updating web application security section

mattmakai · mattmakai · commit 9a176d7244ab · 2014-06-01T10:03:50.000-04:00
diff --git a/change-log.html b/change-log.html
@@ -46,7 +46,8 @@ <h1>Change Log</h1>
 <h2>2014</h2>
 <h3>June</h3>
 <ul>
-<li>Added learning checklist for logging.</li>
+<li>Updated logging page with better explanations and content ordering.</li>
+<li>Added learning checklist for logging and web analytics.</li>
 </ul>
 <h3>May</h3>
 <ul>
diff --git a/feeds/all.atom.xml b/feeds/all.atom.xml
@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Matt Makai</title><link href="http://www.fullstackpython.com/" rel="alternate"></link><link href="http://www.fullstackpython.com/feeds/all.atom.xml" rel="self"></link><id>http://www.fullstackpython.com/</id><updated>2014-06-01T09:42:21Z</updated></feed>
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Matt Makai</title><link href="http://www.fullstackpython.com/" rel="alternate"></link><link href="http://www.fullstackpython.com/feeds/all.atom.xml" rel="self"></link><id>http://www.fullstackpython.com/</id><updated>2014-06-01T10:03:41Z</updated></feed>
diff --git a/future-directions.html b/future-directions.html
@@ -68,7 +68,6 @@ <h1>Future Directions</h1>
 <p>Create learning checklists for every section where it makes sense. The
   remaining sections that need checklists are </p>
 <ol>
-<li>web analytics</li>
 <li>web application security</li>
 </ol>
 </li>
diff --git a/source/content/pages/08-monitoring-analytics/0805-web-analytics.markdown b/source/content/pages/08-monitoring-analytics/0805-web-analytics.markdown
@@ -103,4 +103,26 @@ application before taking some action, such as purchasing your service.
   compares the two analytics services.
 
 
+## Web analytics learning checklist
+<i class="fa fa-check-square-o"></i>
+Add Google Analytics or Piwik to your application. Both are free and while 
+Piwik is not as powerful as Google Analytics you can self-host the application
+which is the only option in many environments.
+
+<i class="fa fa-check-square-o"></i>
+Think critically about the factors that will make your application successful.
+These factors will vary based on whether it's an internal enterprise app, 
+an e-commerce site or an information-based application.
+
+<i class="fa fa-check-square-o"></i>
+Add metrics generated from your web traffic based on the factors that drive
+your application's success. You can add these metrics with either some custom
+code or with a hosted web analytics service.
+
+<i class="fa fa-check-square-o"></i>
+Continuously reevaluate whether the metrics you've chosen are still the 
+appropriate ones defining your application's success. Improve and refine the
+metrics generated by the web analytics as necessary.
+
+
 ### What's the next topic you want to learn about?
diff --git a/source/content/pages/09-security/0903-web-security.markdown b/source/content/pages/09-security/0903-web-security.markdown
@@ -11,9 +11,9 @@ choice2text: How do I integrate external APIs into my app?
 choice3url: /logging.html
 choice3icon: fa-align-left fa-inverse
 choice3text: How can I log events that occur while the app is running?
-choice4url: /monitoring.html
-choice4icon: fa-bar-chart-o fa-inverse
-choice4text: What tools should I use for monitoring the live web app?
+choice4url: /about-author.html
+choice4icon: fa-user
+choice4text: Who created Full Stack Python?
 
 
 # Web Application Security
@@ -57,4 +57,32 @@ securing Linux distributions.
   specification.
 
 
+## Web security learning checklist
+<i class="fa fa-check-square-o"></i>
+Read and understand the major web application security flaws that are
+commonly exploited by malicious actors. These include cross-site request 
+forgery (CSRF), cross-site scripting (XSS), SQL injection and session 
+hijacking. The 
+[OWASP top 10 web application vulnerabilities list](https://www.owasp.org/index.php/Top_10_2013-Top_10) 
+is a great place to get an overview of these topics.
+
+<i class="fa fa-check-square-o"></i>
+Determine how the framework you've chosen mitigates these vulnerabilities.
+
+<i class="fa fa-check-square-o"></i>
+Ensure your code implements the mitigation techniques for your framework. 
+
+<i class="fa fa-check-square-o"></i>
+Think like an attacker and actively work to break into your own system. If
+you do not have enough experience to confidently break the security consider
+hiring a known white hat attacker. Have her break the application's security,
+report the easiest vulnerabilities to exploit in your app and help implement
+protections against those weaknesses.
+
+<i class="fa fa-check-square-o"></i>
+Recognize that no system is ever totally secure. However, the more popular
+an application becomes the more attractive a target it is to attackers.
+Reevaluate your web application security on a frequent basis.
+
+
 ### What topic do you want to learn about next?
diff --git a/source/content/pages/10-misc/1005-change-log.markdown b/source/content/pages/10-misc/1005-change-log.markdown
@@ -24,7 +24,8 @@ the
 
 ## 2014
 ### June
-* Added learning checklist for logging.
+* Updated logging page with better explanations and content ordering.
+* Added learning checklist for logging and web analytics.
 
 ### May
 * Added link to my O'Reilly Programming blog post on demand for full stack 
diff --git a/source/content/pages/10-misc/1007-future-directions.markdown b/source/content/pages/10-misc/1007-future-directions.markdown
@@ -46,7 +46,6 @@ Here are some things I'm actively working on:
 * Create learning checklists for every section where it makes sense. The
   remaining sections that need checklists are 
 
-    1. web analytics
     1. web application security
 
 * After those updates are done I'll go back through and apply visuals to
diff --git a/web-analytics.html b/web-analytics.html
@@ -133,6 +133,23 @@ <h2>Web analytics resources</h2>
   compares the two analytics services.</p>
 </li>
 </ul>
+<h2>Web analytics learning checklist</h2>
+<p><i class="fa fa-check-square-o"></i>
+Add Google Analytics or Piwik to your application. Both are free and while 
+Piwik is not as powerful as Google Analytics you can self-host the application
+which is the only option in many environments.</p>
+<p><i class="fa fa-check-square-o"></i>
+Think critically about the factors that will make your application successful.
+These factors will vary based on whether it's an internal enterprise app, 
+an e-commerce site or an information-based application.</p>
+<p><i class="fa fa-check-square-o"></i>
+Add metrics generated from your web traffic based on the factors that drive
+your application's success. You can add these metrics with either some custom
+code or with a hosted web analytics service.</p>
+<p><i class="fa fa-check-square-o"></i>
+Continuously reevaluate whether the metrics you've chosen are still the 
+appropriate ones defining your application's success. Improve and refine the
+metrics generated by the web analytics as necessary.</p>
 <h3>What's the next topic you want to learn about?</h3>
                   <div class="row">
     <div class="col-md-3">
diff --git a/web-application-security.html b/web-application-security.html
@@ -90,6 +90,28 @@ <h2>Security Resources</h2>
   specification.</p>
 </li>
 </ul>
+<h2>Web security learning checklist</h2>
+<p><i class="fa fa-check-square-o"></i>
+Read and understand the major web application security flaws that are
+commonly exploited by malicious actors. These include cross-site request 
+forgery (CSRF), cross-site scripting (XSS), SQL injection and session 
+hijacking. The 
+<a href="https://www.owasp.org/index.php/Top_10_2013-Top_10">OWASP top 10 web application vulnerabilities list</a> 
+is a great place to get an overview of these topics.</p>
+<p><i class="fa fa-check-square-o"></i>
+Determine how the framework you've chosen mitigates these vulnerabilities.</p>
+<p><i class="fa fa-check-square-o"></i>
+Ensure your code implements the mitigation techniques for your framework. </p>
+<p><i class="fa fa-check-square-o"></i>
+Think like an attacker and actively work to break into your own system. If
+you do not have enough experience to confidently break the security consider
+hiring a known white hat attacker. Have her break the application's security,
+report the easiest vulnerabilities to exploit in your app and help implement
+protections against those weaknesses.</p>
+<p><i class="fa fa-check-square-o"></i>
+Recognize that no system is ever totally secure. However, the more popular
+an application becomes the more attractive a target it is to attackers.
+Reevaluate your web application security on a frequent basis.</p>
 <h3>What topic do you want to learn about next?</h3>
                   <div class="row">
     <div class="col-md-3">
@@ -119,9 +141,9 @@ <h3>What topic do you want to learn about next?</h3>
     </div>
         <div class="col-md-3">
         <div class="well select-next">
-            <a href="/monitoring.html" class="btn btn-success btn-full"><i class="fa fa-bar-chart-o fa-inverse fa-2x"></i></a>
+            <a href="/about-author.html" class="btn btn-success btn-full"><i class="fa fa-user fa-2x"></i></a>
             <p class="under-btn">
-                What tools should I use for monitoring the live web app?
+                Who created Full Stack Python?
             </p>
         </div>
     </div>

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`<?xml version="1.0" encoding="utf-8"?>`
`2`		`-<feed xmlns="http://www.w3.org/2005/Atom"><title>Matt Makai</title><link href="http://www.fullstackpython.com/" rel="alternate"></link><link href="http://www.fullstackpython.com/feeds/all.atom.xml" rel="self"></link><id>http://www.fullstackpython.com/</id><updated>2014-06-01T09:42:21Z</updated></feed>`
	`2`	`+<feed xmlns="http://www.w3.org/2005/Atom"><title>Matt Makai</title><link href="http://www.fullstackpython.com/" rel="alternate"></link><link href="http://www.fullstackpython.com/feeds/all.atom.xml" rel="self"></link><id>http://www.fullstackpython.com/</id><updated>2014-06-01T10:03:41Z</updated></feed>`