Alice and Bob Learn Application Security

Read more

Learn application security from the very start, with this comprehensive and approachable guide!
 
Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.
 
Topics include:
* Secure requirements, design, coding, and deployment
* Security Testing (all forms)
* Common Pitfalls
* Application Security Programs
* Securing Modern Applications
* Software Developer Security Hygiene
 
Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.
 
Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.

List of contents

Foreword xxi
 
Introduction xxiii
 
Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1
 
Chapter 1 Security Fundamentals 3
 
The Security Mandate: CIA 3
 
Confidentiality 4
 
Integrity 5
 
Availability 5
 
Assume Breach 7
 
Insider Threats 8
 
Defense in Depth 9
 
Least Privilege 11
 
Supply Chain Security 11
 
Security by Obscurity 13
 
Attack Surface Reduction 14
 
Hard Coding 15
 
Never Trust, Always Verify 15
 
Usable Security 17
 
Factors of Authentication 18
 
Exercises 20
 
Chapter 2 Security Requirements 21
 
Requirements 22
 
Encryption 23
 
Never Trust System Input 24
 
Encoding and Escaping 28
 
Third-Party Components 29
 
Security Headers: Seatbelts for Web Apps 31
 
Security Headers in Action 32
 
X-XSS-Protection 32
 
Content-Security-Policy (CSP) 32
 
X-Frame-Options 35
 
X-Content-Type-Options 36
 
Referrer-Policy 36
 
Strict-Transport-Security (HSTS) 37
 
Feature-Policy 38
 
X-Permitted-Cross-Domain-Policies 39
 
Expect-CT 39
 
Public Key Pinning Extension for HTTP (HPKP) 41
 
Securing Your Cookies 42
 
The Secure Flag 42
 
The HttpOnly Flag 42
 
Persistence 43
 
Domain 43
 
Path 44
 
Same-Site 44
 
Cookie Prefixes 45
 
Data Privacy 45
 
Data Classification 45
 
Passwords, Storage, and Other Important Decisions 46
 
HTTPS Everywhere 52
 
TLS Settings 53
 
Comments 54
 
Backup and Rollback 54
 
Framework Security Features 54
 
Technical Debt = Security Debt 55
 
File Uploads 56
 
Errors and Logging 57
 
Input Validation and Sanitization 58
 
Authorization and Authentication 59
 
Parameterized Queries 59
 
URL Parameters 60
 
Least Privilege 60
 
Requirements Checklist 61
 
Exercises 63
 
Chapter 3 Secure Design 65
 
Design Flaw vs. Security Bug 66
 
Discovering a Flaw Late 67
 
Pushing Left 68
 
Secure Design Concepts 68
 
Protecting Sensitive Data 68
 
Never Trust, Always Verify/Zero Trust/Assume Breach 70
 
Backup and Rollback 71
 
Server-Side Security Validation 73
 
Framework Security Features 74
 
Security Function Isolation 74
 
Application Partitioning 75
 
Secret Management 76
 
Re-authentication for Transactions (Avoiding CSRF) 76
 
Segregation of Production Data 77
 
Protection of Source Code 77
 
Threat Modeling 78
 
Exercises 82
 
Chapter 4 Secure Code 83
 
Selecting Your Framework and Programming Language 83
 
Example #1 85
 
Example #2 85
 
Example #3 86
 
Programming Languages and Frameworks: The Rule 87
 
Untrusted Data 87
 
HTTP Verbs 89
 
Identity 90
 
Session Management 91
 
Bounds Checking 93
 
Authentication (AuthN) 94
 
Authorization (AuthZ) 96
 
Error Handling, Logging, and Monitoring 99
 
Rules for Errors 100
 
Logging 100
 
Monitoring 101
 
Exercises 103
 
Chapter 5 Common Pitfalls 105
 
OWASP 105
 
Defenses and Vulnerabilities Not Previously Covered 109
 
Cross-Site Request Forgery 110
 
Server-Side Request Forgery 112
 
Deseri

About the author

Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.

Summary

Learn application security from the very start, with this comprehensive and approachable guide!

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:
* Secure requirements, design, coding, and deployment
* Security Testing (all forms)
* Common Pitfalls
* Application Security Programs
* Securing Modern Applications
* Software Developer Security Hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.

Report

"Tanya knows her stuff. She has a huge depth of experience and expertise in application security, DevSecOps, and cloud security. We can all learn a ton of stuff from Tanya, so you should read her book!"
 
-Dafydd Stuttard, best-selling co-author of The Web Application Hacker's Handbook, creator of Burp Suite
 

"I learned so much from this book! Information security is truly everyone's job -- this book is a fantastic overview of the vast knowledge needed by everyone, from developer, infrastructure, security professionals, and so much more. Kudos to Ms. Janca for writing such an educational and practical primer. I loved the realistic stories that frame real-world problems, spanning everything from design, migrating applications from problematic frameworks, mitigating admin risks, and things that every modern developer needs to know."
 
-Gene Kim, bestselling author of The Unicorn Project, co-author of The Phoenix Project, DevOps Handbook, Accelerate
 

"Practical guidance for the modern era; Tanya does a great job of communicating current day thinking around AppSec in terms we can all relate to."
 
-Troy Hunt, creator of "Have I Been Pwned"