Details

Alice and Bob Learn Application Security


1st edition

by: Tanya Janca

33,99 €

Publisher: Wiley
Format: EPUB
Published: 14.10.2020
ISBN/EAN: 9781119687405
Language: English
Number of pages: 288

DRM-protected eBook; you need e.g. Adobe Digital Editions and an Adobe ID to read it.

Descriptions

<p><b>Learn application security from the very start, with this comprehensive and approachable guide!</b></p> <p><i>Alice and Bob Learn Application Security</i> is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.</p> <p>Topics include:</p> <ul> <li>Secure requirements, design, coding, and deployment</li> <li>Security Testing (all forms)</li> <li>Common Pitfalls</li> <li>Application Security Programs</li> <li>Securing Modern Applications</li> <li>Software Developer Security Hygiene</li> </ul> <p><i>Alice and Bob Learn Application Security</i> is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.</p> <p><i>Alice and Bob Learn Application Security</i> illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.</p>
<p>Foreword xxi</p> <p>Introduction xxiii</p> <p><b>Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1</b></p> <p><b>Chapter 1 Security Fundamentals 3</b></p> <p>The Security Mandate: CIA 3</p> <p>Confidentiality 4</p> <p>Integrity 5</p> <p>Availability 5</p> <p>Assume Breach 7</p> <p>Insider Threats 8</p> <p>Defense in Depth 9</p> <p>Least Privilege 11</p> <p>Supply Chain Security 11</p> <p>Security by Obscurity 13</p> <p>Attack Surface Reduction 14</p> <p>Hard Coding 15</p> <p>Never Trust, Always Verify 15</p> <p>Usable Security 17</p> <p>Factors of Authentication 18</p> <p>Exercises 20</p> <p><b>Chapter 2 Security Requirements 21</b></p> <p>Requirements 22</p> <p>Encryption 23</p> <p>Never Trust System Input 24</p> <p>Encoding and Escaping 28</p> <p>Third-Party Components 29</p> <p>Security Headers: Seatbelts for Web Apps 31</p> <p>Security Headers in Action 32</p> <p>X-XSS-Protection 32</p> <p>Content-Security-Policy (CSP) 32</p> <p>X-Frame-Options 35</p> <p>X-Content-Type-Options 36</p> <p>Referrer-Policy 36</p> <p>Strict-Transport-Security (HSTS) 37</p> <p>Feature-Policy 38</p> <p>X-Permitted-Cross-Domain-Policies 39</p> <p>Expect-CT 39</p> <p>Public Key Pinning Extension for HTTP (HPKP) 41</p> <p>Securing Your Cookies 42</p> <p>The Secure Flag 42</p> <p>The HttpOnly Flag 42</p> <p>Persistence 43</p> <p>Domain 43</p> <p>Path 44</p> <p>Same-Site 44</p> <p>Cookie Prefixes 45</p> <p>Data Privacy 45</p> <p>Data Classification 45</p> <p>Passwords, Storage, and Other Important Decisions 46</p> <p>HTTPS Everywhere 52</p> <p>TLS Settings 53</p> <p>Comments 54</p> <p>Backup and Rollback 54</p> <p>Framework Security Features 54</p> <p>Technical Debt = Security Debt 55</p> <p>File Uploads 56</p> <p>Errors and Logging 57</p> <p>Input Validation and Sanitization 58</p> <p>Authorization and Authentication 59</p> <p>Parameterized Queries 59</p> <p>URL Parameters 60</p> <p>Least Privilege 60</p> <p>Requirements Checklist 61</p> <p>Exercises 63</p> 
<p><b>Chapter 3 Secure Design 65</b></p> <p>Design Flaw vs. Security Bug 66</p> <p>Discovering a Flaw Late 67</p> <p>Pushing Left 68</p> <p>Secure Design Concepts 68</p> <p>Protecting Sensitive Data 68</p> <p>Never Trust, Always Verify/Zero Trust/Assume Breach 70</p> <p>Backup and Rollback 71</p> <p>Server-Side Security Validation 73</p> <p>Framework Security Features 74</p> <p>Security Function Isolation 74</p> <p>Application Partitioning 75</p> <p>Secret Management 76</p> <p>Re-authentication for Transactions (Avoiding CSRF) 76</p> <p>Segregation of Production Data 77</p> <p>Protection of Source Code 77</p> <p>Threat Modeling 78</p> <p>Exercises 82</p>
<p><b>Chapter 4 Secure Code 83</b></p> <p>Selecting Your Framework and Programming Language 83</p> <p>Example #1 85</p> <p>Example #2 85</p> <p>Example #3 86</p> <p>Programming Languages and Frameworks: The Rule 87</p> <p>Untrusted Data 87</p> <p>HTTP Verbs 89</p> <p>Identity 90</p> <p>Session Management 91</p> <p>Bounds Checking 93</p> <p>Authentication (AuthN) 94</p> <p>Authorization (AuthZ) 96</p> <p>Error Handling, Logging, and Monitoring 99</p> <p>Rules for Errors 100</p> <p>Logging 100</p> <p>Monitoring 101</p> <p>Exercises 103</p>
<p><b>Chapter 5 Common Pitfalls 105</b></p> <p>OWASP 105</p> <p>Defenses and Vulnerabilities Not Previously Covered 109</p> <p>Cross-Site Request Forgery 110</p> <p>Server-Side Request Forgery 112</p> <p>Deserialization 114</p> <p>Race Conditions 115</p> <p>Closing Comments 117</p> <p>Exercises 117</p>
<p><b>Part II What You Should Do to Create Very Good Code 119</b></p>
<p><b>Chapter 6 Testing and Deployment 121</b></p> <p>Testing Your Code 121</p> <p>Code Review 122</p> <p>Static Application Security Testing (SAST) 123</p> <p>Software Composition Analysis (SCA) 125</p> <p>Unit Tests 126</p> <p>Infrastructure as Code (IaC) and Security as Code (SaC) 128</p> <p>Testing Your Application 129</p> <p>Manual Testing 130</p> <p>Browsers 131</p> <p>Developer Tools 131</p> <p>Web Proxies 132</p> <p>Fuzzing 133</p> <p>Dynamic Application Security Testing (DAST) 133</p> <p>VA/Security Assessment/PenTest 135</p> <p>Testing Your Infrastructure 141</p> <p>Testing Your Database 141</p> <p>Testing Your APIs and Web Services 142</p> <p>Testing Your Integrations 143</p> <p>Testing Your Network 144</p> <p>Deployment 145</p> <p>Editing Code Live on a Server 146</p> <p>Publishing from an IDE 146</p> <p>“Homemade” Deployment Systems 147</p> <p>Run Books 148</p> <p>Contiguous Integration/Continuous Delivery/Continuous Deployment 148</p> <p>Exercises 149</p>
<p><b>Chapter 7 An AppSec Program 151</b></p> <p>Application Security Program Goals 152</p> <p>Creating and Maintaining an Application Inventory 153</p> <p>Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153</p> <p>Knowledge and Resources to Fix the Vulnerabilities 154</p> <p>Education and Reference Materials 155</p> <p>Providing Developers with Security Tools 155</p> <p>Having One or More Security Activities During Each Phase of Your SDLC 156</p> <p>Implementing Useful and Effective Tooling 157</p> <p>An Incident Response Team That Knows When to Call You 157</p> <p>Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159</p> <p>Metrics 159</p> <p>Experimentation 161</p> <p>Feedback from Any and All Stakeholders 161</p> <p>A Special Note on DevOps and Agile 162</p> <p>Application Security Activities 162</p> <p>Application Security Tools 164</p> <p><i>Your </i>Application Security Program 165</p> <p>Exercises 166</p>
<p><b>Chapter 8 Securing Modern Applications and Systems 167</b></p> <p>APIs and Microservices 168</p> <p>Online Storage 171</p> <p>Containers and Orchestration 172</p> <p>Serverless 174</p> <p>Infrastructure as Code (IaC) 175</p> <p>Security as Code (SaC) 177</p> <p>Platform as a Service (PaaS) 178</p> <p>Infrastructure as a Service (IaaS) 179</p> <p>Continuous Integration/Delivery/Deployment 180</p> <p>Dev(Sec)Ops 180</p> <p>DevSecOps 182</p> <p>The Cloud 183</p> <p>Cloud Computing 183</p> <p>Cloud Native 184</p> <p>Cloud Native Security 185</p> <p>Cloud Workflows 185</p> <p>Modern Tooling 186</p> <p>IAST Interactive Application Security Testing 186</p> <p>Runtime Application Security Protection 187</p> <p>File Integrity Monitoring 187</p> <p>Application Control Tools (Approved Software Lists) 187</p> <p>Security Tools Created for DevOps Pipelines 188</p> <p>Application Inventory Tools 188</p> <p>Least Privilege and Other Policy Automation 189</p> <p>Modern Tactics 189</p> <p>Summary 191</p> <p>Exercises 191</p>
<p><b>Part III Helpful Information on How to Continue to Create Very Good Code 193</b></p>
<p><b>Chapter 9 Good Habits 195</b></p> <p>Password Management 196</p> <p>Remove Password Complexity Rules 196</p> <p>Use a Password Manager 197</p> <p>Passphrases 198</p> <p>Don’t Reuse Passwords 198</p> <p>Do Not Implement Password Rotation 199</p> <p>Multi-Factor Authentication 199</p> <p>Incident Response 200</p> <p>Fire Drills 201</p> <p>Continuous Scanning 202</p> <p>Technical Debt 202</p> <p>Inventory 203</p> <p>Other Good Habits 204</p> <p>Policies 204</p> <p>Downloads and Devices 204</p> <p>Lock Your Machine 204</p> <p>Privacy 205</p> <p>Summary 206</p> <p>Exercises 206</p>
<p><b>Chapter 10 Continuous Learning 207</b></p> <p>What to Learn 208</p> <p>Offensive = Defensive 208</p> <p>Don’t Forget Soft Skills 208</p> <p>Leadership != Management 209</p> <p>Learning Options 209</p> <p>Accountability 212</p> <p>Create Your Plan 213</p> <p>Take Action 214</p> <p>Exercises 214</p> <p>Learning Plan 216</p>
<p><b>Chapter 11 Closing Thoughts 217</b></p> <p>Lingering Questions 218</p> <p>When Have You Done <i>Enough</i>? 218</p> <p>How Do You Get Management on Board? 220</p> <p>How Do You Get Developers on Board? 221</p> <p>Where Do You Start? 222</p> <p>Where Do You Get Help? 223</p> <p>Conclusion 223</p>
<p><b>Appendix A Resources 225</b></p> <p>Introduction 225</p> <p>Chapter 1: Security Fundamentals 225</p> <p>Chapter 2: Security Requirements 226</p> <p>Chapter 3: Secure Design 227</p> <p>Chapter 4: Secure Code 228</p> <p>Chapter 5: Common Pitfalls 228</p> <p>Chapter 6: Testing and Deployment 229</p> <p>Chapter 7: An AppSec Program 229</p> <p>Chapter 8: Securing Modern Applications and Systems 230</p> <p>Chapter 9: Good Habits 231</p> <p>Chapter 10: Continuous Learning 231</p>
<p><b>Appendix B Answer Key 233</b></p> <p>Chapter 1: Security Fundamentals 233</p> <p>Chapter 2: Security Requirements 235</p> <p>Chapter 3: Secure Design 236</p> <p>Chapter 4: Secure Code 238</p> <p>Chapter 5: Common Pitfalls 241</p> <p>Chapter 6: Testing and Deployment 242</p> <p>Chapter 7: An AppSec Program 244</p> <p>Chapter 8: Securing Modern Applications and Systems 245</p> <p>Chapter 9: Good Habits 247</p> <p>Chapter 10: Continuous Learning 248</p> <p>Index 249</p>
<p><b>Tanya Janca,</b> also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.</p>
<p><b>A TRIED-AND-TESTED APPROACH TO BUILDING SECURITY INTO PROJECTS FROM THE START</b></p> <p>Do you have difficulty implementing application security into your software development process? <i>Alice and Bob Learn Application Security</i> shows readers how to "push left" in software, by building security considerations into their system development life cycle, right from the start.</p> <p>You'll learn basic security fundamentals and requirements, as well as secure design concepts, all while benefiting from the code, exercises, and examples interspersed throughout the text.</p> <p>Written by one of the leading voices in the application security field, the book includes answers to the most common questions people starting out in application security often have. It also includes valuable additional resources where readers can find more answers.</p> <p>The core security concepts are illustrated through references to the personas of Alice and Bob and how their professional lives and businesses drive application security decisions. The book takes a pleasantly straightforward approach that's heavy on practical strategies and light on needless jargon or complexity. At the same time, it supplies the rigor or richness you would expect to find in a leading resource on the topic of application security.</p> <p>The book is perfect for current and aspiring software and application developers. It also belongs on the bookshelves of software project managers, Chief Information Security Officers, and penetration testers who seek to improve their craft and their ability to deliver valuable results.</p>
<p><i>Alice and Bob Learn Application Security</i> will teach you everything you need to know about:</p> <ul> <li><b>Security fundamentals and requirements</b></li> <li><b>Secure design concepts</b></li> <li><b>Secure coding (with guidelines)</b></li> <li><b>The basics of threat modelling and security testing</b></li> <li><b>How to build an AppSec program</b></li> <li><b>Modern application security concerns and defenses</b></li> <li><b>How to implement security hygiene protocols for developers and IT staff</b></li> </ul>
<p>“Tanya knows her stuff. She has a huge depth of experience and expertise in application security, DevSecOps, and cloud security. We can all learn a ton of stuff from Tanya, so you should read her book!”</p> <p>-<b>Dafydd Stuttard</b>, best-selling co-author of <i>The Web Application Hacker's Handbook</i>, creator of Burp Suite</p>
<p>“I learned so much from this book! Information security is truly everyone's job — this book is a fantastic overview of the vast knowledge needed by everyone, from developer, infrastructure, security professionals, and so much more. Kudos to Ms. Janca for writing such an educational and practical primer. I loved the realistic stories that frame real-world problems, spanning everything from design, migrating applications from problematic frameworks, mitigating admin risks, and things that every modern developer needs to know.”</p> <p>-<b>Gene Kim</b>, bestselling author of <i>The Unicorn Project</i>, co-author of <i>The Phoenix Project</i>, <i>DevOps Handbook</i>, <i>Accelerate</i></p>
<p>“Practical guidance for the modern era; Tanya does a great job of communicating current day thinking around AppSec in terms we can all relate to.”</p> <p>-<b>Troy Hunt</b>, creator of "Have I Been Pwned"</p>
