ALICE AND BOB LEARN APPLICATION SECURITY
- INDIANAPOLIS WILEY 2021
- xxvi, 257
Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.
Topics include:
Secure requirements, design, coding, and deployment Security Testing (all forms) Common Pitfalls Application Security Programs Securing Modern Applications Software Developer Security Hygiene Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.
Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.
Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1
Chapter 1 Security Fundamentals 3
The Security Mandate: CIA 3
Confidentiality 4
Integrity 5
Availability 5
Assume Breach 7
Insider Threats 8
Defense in Depth 9
Least Privilege 11
Supply Chain Security 11
Security by Obscurity 13
Attack Surface Reduction 14
Hard Coding 15
Never Trust, Always Verify 15
Usable Security 17
Factors of Authentication 18
Exercises 20
Chapter 2 Security Requirements 21
Requirements 22
Encryption 23
Never Trust System Input 24
Encoding and Escaping 28
Third-Party Components 29
Security Headers: Seatbelts for Web Apps 31
Security Headers in Action 32
X-XSS-Protection 32
Content-Security-Policy (CSP) 32
X-Frame-Options 35
X-Content-Type-Options 36
Referrer-Policy 36
Strict-Transport-Security (HSTS) 37
Feature-Policy 38
X-Permitted-Cross-Domain-Policies 39
Expect-CT 39
Public Key Pinning Extension for HTTP (HPKP) 41
Securing Your Cookies 42
The Secure Flag 42
The HttpOnly Flag 42
Persistence 43
Domain 43
Path 44
Same-Site 44
Cookie Prefixes 45
Data Privacy 45
Data Classification 45
Passwords, Storage, and Other Important Decisions 46
HTTPS Everywhere 52
TLS Settings 53
Comments 54
Backup and Rollback 54
Framework Security Features 54
Technical Debt = Security Debt 55
File Uploads 56
Errors and Logging 57
Input Validation and Sanitization 58
Authorization and Authentication 59
Parameterized Queries 59
URL Parameters 60
Least Privilege 60
Requirements Checklist 61
Exercises 63
Chapter 3 Secure Design 65
Design Flaw vs. Security Bug 66
Discovering a Flaw Late 67
Pushing Left 68
Secure Design Concepts 68
Protecting Sensitive Data 68
Never Trust, Always Verify/Zero Trust/Assume Breach 70
Backup and Rollback 71
Server-Side Security Validation 73
Framework Security Features 74
Security Function Isolation 74
Application Partitioning 75
Secret Management 76
Re-authentication for Transactions (Avoiding CSRF) 76
Segregation of Production Data 77
Protection of Source Code 77
Threat Modeling 78
Exercises 82
Chapter 4 Secure Code 83
Selecting Your Framework and Programming Language 83
Example #1 85
Example #2 85
Example #3 86
Programming Languages and Frameworks: The Rule 87
Untrusted Data 87
HTTP Verbs 89
Identity 90
Session Management 91
Bounds Checking 93
Authentication (AuthN) 94
Authorization (AuthZ) 96
Error Handling, Logging, and Monitoring 99
Rules for Errors 100
Logging 100
Monitoring 101
Exercises 103
Chapter 5 Common Pitfalls 105
OWASP 105
Defenses and Vulnerabilities Not Previously Covered 109
Cross-Site Request Forgery 110
Server-Side Request Forgery 112
Deserialization 114
Race Conditions 115
Closing Comments 117
Exercises 117
Part II What You Should Do to Create Very Good Code 119
Chapter 6 Testing and Deployment 121
Testing Your Code 121
Code Review 122
Static Application Security Testing (SAST) 123
Software Composition Analysis (SCA) 125
Unit Tests 126
Infrastructure as Code (IaC) and Security as Code (SaC) 128