Alice and Bob learn application security
Learn application security from the very start, with this comprehensive and approachable guide! Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in softw...
| Main Author: | |
|---|---|
| Format: | eBook |
| Language: | English |
| Published: |
Indianapolis, Indiana
John Wiley & Sons, Inc.
2021
|
| Subjects: | |
| Online Access: | |
| Collection: | O'Reilly - Collection details see MPG.ReNa |
Table of Contents:
- Cover
- Title Page
- Copyright Page
- About the Author
- About the Technical Editors
- Acknowledgments
- Contents at a Glance
- Contents
- Introduction
- Pushing Left
- About This Book
- Out-of-Scope Topics
- The Answer Key
- Part 1 What You Must Know to Write Code Safe Enough to Put on the Internet
- Chapter 1 Security Fundamentals
- The Security Mandate: CIA
- Confidentiality
- Integrity
- Availability
- Assume Breach
- Insider Threats
- Defense in Depth
- Least Privilege
- Supply Chain Security
- Security by Obscurity
- Attack Surface Reduction
- Hard Coding
- Discovering a Flaw Late
- Pushing Left
- Secure Design Concepts
- Protecting Sensitive Data
- Never Trust, Always Verify/Zero Trust/Assume Breach
- Backup and Rollback
- Server-Side Security Validation
- Framework Security Features
- Security Function Isolation
- Application Partitioning
- Secret Management
- Re-authentication for Transactions (Avoiding CSRF)
- Segregation of Production Data
- Protection of Source Code
- Threat Modeling
- Exercises
- Chapter 4 Secure Code
- Selecting Your Framework and Programming Language
- Example #1
- Example #2
- Example #3
- Programming Languages and Frameworks: The Rule
- Untrusted Data
- HTTP Verbs
- Identity
- Session Management
- Bounds Checking
- Authentication (AuthN)
- Authorization (AuthZ)
- Error Handling, Logging, and Monitoring
- Backups and Rollbacks
- Rules for Errors
- Logging
- Monitoring
- Exercises
- Chapter 5 Common Pitfalls
- OWASP
- Defenses and Vulnerabilities Not Previously Covered
- Cross-Site Request Forgery
- Server-Side Request Forgery
- Deserialization
- Race Conditions
- Closing Comments
- Exercises
- Part 2 What You Should Do to Create Very Good Code
- Never Trust, Always Verify
- Usable Security
- Factors of Authentication
- Exercises
- Chapter 2 Security Requirements
- Requirements
- Encryption
- Never Trust System Input
- Encoding and Escaping
- Third-Party Components
- Security Headers: Seatbelts for Web Apps
- Security Headers in Action
- X-XSS-Protection
- Content-Security-Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Strict-Transport-Security (HSTS)
- Feature-Policy
- X-Permitted-Cross-Domain-Policies
- Expect-CT
- Public Key Pinning Extension for HTTP (HPKP)
- Securing Your Cookies
- The Secure Flag
- The HttpOnly Flag
- Persistence
- Domain
- Path
- Same-Site
- Cookie Prefixes
- Data Privacy
- Data Classification
- Passwords, Storage, and Other Important Decisions
- HTTPS Everywhere
- TLS Settings
- Comments
- Backup and Rollback
- Framework Security Features
- Technical Debt = Security Debt
- File Uploads
- Errors and Logging
- Input Validation and Sanitization
- Authorization and Authentication
- Parameterized Queries
- URL Parameters
- Least Privilege
- Requirements Checklist
- Exercises
- Chapter 3 Secure Design
- Design Flaw vs. Security Bug