Best books or resources on web application security and user authentication? - security

I'm looking to learn more about web application security and user authentication as it applies in 2013 and beyond across technologies like PHP, Java + Spring, Python + Django/Flask, Ruby on Rails, and all modern application frameworks.
Anyone have any good suggestions?
I gleaned some from a popular security.stackexchange post but most of these are dated:
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
The Tangled Web by Michal Zalewski
Writing Secure Code v2 from MS Press
Any suggestions would be appreciated!

We have used spring security (Acegi Security) in various features like ( Database Authentication, LDAP Authentication, Web Authentication, Domain Authentication) in my project.
Please find the references.
http://www.springsource.org/spring-security
http://www.springsecuritybook.com/
http://static.springsource.org/spring-security/site/docs/3.2.x/reference/springsecurity-single.html

Related

Is there 'switch user' add-on available for Node.js that behaves similar to the Grails plugin

I have a Grails application where we use the Grails Spring Security plugin to allow an admin to easily switch (or assume) another user. This has proven to be very useful for admins to debug user issues and for our testers to jump between roles.
Is there an easy solution available for Node.js that is similar to this Spring Security feature? Note that we're using JWT to auth every request, so not using server based token like Spring Security would.
No, but only because there is no equivalent security plugin for Node in the first place. There are popular projects such as http://passportjs.org/ that can provide functionality in this category, and each offers varying levels of support for what you're asking. But your request isn't relevant to NodeJS Core. User authentication and authorization are not core modules of that project.

Hardened app frameworks that actively TDD/unit test against OWASP top 10?

Are there any open source web frameworks that actively protect against the OWASP Top 10 Security Vulnerabilities?
A framework that satisfies this requirement should include the following
Can pass penetrations testing tools like OWASP Zap Core
Supports standard authentication flows such as create new account, forgot password, login, etc?
Is open source
The intent being to build an application that is secure from the ground up, with best practices already applied.
To me, the programming language is less important here than having these important lessons applied.
Electrode, opensourced by Walmart as the backend app framework they use for walmart.com

Two-factor Authentication for IBM Domino XPages

I am a new Domino XPages developer. Does anyone know of a Two Factor Authentication solution for Xpages.
You don't authenticate with an application on Domino. (That's true whether it's built with XPages or not.) You authenticate with the server. IBM does not support two factor authentication for Domino, but a simple google of "lotus domino two factor authentication" will bring up results that include a few vendors of 3rd party solutions that work with Domino. You will, however, have to approach this as a systems admin issue, not a development problem, so if you have any follow-ups they will belong on ServerFault instead of StackOverflow.
Look at https://www.duosecurity.com/product/applications/api which you could use after user successfully authenticates against Domino server.

When to go for App Model in SharePoint 2013?

While learning SharePoint 2013; in some diagrams, i found that we need more than just Sharepoint servers to do app model. we should be hosting the app in separate IIS then connect to Sharepoint Servers.
Is not this costly approach?In such case, why should we go for app model and what is the correct kind of applicable scenario? Please help me understand. Any inputs will be grateful.
Some basics things are (Provider Hosted apps)
For provider-hosted apps, use any language - like HTML, JavaScript, PHP, or .NET
Apps are Safer than Sandboxed Solutions as they are executed outside server environment
Apps induce Less Load to server than Sandboxed Solutions ..
http://blogs.msdn.com/b/mvpawardprogram/archive/2013/01/21/sharepoint-2013-apps-advantages.aspx
For learning purpose you can use IIS express with Developer site.

Which scripting language and web server to use for mulltithreading

I am new to web programming
I need to develop a web page running on a server, that needs to show progress status of 10 threads simultaneously. Also I would require SQLite database integration.
Please tell me what are the options available for me for choosing a scripting language and web server [socket] development framework.
Also suggest the most suitable.
Thanks for any help
Python would be an excellent choice. It has SQLite integrated as documented here.
Python also has the following features (and many others) integrated:
threading and synchronization
Networking (sockets)
lots of web server (and web pages, etc) handling options
Here is a page that discusses several different Python web server frameworks. Im not very familiar with it, but Ive heard lots of good things about Django.
Another excellent choice would be Ruby on Rails. Ruby is the scripting language and Rails is the Web Server Framework.

Resources