Alice and Bob Learn Application Security
Contents
Tanya Janca. Alice and Bob Learn Application Security
Table of Contents
List of Illustrations
Guide
Pages
Alice & Bob Learn Application Security
Introduction
Pushing Left
About This Book
Out-of-Scope Topics
The Answer Key
Part I What You Must Know to Write Code Safe Enough to Put on the Internet. In This Part
CHAPTER 1 Security Fundamentals
The Security Mandate: CIA
Confidentiality
Integrity
Availability
Assume Breach
Insider Threats
Defense in Depth
Least Privilege
Supply Chain Security
SUPPLY CHAIN ATTACK EXAMPLE
Security by Obscurity
Attack Surface Reduction
Hard Coding
Never Trust, Always Verify
Usable Security
Factors of Authentication
Exercises
CHAPTER 2 Security Requirements
Requirements
Encryption
Never Trust System Input
Encoding and Escaping
Third-Party Components
KNOWN VULNERABLE
PRIVACY WARNING
Security Headers: Seatbelts for Web Apps
Security Headers in Action
X-XSS-Protection
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Strict-Transport-Security (HSTS)
DEFINITIONS
Feature-Policy
X-Permitted-Cross-Domain-Policies
Expect-CT
Public Key Pinning Extension for HTTP (HPKP)
Securing Your Cookies
The Secure Flag
The HttpOnly Flag
Persistence
Domain
Path
Same-Site
Cookie Prefixes
Data Privacy
Data Classification
Passwords, Storage, and Other Important Decisions
HTTPS Everywhere
TLS Settings
TLS TIPS
Comments
Backup and Rollback
Framework Security Features
Technical Debt = Security Debt
File Uploads
Errors and Logging
Input Validation and Sanitization
Authorization and Authentication
Parameterized Queries
URL Parameters
Least Privilege
Requirements Checklist
Exercises
CHAPTER 3 Secure Design
Design Flaw vs. Security Bug
Discovering a Flaw Late
Pushing Left
Secure Design Concepts
Protecting Sensitive Data
Never Trust, Always Verify/Zero Trust/Assume Breach
Backup and Rollback
Server-Side Security Validation
Framework Security Features
Security Function Isolation
Application Partitioning
Secret Management
Re-authentication for Transactions (Avoiding CSRF)
Segregation of Production Data
Protection of Source Code
Threat Modeling
AUTHOR STORY
Exercises
CHAPTER 4 Secure Code
Selecting Your Framework and Programming Language
Example #1
Example #2
Example #3
Programming Languages and Frameworks: The Rule
Untrusted Data
HTTP Verbs
Identity
Session Management
Bounds Checking
Authentication (AuthN)
Authorization (AuthZ)
Error Handling, Logging, and Monitoring
BACKUPS AND ROLLBACKS
Rules for Errors
Logging
Monitoring
Exercises
CHAPTER 5 Common Pitfalls
OWASP
Defenses and Vulnerabilities Not Previously Covered
Cross-Site Request Forgery
INDUSTRY SUCCESS
Server-Side Request Forgery
Defenses
Mitigation
Deserialization
Race Conditions
Closing Comments
Exercises
Part II What You Should Do to Create Very Good Code. In This Part
CHAPTER 6 Testing and Deployment
Testing Your Code
Code Review
Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
Unit Tests
Infrastructure as Code (IaC) and Security as Code (SaC)
Testing Your Application
Manual Testing
Browsers
Developer Tools
Web Proxies
Fuzzing
Dynamic Application Security Testing (DAST)
Infrastructure
Custom Applications
VA/Security Assessment/PenTest
HIRING A HACKER
Security Hygiene
DANGEROUS TESTING
Stress and Performance Testing
Integration Testing
TRUNK-BASED DEVELOPMENT
Interactive Application Security Testing
Regression Testing
Testing Your Infrastructure
Testing Your Database
Testing Your APIs and Web Services
Testing Your Integrations
Testing Your Network
Deployment
BIAS ALERT
Editing Code Live on a Server
Publishing from an IDE
“Homemade” Deployment Systems
Run Books
Continuous Integration/Continuous Delivery/Continuous Deployment
Exercises
CHAPTER 7 An AppSec Program
Application Security Program Goals
Creating and Maintaining an Application Inventory
Capability to Find Vulnerabilities in Written, Running, and Third-Party Code
Knowledge and Resources to Fix the Vulnerabilities
Education and Reference Materials
Providing Developers with Security Tools
Having One or More Security Activities During Each Phase of Your SDLC
Implementing Useful and Effective Tooling
An Incident Response Team That Knows When to Call You
KNOWING IS BETTER THAN NOT KNOWING
Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback
Metrics
PUTTING YOUR EFFORTS IN THE RIGHT PLACE
Experimentation
Feedback from Any and All Stakeholders
A Special Note on DevOps and Agile
Application Security Activities
Application Security Tools
Your Application Security Program
Exercises
CHAPTER 8 Securing Modern Applications and Systems
APIs and Microservices
Online Storage
Containers and Orchestration
Serverless
Infrastructure as Code (IaC)
GRANT PERMISSIONS CAREFULLY
Security as Code (SaC)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Continuous Integration/Delivery/Deployment
Dev(Sec)Ops
DevSecOps
The Cloud
Cloud Computing
Cloud Native
Cloud Native Security
Cloud Workflows
Modern Tooling
IAST Interactive Application Security Testing
Runtime Application Security Protection
File Integrity Monitoring
Application Control Tools (Approved Software Lists)
Security Tools Created for DevOps Pipelines
Application Inventory Tools
Least Privilege and Other Policy Automation
Modern Tactics
Summary
Exercises
Part III Helpful Information on How to Continue to Create Very Good Code. In This Part
CHAPTER 9 Good Habits
Password Management
Remove Password Complexity Rules
PASSWORD REUSE
Use a Password Manager
Passphrases
Don't Reuse Passwords
Do Not Implement Password Rotation
PASSWORD ROTATION
Multi-Factor Authentication
Incident Response
Fire Drills
DISASTER RECOVERY (DR) AND BUSINESS CONTINUITY PLANNING (BCP)
Continuous Scanning
Technical Debt
Inventory
INVENTORY
Other Good Habits
Policies
Downloads and Devices
UNKNOWN CODE
Lock Your Machine
MORE THAN JUST PRACTICAL JOKES
Privacy
Summary
Exercises
CHAPTER 10 Continuous Learning
What to Learn
Offensive = Defensive
Don't Forget Soft Skills
THE VALUE OF SOFT SKILLS
Leadership != Management
Learning Options
LUNCH AND LEARNS
TEACHING OTHERS ON YOUR TEAM
Accountability
ACCOUNTABILITY
Create Your Plan
WE ALL NEED DIRECTION
Take Action
Exercises
Learning Plan
CHAPTER 11 Closing Thoughts
Lingering Questions
When Have You Done Enough?
RISK ADVERSE
A SPECIAL NOTE FOR CONSULTANTS
How Do You Get Management on Board?
How Do You Get Developers on Board?
Where Do You Start?
Where Do You Get Help?
Conclusion
APPENDIX A Resources. Introduction
Chapter 1: Security Fundamentals
Chapter 2: Security Requirements
Chapter 3: Secure Design
Chapter 4: Secure Code
Chapter 5: Common Pitfalls
Chapter 6: Testing and Deployment
Chapter 7: An AppSec Program
Chapter 8: Securing Modern Applications and Systems
Chapter 9: Good Habits
Chapter 10: Continuous Learning
APPENDIX B Answer Key
Chapter 1: Security Fundamentals
Chapter 2: Security Requirements
Chapter 3: Secure Design
Chapter 4: Secure Code
Chapter 5: Common Pitfalls
Chapter 6: Testing and Deployment
Chapter 7: An AppSec Program
Chapter 8: Securing Modern Applications and Systems
Chapter 9: Good Habits
Chapter 10: Continuous Learning
Index
About the Author
About the Technical Editors
Acknowledgments
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Tanya Janca
.....
Giving users exactly how much access and control they need to do their jobs, but nothing more, is the concept of least privilege. The reasoning behind least privilege is that if someone were able to take over your account(s), they wouldn’t get very far. If you are a software developer with access to your code and read/write access to the single database that you are working on, that means if someone were able to take over your account they would only be able to access that one database, your code, your email, and whatever else you have access to. However, if you were the database owner on all of the databases, the intruder could potentially wipe out everything. Although it may be unpleasant to give up your superpowers on your desktop, network, or other systems, you are reducing the risk to those systems significantly by doing so.
Examples of least privilege:
.....