Claire Hunsaker's blog

Stormpath Community Roundup - Tasty Biscuits Edition

Today is National Buttermilk Biscuit Day. Biscuits fill me with joy, as do community integrations, so here's a post packed with deliciousness from amazing people in the Stormpath community. (First, here's an awesome biscuit recipe. Happy Biscuit Day!)

  • CAS-Addons, now with Richer Stormpath Support
  • Python Login Skeleton for Stormpath


Reputation.com Loses User Passwords, Emails, and Addresses

...or How To Report Password Attacks

Reputation.com just reported a security breach to users, with the email below. There are some great takeaways here for reporting breaches to your users:

  • Be specific and explicit about what data is compromised - I think the bullet point list is great. More companies should be this straightforward.
  • Get on it immediately - their users heard about this before the media did.
  • Offer an incentive - a year of credit reporting is a nice thing when your personal data has been compromised.
  • Immediately change the password of every user affected - users are fallible and don't check their email every minute, so it's better not to wait on them.
  • "Only the jurisdiction of North Dakota requires us to disclose information about this incident. However, out of an abundance of caution..." Yes. Reputation.com's contract is with the user, not with the state. Following the "letter of the law" in a password breach underserves your userbase. Legislation around data privacy is spotty. By going beyond the required transparency and contacting everyone, the company not only protected themselves, but started on the path of rebuilding trust with their users. (That said, pointing out to users that you don't have to tell them when you've been breached might not make you any friends).

A few things they could have done differently:

How We Increased New User Registration 27%

When we launched Alpha testing for Stormpath last year, there was a worthy debate about what would be the best signup flow. We wanted to ensure potential attackers wouldn’t be able to create dummy accounts and that we would be able to contact users reliably, but we also wanted an easy user experience. Signup workflows are fickle, hotly contested, and can present a security hole if you do them wrong, and we eat our own dog food and register users to Stormpath… using Stormpath. Figuring out signup best practices is important both for us and for our customers.

A few months ago, we upgraded the signup workflow. Despite asking for more information, the upgraded workflow increased our signup completion from 74% to 94%. Instantly. All we did was change the order of the four-step process.

Signup Completion Improvement Workflow Comparison

Stormpath Launches Enhanced API

Last week, amid the hoopla of our fundraising announcement, we ended Private Beta and released major enhancements to the API. Many of these came from user feedback.

In the coming months, we will be building out the SDKs and sample apps to make it easier to connect to the Stormpath API. Of course, there are many features left to build, so anyone can now submit a feature request on our knowledge base or add stories to a request. 

Here's a sample of what was in last week's release:

Password Breach? That'll Be $172,000,000 Please

UK authorities have just slapped Sony PlayStation with a $400,000 fine for their massive password breach in 2011.

That $400k is nothing compared to the total cost. Sony reported an estimated outlay of $171M for insurance, customer support, and rebuilding their user management and security systems. Since the breach, partially due to a drop in customer confidence, Sony’s stock price has dropped from $30 to $13.

Sony Stock Price

But Sony was a mega-attack: 77 million exposed records. An attack on your user database will probably only cost about $5.5M.

CAS 3.5 Integration with Stormpath

The team over at Unicon recently released a CAS AddOns project, which handily includes integration with Stormpath as a primary authentication source for CAS servers. We have had a ton of requests from the Higher Ed IT community and our friends in DevOps for a Stormpath CAS integration. It's fantastic to see a solution rise out of the community while we are working away on the core product and hiring like crazy.

How it works:...

Password Security The Right Way

Password security - not the most exciting part of your app. Because it's complicated to build well, time-consuming to maintain securely, and because attacks are escalating through cloud technologies, even big companies like Sony and LinkedIn take shortcuts that lead to major security breaches. However, this is incredibly foolhardy: the average cost of a data breach is more than $5.5 million. We want to lay out some best practices to show how password security should be done (from level 0 to 5, with 5 being the most secure), and maybe convince you that you don't want to take on that kind of risk yourself.

Level 0: No Plaintext Anywhere

A big, red flag should go up whenever you see a password in plaintext. While many will claim "no idiot would do this," Sony PlayStation last year lost 1,000,000 of their passwords to a simple SQL injection attack, and Yahoo lost over 400,000 plaintext passwords this summer. Bad times. Emails that "confirm account details" - with both username and password in plaintext - are actually less helpful to users than a simple, secure password reset workflow, and if you only need a simple user directory, you can set one up with Stormpath quickly. No plaintext in your database or your notifications! (We mean YOU, French National Bank!)

Level 1: Don't Just Hash It...

Beautiful REST + JSON APIs with JAX-RS and Jersey

Designing and building a really clean and intuitive REST API is no small feat. You have to worry about resources, collections of resources, pagination, query parameters, references to other resources, which HTTP methods to use, HTTP caching, security, and more. And you have to make sure it lasts and doesn’t break clients as you add features over time. Furthermore, although there are many references on creating REST APIs with XML, there are far fewer references on REST + JSON. It is enough to drive you crazy. This session demonstrates how to design and implement an elegant REST API using JAX-RS and Jersey. 

You can find the sample application here: https://github.com/stormpath/todos-jersey

Presented by Les Hazlewood at JavaOne 2012
