to discover:
- Types of security threats you face online
- Components necessary to secure websites and apps
- On-premise hardware and cloud-based options
- And more