Web Application Security Breach Commonality

If you follow the trade news for even a few weeks, you begin to see a recurring pattern of security breaches based on web application deficiencies, social engineering attacks, or some other weakness in the security chain. The latest attack that is making the rounds is the IRS security breach. However, I’m not picking on the IRS, you can find security breaches galore in every arena of human endeavor simply by performing the required search. Everyone gets hacked, everyone is embarrassed by it, and everyone lies through their teeth about the methods used for the attack, the severity of the attack, and the likelihood of dire results. The attacks serve to demonstrate a simple principle I’ve written about in HTML5 Programming with JavaScript for Dummies, CSS3 for Dummies, and Security for Web Developers—if someone wants to break your security, they’ll always succeed.

Later analysis of the IRS attack brings out some important issues that you need to consider as part of your development efforts. The first is that you really do need to expend the effort to create the most secure environment possible. Many of the successful attacks use simple methods to obtain the desired result. Training really does help reduce social engineering attacks, updates really do help close security issues that a hacker can use to access your system, good programming practices keep hackers at bay, make applications easier to use, and reduce errors that result in security issues. All of these methods help you remain secure. However, remaining vigilant is important too. Monitoring your application and the libraries, APIs, and microservices on which they depend are all important. Despite protestations to the contrary, the IRS probably could have done more to prevent the breach, or at least mitigate the results of the breach.

A focal point of the analysis for me is that the IRS currently has 363 people working security and a budget of $141.5 million to ensure your data remains safe. The author is a bit harsh and asks whether the IRS Commissioner Koskinen thinks his people are stupid because he keeps making the claim that these hackers are quite skilled. Yet, the hacks used are really quite simple. Breaches happen to every organization at some point, no matter how much money you want to throw at the problem. Organizations get blindsided because hackers attack from a direction that is unexpected in many cases or the organization simply isn’t keeping track of the current threats. Again, I’m not heaping insult on the IRS, simply pointing out a problem that appears common to most of the breaches I read about. What is needed in this case is a frank admission of the facts and a whole lot less in the way of excuses that simply make the organization look weak or stupid anyway.

The IRS, like many organizations, later came back and increased the tally on the number of individuals affected by the breach. This is another common issue. Instead of investigating first and speaking later, many organizations provide numbers at the outset that really aren’t based on solid facts. When an organization has a breach, the public does need to know, but the organization should wait on details until it actually does know what happened.

The application that caused the breach is now dead. It’s a demonstration of a final principle that appears in many of my books. If you really want to keep something secret, then don’t tell anyone about it. Breaches happen when data is made public in some manner. Yes, it’s convenient to access tax information using a web application, but the web application will be breached at some point and then the confidential details will appear in public. Organizations need to weigh convenience against the need to keep data secure. In some cases, security has to win.

The more I read about security breaches, the more convinced I become that they’re unavoidable. The only way to prevent data breaches is to keep the data in a closed system (and even then, a disgruntled employee could still potentially make a copy). Being honest about data breaches, providing the public with solid facts, and ensuring remediation measures are effective are the only ways to control the effects of a data breach. Let me know your thoughts on this issue at John@JohnMuellerBooks.com.


Beta Readers Needed for Security for Web Developers

Are you worried about your web-based applications, web services, and other web endeavors? Web security becomes a more serious problem on an almost daily basis as witnessed by the surge of truly serious hacking events, so developers are looking for a reference they can use to avoid becoming yet another statistic. Many books give you good advice about part of the security problem or provide solutions so generic they aren’t truly useful. Unfortunately, attacking only part of the problem leaves you open to hacking or other security issues. Developers also need specific advice because general advice will no longer meet current security needs. Security for Web Developers provides specific advice for the HTML5, JavaScript, and CSS developer on all areas of security, including new areas not found in any other book, such as microservices. Consequently, you get a complete view of security changes needed to protect web-based code and keep its data safe. Here’s what you’ll see in this book:

  • Part I: Developing a Security Plan
    • Chapter 1: Defining the Application Environment
    • Chapter 2: Embracing User Needs and Expectations
    • Chapter 3: Getting Third Party Assistance
  • Part II: Applying Successful Coding Practices
    • Chapter 4: Developing Successful Interfaces
    • Chapter 5: Building Reliable Code
    • Chapter 6: Incorporating Libraries
    • Chapter 7: Using APIs with Care
    • Chapter 8: Considering the Use of Microservices
  • Part III: Creating Useful and Efficient Testing Strategies
    • Chapter 9: Thinking Like a Hacker
    • Chapter 10: Creating an API Sandbox
    • Chapter 11: Checking Libraries and APIs for Holes
    • Chapter 12: Using Third Party Testing
  • Part IV: Implementing a Maintenance Cycle
    • Chapter 13: Clearly Defining Upgrade Cycles
    • Chapter 14: Considering Update Options
    • Chapter 15: Considering the Need for Reports
  • Part V: Locating Security Resources
    • Chapter 16: Tracking Current Security Threats
    • Chapter 17: Getting Required Training

This book is designed to meet the needs of a wide group of professionals and non-developers will definitely find it useful. If your job title is web designer, front end developer, UI designer, UX designer, interaction designer, art director, content strategist, dev ops, product manager, SEO specialist, data scientist, software engineer, or computer scientist, then you definitely need this book. I’d love to have your input on it as a beta reader because this book is meant to meet your needs. However, even people with other job specialties should send me an e-mail about reading the book because other perspectives are most definitely helpful!

As always, I want your input to help avoid making any errors in the book. If you have any desire whatsoever to work with any sort of web-based code, please contact me at John@JohnMuellerBooks.com. In consideration of your time and effort, your name will appear in the Acknowledgements (unless you specifically request that I not provide it). You also get to read the book free of charge. Being a beta reader is both fun and educational.


Finding Math Libraries for Your Next JavaScript Project

Finding precisely the JavaScript math library you need can be difficult. In both HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies I define a need to perform math tasks accurately. Both books provide some workarounds for the inaccuracies inherent in performing floating point math. It’s important to remember that some numbers can’t be represented properly in the decimal system used by humans, that there are other numbers the computer can’t represent accurately in decimal, and that there are also error present in converting decimal numbers to binary and vice versa. In short, there are a number of levels at which math errors can occur. Yes, it’s true that the math errors are small, but they become a concern when performing large calculations, some of which can’t suffer any level of error (such as plotting a course to Mars).

The problem is so significant in some cases, that trying to work around the issues becomes an application development task in its own right. It’s for that reason that I started looking for math libraries to perform certain tasks. After all, it’s a lot easier to let someone else do the heavy lifting when it comes to a complex calculation. You can read about the results of some of this research in my article entitled, “Four Serious Math Libraries for JavaScript.” The article not only details the source of many of these errors in great detail, but reviews four libraries you can use to solve them.

The important takeaway I got from the research is that, like many programming tasks, there is no one library that does it all. Each library had something to recommend it. However, each library was sufficiently robust that you shouldn’t need to combine them to create your application. The point is to choose the one library that best meets your needs.

I’m actually looking into a number of library types for use in JavaScript programming. The advantage of JavaScript is that it does provide incredibly strong community support in the form of libraries that you simply use as needed. What sorts of issues do you encounter when writing applications using JavaScript. Let me know what kinds of libraries that you’re having a hard time finding at John@JohnMuellerBooks.com. I’d be more than happy to perform the research for library types that receive enough reader support and report my findings to you.


HTML5 and CSS3 Bugs in iOS 7

Several readers have written to ask about an article that appeared in InfoWorld entitled, “Bad news: iOS 7’s HTML5 is full of bugs.” In reading about the bugs, it doesn’t appear that any of them will affect the examples found in either HTML5 Programming with JavaScript for Dummies or CSS3 for Dummies. Unfortunately, I don’t personally own a copy of iOS 7 to perform any testing to verify that there aren’t any problems. A helpful reader did test a few examples for me and didn’t report any errors. If you find that you’re having problems with any of the examples in either book, please let me know at John@JohnMuellerBooks.com.

This issue does serve to point out a problem that I’ve encountered more than a few times in supporting my books. A vendor can release a faulty version of a library, operating system, or other support software required for my books and it will appear that the examples are buggy to the reader. If you read about these sorts of issues, please let me know about them so that I can test the book examples and report back to you here.


Obtaining an Editor for Your Web-based Application

One of the things I like most about writing code for Web-based applications is that there are so many libraries out there to make the task simple. You can stitch together libraries to create an application in only a small amount of the time required to create the same application in desktop form and the resulting application is going to be a lot more flexible. (Admittedly, the desktop application is usually prettier and can be faster.) Some time intensive tasks for desktop developers, such as creating an editor, require little or no work when creating a Web-based application. In fact, you can get a number of editors for free as described in my article, “5 Free JavaScript Libraries to Add Text Editing to Your Web Application.”

In this case, I wanted to see what was available in the way of editors. There are quite a large number of editors out there, some paid, some not. After discovering that the scope of my original article idea was too large (just editors in general), I decided to narrow the scope to just those editors that are free. After all, why pay for something you can get free unless you actually need the special features of the paid product?

Unfortunately, I still ended up with too many editors (somewhere in the neighborhood of 20). So, I decided to categorize the editors by complexity and presentation. I ended up with five major categories that span the range from simple to complex. The article contains what I think are the five best editors. Of course, your opinion may vary from mine. The point is, that you have a significant number of editors to choose from, so there is absolutely no reason to ever write code to create your own editor unless you need something truly specialized.

I’m thinking about other sorts of classes of application module for future articles. For example, it might be necessary to create an application where the user can make a simple drawing to show how something is put together or how something has failed. I actually needed such a module when trying to describe the glass panes used in the front of my wood stove not long ago and finally resorted to using paper and faxing it. The graphics module would have been easier, faster, and simpler.

What sorts of modules do you need for your Web-based applications? I’m always looking for good ideas from the people who read my material. Send me your thoughts at John@JohnMuellerBooks.com.


The Role of APIs in Application Development

More people are coming to understand that the PC will constitute just one of several devices that users will rely upon to perform daily computing tasks in the future. Articles such as, “Life in the Post-PC Era” are appearing more and more often because the trend is clear. However, unlike many people, I don’t see the PC going away completely. There really are situations where you need to size and comfort of a larger system. I can’t imagine myself trying to write an entire book on a tablet. If I did, the resulting Repetitive Stress Injury (RSI) would be my own fault. However, the higher reliability and slow rate of technological change also means that my systems will last longer and I won’t be buying them as often. In other words, I’ll continue to use my PC every day, but people won’t be making as much money off of me as I do it. This said, a tablet will figure into my future in performing research and reading technical materials that I would have used a PC to accomplish in the past.

The nature of computing today means that any application you write will need to work on multiple platforms. Users won’t want a unique application for each platform used. Unfortunately, new platforms arrive relatively fast today, so developers of most applications need some method of keeping their applications relevant and useful. Web-based applications are perfect for this use. These applications are the reason I chose to write CSS3 for Dummies and HTML5 Programming with JavaScript For Dummies. These books represent the future of common applications—those used by users every day to perform the mundane tasks of living and business.

When reading these two books, you’ll find a strong emphasis on not reinventing the wheel. In fact, a lot of developers are now finding that their work is greatly simplified when they rely on third party Application Programming Interfaces (APIs) to perform at least some of their work. The stronger emphasis on APIs hasn’t gone unnoticed by the media either. Articles such as, “How the API Movement is Transforming the Telecom Industry” describe how APIs have become central to creating applications for specific industries. In fact, you’ll find targeted articles for API use all over the Internet because APIs have become a really big deal.

I plan to write quite a lot more about APIs because I see them as a way of standardizing application developing, creating more reliable applications, and reducing developer effort in creating the mundane parts of an application. What will eventually happen is that developers will become more creative and APIs will put the art back into the science of creating applications. However, I’d like your input too. What do you see as the role of APIs in the future? What questions do you have about them? Let me know at John@JohnMuellerBooks.com.