This page contains suggestions for further reading on the subjects covered in the Web Security Topics books, and pointers to the relevant standards documents.
We will add links to this page as more books in the series are published.
General
This section of the page lists books and sites that are relevant to more than one volume in the series.
A monumental book which covers the general topic of computer security, including network and Web application security. It is over 1000 pages long – the bibliography alone is over 100 pages – written by the Professor of Security Engineering at Cambridge University, and as authoritative as that would lead you to expect. The book covers a lot of ground. Although not much of it is devoted to Web security, the book provides valuable context and perspective on the whole area of security.
You can get the complete book free in PDF from Prof Anderson's Web page.
The official site for Node.js, where you can find full documentation.
The official site for the Express framework, where you can find full documentation.
A Web Developer's Guide to Securing a Server
Most of the information needed for securing your server will be found in manual pages. You can search the Web, but mostly you will find tutorials of dubious quality. There is one book, though.
If you need to secure a host that is doing more than just serve Web pages, or if you want more detailed instructions on commands and configuration files without wading through the man pages, you may find this book useful. Note the publication date, though.
If you are only interested in setting everything up so you can administer your server over SSH, try this guide.
A Web Developer's Guide to Secure Communication
There are good books on cryptography – it's a nice solid subject that lends itself to mathematical analysis – but not so much on its application to the Web.
The title may be misleading: this is an academic book, with a mathematical emphasis. If you are not put off by books consisting of numbered paragraphs labelled Fact, Definition, Theorem, and so on, and are comfortable with set theory and algebra, you will find that this repays study. If you read it, you should understand a lot about cryptography. Unfortunately, the book has not been revised since its initial publication in 1996, apart from minor corrections and updates, so it does not cover recent developments.
The entire book can be downloaded as PDF for private use.
If this is the sort of thing you like, you might also be interested in Steven D Galbraith's Mathematics of Public Key Cryptography. This hasn't been published yet, so we cannot comment on it, beyond remarking that the synopsis looks rigorous.
On the other hand, if you want an easy, readable story about code breaking through the ages, this is not bad. It provides interesting background to the development of modern cryptography and cryptanalysis. Basically, it is just a piece of popular science journalism that doesn't go into any detail.
A popular book about cryptography by some well-known experts on the subject. This is probably the best option if you are interested in practical uses of cryptography.
This really is a very short introduction, but it covers the essentials very nicely in such a small space.
A popular protocol analyser, which captures packets and allows you to examine their content. Wireshark is intended for troubleshooting networks.
As described in the introduction.
A nice little site with some background about randomness and tools for generating truly random data of various sorts.
RFC 2459, the part of X.509 that provides the official definition of the certificate format, if you really need to know.
You can get a copy of the PCI DSS requirements and other documents from here.
RFC 2818, the short IETF document defining HTTPS.
RFC 5246, the IETF document defining TLS. We include this reference for completeness, but don't recommend that you actually read it unless you are an expert in protocols, as it is really intended for implementors.
These pages seem to be the lecture notes from a short course about setting up HTTPS and cover the details of Apache configuration.
The questions here cover most of the practical matters of setting up TLS/SSL if you are using Apache. Quite a lot of the material is relevant to other servers too.
A concise collection of pieces of advice for deploying SSL/TLS, and by implication HTTPS.
Authentication and Authorization on the Web
There is surprisingly little published information about this important topic. We hope that it is covered adequately in the book itself. Some readers may need extra information to appreciate all of the examples, though.
This book in our Web Development Topics series provides the background information for you to understand the examples in Authentication and Authorization on the Web if you do not already have any experience with Node.js.
Posts in the "Authentication" category on the blog of the Security Research Group at the Cambridge University Computer Lab. Some of the posts by Joseph Bonneau on passwords are particularly worth reading.
A good account of advances in password cracking techniques. The article makes scary reading, but see Joseph Bonneau's commentary for some reassurance.
A simple introduction to OpenID, with links to libraries, etc.
Developer documentation for adding Facebook login, using OAuth2.
The proposed IETF standard for OAuth 2.0.
Middleware that can be used with Express to provide authentication using just about any mechanism you can think of, for those occasions when you don't want to implement it yourself.