Learn application security from the very start, with this comprehensive and approachable guide!
Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.
Topics include:
Secure requirements, design, coding, and deployment
Security Testing (all forms)
Common Pitfalls
Application Security Programs
Securing Modern Applications
Software Developer Security Hygiene
Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.
Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.
Author
Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.
Flap text
A TRIED-AND-TESTED APPROACH TO BUILDING SECURITY INTO PROJECTS FROM THE START
Do you have difficulty implementing application security into your software development process? Alice and Bob Learn Application Security shows readers how to "push left" in software, by building security considerations into their system development life cycle, right from the start. You'll learn basic security fundamentals and requirements, as well as secure design concepts, all while benefiting from the code, exercises, and examples interspersed throughout the text.
Written by one of the leading voices in the application security field, the book includes answers to the most common questions people starting out in application security often have. It also includes valuable additional resources where readers can find more answers. The core security concepts are illustrated through references to the personas of Alice and Bob and how their professional lives and businesses drive application security decisions.
The book takes a pleasantly straightforward approach that's heavy on practical strategies and light on needless jargon or complexity. At the same time, it supplies the rigor or richness you would expect to find in a leading resource on the topic of application security.
The book is perfect for current and aspiring software and application developers. It also belongs on the bookshelves of software project managers, Chief Information Security Officers, and penetration testers who seek to improve their craft and their ability to deliver valuable results.
Alice and Bob Learn Application Security will teach you everything you need to know about:
Contents
Foreword
Introduction
Part I What You Must Know to Write Code Safe Enough to Put on the Internet
Chapter 1 Security Fundamentals
The Security Mandate: CIA
Confidentiality
Integrity
Availability
Assume Breach
Insider Threats
Defense in Depth
Least Privilege
Supply Chain Security
Security by Obscurity
Attack Surface Reduction
Hard Coding
Never Trust, Always Verify
Usable Security
Factors of Authentication
Exercises
Chapter 2 Security Requirements
Requirements
Encryption
Never Trust System Input
Encoding and Escaping
Third-Party Components
Security Headers: Seatbelts for Web Apps
Security Headers in Action
X-XSS-Protection
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Strict-Transport-Security (HSTS)
Feature-Policy
X-Permitted-Cross-Domain-Policies
Expect-CT
Public Key Pinning Extension for HTTP (HPKP)
Securing Your Cookies
The Secure Flag
The HttpOnly Flag
Persistence
Domain
Path
Same-Site
Cookie Prefixes
Data Privacy
Data Classification
Passwords, Storage, and Other Important Decisions
HTTPS Everywhere
TLS Settings
Comments
Backup and Rollback
Framework Security Features
Technical Debt = Security Debt
File Uploads
Errors and Logging
Input Validation and Sanitization
Authorization and Authentication
Parameterized Queries
URL Parameters
Least Privilege
Requirements Checklist
Exercises
Chapter 3 Secure Design
Design Flaw vs. Security Bug
Discovering a Flaw Late
Pushing Left
Secure Design Concepts
Protecting Sensitive Data
Never Trust, Always Verify/Zero Trust/Assume Breach
Backup and Rollback
Server-Side Security Validation
Framework Security Features
Security Function Isolation
Application Partitioning
Secret Management
Re-authentication for Transactions (Avoiding CSRF)
Segregation of Production Data
Protection of Source Code
Threat Modeling …