Circulation Privilege for	No.
UG Students (FE to BE)	6
PG Students M.E. Ph.D.	6 2
Faculty	10
Staff	5

Fine Rule for Students	Days	Rs.
Per Day Fine	After Due Date	2

Image from Amazon.com

Normal view MARC view ISBD view

ALICE AND BOB LEARN APPLICATION SECURITY

By:

JANCA, TANYA

Material type: Text

TextPublication details: INDIANAPOLIS WILEY 2021Description: xxvi, 257ISBN:

9781119687351

Subject(s):

COMPUTER SECURITY

DDC classification:

005.8 1

Online resources:

Click here to access online

Summary: Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1 Chapter 1 Security Fundamentals 3 The Security Mandate: CIA 3 Confidentiality 4 Integrity 5 Availability 5 Assume Breach 7 Insider Threats 8 Defense in Depth 9 Least Privilege 11 Supply Chain Security 11 Security by Obscurity 13 Attack Surface Reduction 14 Hard Coding 15 Never Trust, Always Verify 15 Usable Security 17 Factors of Authentication 18 Exercises 20 Chapter 2 Security Requirements 21 Requirements 22 Encryption 23 Never Trust System Input 24 Encoding and Escaping 28 Third-Party Components 29 Security Headers: Seatbelts for Web Apps 31 Security Headers in Action 32 X-XSS-Protection 32 Content-Security-Policy (CSP) 32 X-Frame-Options 35 X-Content-Type-Options 36 Referrer-Policy 36 Strict-Transport-Security (HSTS) 37 Feature-Policy 38 X-Permitted-Cross-Domain-Policies 39 Expect-CT 39 Public Key Pinning Extension for HTTP (HPKP) 41 Securing Your Cookies 42 The Secure Flag 42 The HttpOnly Flag 42 Persistence 43 Domain 43 Path 44 Same-Site 44 Cookie Prefixes 45 Data Privacy 45 Data Classification 45 Passwords, Storage, and Other Important Decisions 46 HTTPS Everywhere 52 TLS Settings 53 Comments 54 Backup and Rollback 54 Framework Security Features 54 Technical Debt = Security Debt 55 File Uploads 56 Errors and Logging 57 Input Validation and Sanitization 58 Authorization and Authentication 59 Parameterized Queries 59 URL Parameters 60 Least Privilege 60 Requirements Checklist 61 Exercises 63 Chapter 3 Secure Design 65 Design Flaw vs. Security Bug 66 Discovering a Flaw Late 67 Pushing Left 68 Secure Design Concepts 68 Protecting Sensitive Data 68 Never Trust, Always Verify/Zero Trust/Assume Breach 70 Backup and Rollback 71 Server-Side Security Validation 73 Framework Security Features 74 Security Function Isolation 74 Application Partitioning 75 Secret Management 76 Re-authentication for Transactions (Avoiding CSRF) 76 Segregation of Production Data 77 Protection of Source Code 77 Threat Modeling 78 Exercises 82 Chapter 4 Secure Code 83 Selecting Your Framework and Programming Language 83 Example #1 85 Example #2 85 Example #3 86 Programming Languages and Frameworks: The Rule 87 Untrusted Data 87 HTTP Verbs 89 Identity 90 Session Management 91 Bounds Checking 93 Authentication (AuthN) 94 Authorization (AuthZ) 96 Error Handling, Logging, and Monitoring 99 Rules for Errors 100 Logging 100 Monitoring 101 Exercises 103 Chapter 5 Common Pitfalls 105 OWASP 105 Defenses and Vulnerabilities Not Previously Covered 109 Cross-Site Request Forgery 110 Server-Side Request Forgery 112 Deserialization 114 Race Conditions 115 Closing Comments 117 Exercises 117 Part II What You Should Do to Create Very Good Code 119 Chapter 6 Testing and Deployment 121 Testing Your Code 121 Code Review 122 Static Application Security Testing (SAST) 123 Software Composition Analysis (SCA) 125 Unit Tests 126 Infrastructure as Code (IaC) and Security as Code (SaC) 128 Testing Your Application 129 Manual Testing 130 Browsers 131 Developer Tools 131 Web Proxies 132 Fuzzing 133 Dynamic Application Security Testing (DAST) 133 VA/Security Assessment/PenTest 135 Testing Your Infrastructure 141 Testing Your Database 141 Testing Your APIs and Web Services 142 Testing Your Integrations 143 Testing Your Network 144 Deployment 145 Editing Code Live on a Server 146 Publishing from an IDE 146 “Homemade” Deployment Systems 147 Run Books 148 Contiguous Integration/Continuous Delivery/Continuous Deployment 148 Exercises 149 Chapter 7 An AppSec Program 151 Application Security Program Goals 152 Creating and Maintaining an Application Inventory 153 Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153 Knowledge and Resources to Fix the Vulnerabilities 154 Education and Reference Materials 155 Providing Developers with Security Tools 155 Having One or More Security Activities During Each Phase of Your SDLC 156 Implementing Useful and Effective Tooling 157 An Incident Response Team That Knows When to Call You 157 Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159 Metrics 159 Experimentation 161 Feedback from Any and All Stakeholders 161 A Special Note on DevOps and Agile 162 Application Security Activities 162 Application Security Tools 164 Your Application Security Program 165 Exercises 166 Chapter 8 Securing Modern Applications and Systems 167 APIs and Microservices 168 Online Storage 171 Containers and Orchestration 172 Serverless 174 Infrastructure as Code (IaC) 175 Security as Code (SaC) 177 Platform as a Service (PaaS) 178 Infrastructure as a Service (IaaS) 179 Continuous Integration/Delivery/Deployment 180 Dev(Sec)Ops 180 DevSecOps 182 The Cloud 183 Cloud Computing 183 Cloud Native 184 Cloud Native Security 185 Cloud Workflows 185 Modern Tooling 186 IAST Interactive Application Security Testing 186 Runtime Application Security Protection 187 File Integrity Monitoring 187 Application Control Tools (Approved Software Lists) 187 Security Tools Created for DevOps Pipelines 188 Application Inventory Tools 188 Least Privilege and Other Policy Automation 189 Modern Tactics 189 Summary 191 Exercises 191 Part III Helpful Information on How to Continue to Create Very Good Code 193 Chapter 9 Good Habits 195 Password Management 196 Remove Password Complexity Rules 196 Use a Password Manager 197 Passphrases 198 Don’t Reuse Passwords 198 Do Not Implement Password Rotation 199 Multi-Factor Authentication 199 Incident Response 200 Fire Drills 201 Continuous Scanning 202 Technical Debt 202 Inventory 203 Other Good Habits 204 Policies 204 Downloads and Devices 204 Lock Your Machine 204 Privacy 205 Summary 206 Exercises 206 Chapter 10 Continuous Learning 207 What to Learn 208 Offensive = Defensive 208 Don’t Forget Soft Skills 208 Leadership != Management 209 Learning Options 209 Accountability 212 Create Your Plan 213 Take Action 214 Exercises 214 Learning Plan 216 Chapter 11 Closing Thoughts 217 Lingering Questions 218 When Have You Done Enough? 218 How Do You Get Management on Board? 220 How Do You Get Developers on Board? 221 Where Do You Start? 222 Where Do You Get Help? 223 Conclusion 223 Appendix A Resources 225 Introduction 225 Chapter 1: Security Fundamentals 225 Chapter 2: Security Requirements 226 Chapter 3: Secure Design 227 Chapter 4: Secure Code 228 Chapter 5: Common Pitfalls 228 Chapter 6: Testing and Deployment 229 Chapter 7: An AppSec Program 229 Chapter 8: Securing Modern Applications and Systems 230 Chapter 9: Good Habits 231 Chapter 10: Continuous Learning 231 Appendix B Answer Key 233 Chapter 1: Security Fundamentals 233 Chapter 2: Security Requirements 235 Chapter 3: Secure Design 236 Chapter 4: Secure Code 238 Chapter 5: Common Pitfalls 241 Chapter 6: Testing and Deployment 242 Chapter 7: An AppSec Program 244 Chapter 8: Securing Modern Applications and Systems 245 Chapter 9: Good Habits 247 Chapter 10: Continuous Learning 248 Index 249

Item type:

Book List(s) this item appears in: OCTOBER 2023 TO MARCH 2024

Tags from this library: No tags from this library for this title. Log in to add tags.

Average rating: 0.0 (0 votes)

Holdings ( 1 )
Title notes ( 4 )
Comments ( 0 )

Holdings
Item type	Current library	Collection	Shelving location	Call number	Copy number	Status	Notes	Date due	Barcode	Item holds
Book	ST. FRANCIS INSTITUTE OF TECHNOLOGY	Text Books	REFERENCE SECTION	005.8/JAN (Browse shelf(Opens below))	1	Checked out to PRADHNYA PRADHAN (230016)	COMPUTER SECURITY	28/06/2024	29696

Total holds: 0

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:

Secure requirements, design, coding, and deployment
Security Testing (all forms)
Common Pitfalls
Application Security Programs
Securing Modern Applications
Software Developer Security Hygiene
Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.

Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1

Chapter 1 Security Fundamentals 3

The Security Mandate: CIA 3

Confidentiality 4

Integrity 5

Availability 5

Assume Breach 7

Insider Threats 8

Defense in Depth 9

Least Privilege 11

Supply Chain Security 11

Security by Obscurity 13

Attack Surface Reduction 14

Hard Coding 15

Never Trust, Always Verify 15

Usable Security 17

Factors of Authentication 18

Exercises 20

Chapter 2 Security Requirements 21

Requirements 22

Encryption 23

Never Trust System Input 24

Encoding and Escaping 28

Third-Party Components 29

Security Headers: Seatbelts for Web Apps 31

Security Headers in Action 32

X-XSS-Protection 32

Content-Security-Policy (CSP) 32

X-Frame-Options 35

X-Content-Type-Options 36

Referrer-Policy 36

Strict-Transport-Security (HSTS) 37

Feature-Policy 38

X-Permitted-Cross-Domain-Policies 39

Expect-CT 39

Public Key Pinning Extension for HTTP (HPKP) 41

Securing Your Cookies 42

The Secure Flag 42

The HttpOnly Flag 42

Persistence 43

Domain 43

Path 44

Same-Site 44

Cookie Prefixes 45

Data Privacy 45

Data Classification 45

Passwords, Storage, and Other Important Decisions 46

HTTPS Everywhere 52

TLS Settings 53

Comments 54

Backup and Rollback 54

Framework Security Features 54

Technical Debt = Security Debt 55

File Uploads 56

Errors and Logging 57

Input Validation and Sanitization 58

Authorization and Authentication 59

Parameterized Queries 59

URL Parameters 60

Least Privilege 60

Requirements Checklist 61

Exercises 63

Chapter 3 Secure Design 65

Design Flaw vs. Security Bug 66

Discovering a Flaw Late 67

Pushing Left 68

Secure Design Concepts 68

Protecting Sensitive Data 68

Never Trust, Always Verify/Zero Trust/Assume Breach 70

Backup and Rollback 71

Server-Side Security Validation 73

Framework Security Features 74

Security Function Isolation 74

Application Partitioning 75

Secret Management 76

Re-authentication for Transactions (Avoiding CSRF) 76

Segregation of Production Data 77

Protection of Source Code 77

Threat Modeling 78

Exercises 82

Chapter 4 Secure Code 83

Selecting Your Framework and Programming Language 83

Example #1 85

Example #2 85

Example #3 86

Programming Languages and Frameworks: The Rule 87

Untrusted Data 87

HTTP Verbs 89

Identity 90

Session Management 91

Bounds Checking 93

Authentication (AuthN) 94

Authorization (AuthZ) 96

Error Handling, Logging, and Monitoring 99

Rules for Errors 100

Logging 100

Monitoring 101

Exercises 103

Chapter 5 Common Pitfalls 105

OWASP 105

Defenses and Vulnerabilities Not Previously Covered 109

Cross-Site Request Forgery 110

Server-Side Request Forgery 112

Deserialization 114

Race Conditions 115

Closing Comments 117

Exercises 117

Part II What You Should Do to Create Very Good Code 119

Chapter 6 Testing and Deployment 121

Testing Your Code 121

Code Review 122

Static Application Security Testing (SAST) 123

Software Composition Analysis (SCA) 125

Unit Tests 126

Infrastructure as Code (IaC) and Security as Code (SaC) 128

Testing Your Application 129

Manual Testing 130

Browsers 131

Developer Tools 131

Web Proxies 132

Fuzzing 133

Dynamic Application Security Testing (DAST) 133

VA/Security Assessment/PenTest 135

Testing Your Infrastructure 141

Testing Your Database 141

Testing Your APIs and Web Services 142

Testing Your Integrations 143

Testing Your Network 144

Deployment 145

Editing Code Live on a Server 146

Publishing from an IDE 146

“Homemade” Deployment Systems 147

Run Books 148

Contiguous Integration/Continuous Delivery/Continuous Deployment 148

Exercises 149

Chapter 7 An AppSec Program 151

Application Security Program Goals 152

Creating and Maintaining an Application Inventory 153

Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153

Knowledge and Resources to Fix the Vulnerabilities 154

Education and Reference Materials 155

Providing Developers with Security Tools 155

Having One or More Security Activities During Each Phase of Your SDLC 156

Implementing Useful and Effective Tooling 157

An Incident Response Team That Knows When to Call You 157

Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159

Metrics 159

Experimentation 161

Feedback from Any and All Stakeholders 161

A Special Note on DevOps and Agile 162

Application Security Activities 162

Application Security Tools 164

Your Application Security Program 165

Exercises 166

Chapter 8 Securing Modern Applications and Systems 167

APIs and Microservices 168

Online Storage 171

Containers and Orchestration 172

Serverless 174

Infrastructure as Code (IaC) 175

Security as Code (SaC) 177

Platform as a Service (PaaS) 178

Infrastructure as a Service (IaaS) 179

Continuous Integration/Delivery/Deployment 180

Dev(Sec)Ops 180

DevSecOps 182

The Cloud 183

Cloud Computing 183

Cloud Native 184

Cloud Native Security 185

Cloud Workflows 185

Modern Tooling 186

IAST Interactive Application Security Testing 186

Runtime Application Security Protection 187

File Integrity Monitoring 187

Application Control Tools (Approved Software Lists) 187

Security Tools Created for DevOps Pipelines 188

Application Inventory Tools 188

Least Privilege and Other Policy Automation 189

Modern Tactics 189

Summary 191

Exercises 191

Part III Helpful Information on How to Continue to Create Very Good Code 193

Chapter 9 Good Habits 195

Password Management 196

Remove Password Complexity Rules 196

Use a Password Manager 197

Passphrases 198

Don’t Reuse Passwords 198

Do Not Implement Password Rotation 199

Multi-Factor Authentication 199

Incident Response 200

Fire Drills 201

Continuous Scanning 202

Technical Debt 202

Inventory 203

Other Good Habits 204

Policies 204

Downloads and Devices 204

Lock Your Machine 204

Privacy 205

Summary 206

Exercises 206

Chapter 10 Continuous Learning 207

What to Learn 208

Offensive = Defensive 208

Don’t Forget Soft Skills 208

Leadership != Management 209

Learning Options 209

Accountability 212

Create Your Plan 213

Take Action 214

Exercises 214

Learning Plan 216

Chapter 11 Closing Thoughts 217

Lingering Questions 218

When Have You Done Enough? 218

How Do You Get Management on Board? 220

How Do You Get Developers on Board? 221

Where Do You Start? 222

Where Do You Get Help? 223

Conclusion 223

Appendix A Resources 225

Introduction 225

Chapter 1: Security Fundamentals 225

Chapter 2: Security Requirements 226

Chapter 3: Secure Design 227

Chapter 4: Secure Code 228

Chapter 5: Common Pitfalls 228

Chapter 6: Testing and Deployment 229

Chapter 7: An AppSec Program 229

Chapter 8: Securing Modern Applications and Systems 230

Chapter 9: Good Habits 231

Chapter 10: Continuous Learning 231

Appendix B Answer Key 233

Chapter 1: Security Fundamentals 233

Chapter 2: Security Requirements 235

Chapter 3: Secure Design 236

Chapter 4: Secure Code 238

Chapter 5: Common Pitfalls 241

Chapter 6: Testing and Deployment 242

Chapter 7: An AppSec Program 244

Chapter 8: Securing Modern Applications and Systems 245

Chapter 9: Good Habits 247

Chapter 10: Continuous Learning 248

Index 249

CMPN

ENGLISH

There are no comments on this title.

to post a comment.