LEARNING AND INFORMATION RESOURCE CENTRE OPAC

ALICE AND BOB LEARN APPLICATION SECURITY (Record no. 22708)

MARC details
000 -LEADER
fixed length control field 09600nam a2200193 4500
020 ## - INTERNATIONAL STANDARD BOOK NUMBER
International Standard Book Number 9781119687351
082 ## - DEWEY DECIMAL CLASSIFICATION NUMBER
Classification number 005.8
Item number 1
100 ## - MAIN ENTRY--PERSONAL NAME
Personal name JANCA, TANYA
245 ## - TITLE STATEMENT
Title ALICE AND BOB LEARN APPLICATION SECURITY
260 ## - PUBLICATION, DISTRIBUTION, ETC.
Place of publication, distribution, etc. INDIANAPOLIS
Name of publisher, distributor, etc. WILEY
Date of publication, distribution, etc. 2021
300 ## - PHYSICAL DESCRIPTION
Extent xxvi, 257
500 ## - GENERAL NOTE
General note
Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:
Secure requirements, design, coding, and deployment
Security Testing (all forms)
Common Pitfalls
Application Security Programs
Securing Modern Applications
Software Developer Security Hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.
520 ## - SUMMARY, ETC.
Summary, etc. (table of contents; numbers are book page numbers)
Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1
  Chapter 1 Security Fundamentals 3
    The Security Mandate: CIA 3
    Confidentiality 4
    Integrity 5
    Availability 5
    Assume Breach 7
    Insider Threats 8
    Defense in Depth 9
    Least Privilege 11
    Supply Chain Security 11
    Security by Obscurity 13
    Attack Surface Reduction 14
    Hard Coding 15
    Never Trust, Always Verify 15
    Usable Security 17
    Factors of Authentication 18
    Exercises 20
  Chapter 2 Security Requirements 21
    Requirements 22
    Encryption 23
    Never Trust System Input 24
    Encoding and Escaping 28
    Third-Party Components 29
    Security Headers: Seatbelts for Web Apps 31
    Security Headers in Action 32
    X-XSS-Protection 32
    Content-Security-Policy (CSP) 32
    X-Frame-Options 35
    X-Content-Type-Options 36
    Referrer-Policy 36
    Strict-Transport-Security (HSTS) 37
    Feature-Policy 38
    X-Permitted-Cross-Domain-Policies 39
    Expect-CT 39
    Public Key Pinning Extension for HTTP (HPKP) 41
    Securing Your Cookies 42
    The Secure Flag 42
    The HttpOnly Flag 42
    Persistence 43
    Domain 43
    Path 44
    Same-Site 44
    Cookie Prefixes 45
    Data Privacy 45
    Data Classification 45
    Passwords, Storage, and Other Important Decisions 46
    HTTPS Everywhere 52
    TLS Settings 53
    Comments 54
    Backup and Rollback 54
    Framework Security Features 54
    Technical Debt = Security Debt 55
    File Uploads 56
    Errors and Logging 57
    Input Validation and Sanitization 58
    Authorization and Authentication 59
    Parameterized Queries 59
    URL Parameters 60
    Least Privilege 60
    Requirements Checklist 61
    Exercises 63
  Chapter 3 Secure Design 65
    Design Flaw vs. Security Bug 66
    Discovering a Flaw Late 67
    Pushing Left 68
    Secure Design Concepts 68
    Protecting Sensitive Data 68
    Never Trust, Always Verify/Zero Trust/Assume Breach 70
    Backup and Rollback 71
    Server-Side Security Validation 73
    Framework Security Features 74
    Security Function Isolation 74
    Application Partitioning 75
    Secret Management 76
    Re-authentication for Transactions (Avoiding CSRF) 76
    Segregation of Production Data 77
    Protection of Source Code 77
    Threat Modeling 78
    Exercises 82
  Chapter 4 Secure Code 83
    Selecting Your Framework and Programming Language 83
    Example #1 85
    Example #2 85
    Example #3 86
    Programming Languages and Frameworks: The Rule 87
    Untrusted Data 87
    HTTP Verbs 89
    Identity 90
    Session Management 91
    Bounds Checking 93
    Authentication (AuthN) 94
    Authorization (AuthZ) 96
    Error Handling, Logging, and Monitoring 99
    Rules for Errors 100
    Logging 100
    Monitoring 101
    Exercises 103
  Chapter 5 Common Pitfalls 105
    OWASP 105
    Defenses and Vulnerabilities Not Previously Covered 109
    Cross-Site Request Forgery 110
    Server-Side Request Forgery 112
    Deserialization 114
    Race Conditions 115
    Closing Comments 117
    Exercises 117
Part II What You Should Do to Create Very Good Code 119
  Chapter 6 Testing and Deployment 121
    Testing Your Code 121
    Code Review 122
    Static Application Security Testing (SAST) 123
    Software Composition Analysis (SCA) 125
    Unit Tests 126
    Infrastructure as Code (IaC) and Security as Code (SaC) 128
    Testing Your Application 129
    Manual Testing 130
    Browsers 131
    Developer Tools 131
    Web Proxies 132
    Fuzzing 133
    Dynamic Application Security Testing (DAST) 133
    VA/Security Assessment/PenTest 135
    Testing Your Infrastructure 141
    Testing Your Database 141
    Testing Your APIs and Web Services 142
    Testing Your Integrations 143
    Testing Your Network 144
    Deployment 145
    Editing Code Live on a Server 146
    Publishing from an IDE 146
    “Homemade” Deployment Systems 147
    Run Books 148
    Continuous Integration/Continuous Delivery/Continuous Deployment 148
    Exercises 149
  Chapter 7 An AppSec Program 151
    Application Security Program Goals 152
    Creating and Maintaining an Application Inventory 153
    Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153
    Knowledge and Resources to Fix the Vulnerabilities 154
    Education and Reference Materials 155
    Providing Developers with Security Tools 155
    Having One or More Security Activities During Each Phase of Your SDLC 156
    Implementing Useful and Effective Tooling 157
    An Incident Response Team That Knows When to Call You 157
    Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159
    Metrics 159
    Experimentation 161
    Feedback from Any and All Stakeholders 161
    A Special Note on DevOps and Agile 162
    Application Security Activities 162
    Application Security Tools 164
    Your Application Security Program 165
    Exercises 166
  Chapter 8 Securing Modern Applications and Systems 167
    APIs and Microservices 168
    Online Storage 171
    Containers and Orchestration 172
    Serverless 174
    Infrastructure as Code (IaC) 175
    Security as Code (SaC) 177
    Platform as a Service (PaaS) 178
    Infrastructure as a Service (IaaS) 179
    Continuous Integration/Delivery/Deployment 180
    Dev(Sec)Ops 180
    DevSecOps 182
    The Cloud 183
    Cloud Computing 183
    Cloud Native 184
    Cloud Native Security 185
    Cloud Workflows 185
    Modern Tooling 186
    IAST Interactive Application Security Testing 186
    Runtime Application Security Protection 187
    File Integrity Monitoring 187
    Application Control Tools (Approved Software Lists) 187
    Security Tools Created for DevOps Pipelines 188
    Application Inventory Tools 188
    Least Privilege and Other Policy Automation 189
    Modern Tactics 189
    Summary 191
    Exercises 191
Part III Helpful Information on How to Continue to Create Very Good Code 193
  Chapter 9 Good Habits 195
    Password Management 196
    Remove Password Complexity Rules 196
    Use a Password Manager 197
    Passphrases 198
    Don’t Reuse Passwords 198
    Do Not Implement Password Rotation 199
    Multi-Factor Authentication 199
    Incident Response 200
    Fire Drills 201
    Continuous Scanning 202
    Technical Debt 202
    Inventory 203
    Other Good Habits 204
    Policies 204
    Downloads and Devices 204
    Lock Your Machine 204
    Privacy 205
    Summary 206
    Exercises 206
  Chapter 10 Continuous Learning 207
    What to Learn 208
    Offensive = Defensive 208
    Don’t Forget Soft Skills 208
    Leadership != Management 209
    Learning Options 209
    Accountability 212
    Create Your Plan 213
    Take Action 214
    Exercises 214
    Learning Plan 216
  Chapter 11 Closing Thoughts 217
    Lingering Questions 218
    When Have You Done Enough? 218
    How Do You Get Management on Board? 220
    How Do You Get Developers on Board? 221
    Where Do You Start? 222
    Where Do You Get Help? 223
    Conclusion 223
Appendix A Resources 225
    Introduction 225
    Chapter 1: Security Fundamentals 225
    Chapter 2: Security Requirements 226
    Chapter 3: Secure Design 227
    Chapter 4: Secure Code 228
    Chapter 5: Common Pitfalls 228
    Chapter 6: Testing and Deployment 229
    Chapter 7: An AppSec Program 229
    Chapter 8: Securing Modern Applications and Systems 230
    Chapter 9: Good Habits 231
    Chapter 10: Continuous Learning 231
Appendix B Answer Key 233
    Chapter 1: Security Fundamentals 233
    Chapter 2: Security Requirements 235
    Chapter 3: Secure Design 236
    Chapter 4: Secure Code 238
    Chapter 5: Common Pitfalls 241
    Chapter 6: Testing and Deployment 242
    Chapter 7: An AppSec Program 244
    Chapter 8: Securing Modern Applications and Systems 245
    Chapter 9: Good Habits 247
    Chapter 10: Continuous Learning 248
Index 249
521 ## - TARGET AUDIENCE NOTE
Target audience note CMPN
546 ## - LANGUAGE NOTE
Language note ENGLISH
650 ## - SUBJECT ADDED ENTRY--TOPICAL TERM
Source of heading or term DEWEY DECIMAL CLASSIFICATION
Topical term or geographic name entry element COMPUTER SECURITY
856 ## - ELECTRONIC LOCATION AND ACCESS
Uniform Resource Identifier https://www.youtube.com/watch?v=CpfWbqLEoHo
942 ## - ADDED ENTRY ELEMENTS (KOHA)
Source of classification or shelving scheme Dewey Decimal Classification
Koha item type Book
Holdings
Withdrawn status: (empty)
Lost status: (empty)
Source of classification or shelving scheme: Dewey Decimal Classification
Damaged status: (empty)
Not for loan: (empty)
Collection code: Text Books
Permanent Location: ST. FRANCIS INSTITUTE OF TECHNOLOGY
Current Location: ST. FRANCIS INSTITUTE OF TECHNOLOGY
Shelving location: REFERENCE SECTION
Date acquired: 20/03/2024
Source of acquisition: AMAZON
Cost, normal purchase price: 3275.00
Total Checkouts: 1
Full call number: 005.8/JAN
Barcode: 29696
Date due: 28/06/2024
Date last seen: 04/04/2024
Date last checked out: 04/04/2024
Copy number: 1
Cost, replacement price: 3275.00
Price effective from: 20/03/2024
Koha item type: Book
Public note: COMPUTER SECURITY
St. Francis Institute of Technology, Mumbai. All Rights Reserved. © 2022