The Web Security Topics Series

Further Reading and Other Resources

This page contains suggestions for further reading on the subjects covered in the Web Security Topics books, and pointers to the relevant standards documents.

We will add links to this page as more books in the series are published.

General

This section of the page lists books and sites that are relevant to more than one volume in the series.

Ross Anderson Security Engineering: A Guide to Building Dependable Distributed Systems

John Wiley & Sons; 2nd edition (2008)

A monumental book which covers the general topic of computer security, including network and Web application security. It is over 1000 pages long – the bibliography alone is over 100 pages – written by the Professor of Security Engineering at Cambridge University, and as authoritative as that would lead you to expect. The book covers a lot of ground. Although not much of it is devoted to Web security, the book provides valuable context and perspective on the whole area of security.

You can get the complete book free in PDF from Prof Anderson's Web page.

Node.js Site

The official site for Node.js, where you can find full documentation.

Express

The official site for the Express framework, where you can find full documentation.

A Web Developer's Guide to Securing a Server

Most of the information needed for securing your server will be found in manual pages. You can search the Web, but mostly you will find tutorials of dubious quality. There is one book, though.

Michael D Bauer Linux Server Security

O'Reilly (2005)

If you need to secure a host that is doing more than just serve Web pages, or if you want more detailed instructions on commands and configuration files without wading through the man pages, you may find this book useful. Note the publication date, though.

Getting started with SSH

If you are only interested in setting everything up so you can administer your server over SSH, try this guide.

A Web Developer's Guide to Secure Communication

There are good books on cryptography – it's a nice solid subject that lends itself to mathematical analysis – but not so much on its application to the Web.

Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone Handbook of Applied Cryptography

CRC Press (1996)

The title may be misleading: this is an academic book, with a mathematical emphasis. If you are not put off by books consisting of numbered paragraphs labelled Fact, Definition, Theorem, and so on, and are comfortable with set theory and algebra, you will find that this repays study. If you read it, you should understand a lot about cryptography. Unfortunately, the book has not been revised since its initial publication in 1996, apart from minor corrections and updates, so it does not cover recent developments.

The entire book can be downloaded as PDF for private use.

If this is the sort of thing you like, you might also be interested in Steven D Galbraith Mathematics of Public Key Cryptography. This hasn't been published yet, so we cannot comment on it, beyond remarking that the synopsis looks rigorous.

Simon Singh The Code Book: The Secret History of Codes and Code-breaking

Fourth Estate (2002)

On the other hand, if you want an easy readable story about code breaking through the ages, this is not bad. It provides interesting background to the development of modern cryptography and cryptanalyis. Basically, just a piece of popular science journalism that doesn't go into any detail.

Fred Piper and Sean Murpy Cryptography: A Very Short Introduction

Oxford Paperbacks (2002)

This really is a very short introduction, but it covers the essentials very nicely in such a small space.

Wireshark

A popular protocol analyser, which captures packets and allows you to examine their content. Wireshark is intended for troubleshooting networks.

Firesheep

As described in the introduction.

Random.org

A nice little site with some background about randomness and tools for generating truly random data of various sorts.

HTTP Over TLS

RFC 2818, the short IETF document defining HTTPS.

The Apache SSL/TLS Strong Encryption FAQ

The questions here cover most of the practical matters of setting up TLS/SSL if you are using Apache. Quite a lot of the material is relevant to other servers too.

Authentication and Authorization on the Web

There is surprisingly little published information about this important topic. We hope that it is covered adequately in the book itself. Some readers may need extra information to appreciate all of the examples, though.

Nigel Chapman and Jenny Chapman Javascript on the Server Using Node.js and Express

MacAvon Media (2013)

This book in our Web Development Topics series provides the background information for you to understand the examples in Authentication and Authorization on the Web if you do not already have any experience with Node.js.

Light Blue Touchpaper – Authentication

Posts in the "Authentication" category on the blog of the Security Research Group at the Cambridge University Computer Lab. Some of the posts by Joseph Bonneau on passwords are particularly worth reading.

Facebook Login

Developer documentation for adding Facebook login, using OAuth2.

PayPal Access

Developer documentation for adding PayPal Access login, using OAuth2.

connect-auth

Middleware that can be used with Express to provide authentication using just about any mechanism you can think of, for those occasions when you don't want to implement it yourself.