Read the book Alice and Bob Learn Application Security - Tanya Janca - Page 2
Table of Contents
1 Cover
2 Introduction
    Pushing Left
    About This Book
    Out-of-Scope Topics
    The Answer Key
3 Part I: What You Must Know to Write Code Safe Enough to Put on the Internet
  CHAPTER 1: Security Fundamentals
    The Security Mandate: CIA
    Assume Breach
    Insider Threats
    Defense in Depth
    Least Privilege
    Supply Chain Security
    Security by Obscurity
    Attack Surface Reduction
    Hard Coding
    Never Trust, Always Verify
    Usable Security
    Factors of Authentication
    Exercises
  CHAPTER 2: Security Requirements
    Requirements
    Requirements Checklist
    Exercises
  CHAPTER 3: Secure Design
    Design Flaw vs. Security Bug
    Secure Design Concepts
    Segregation of Production Data
    Threat Modeling
    Exercises
  CHAPTER 4: Secure Code
    Selecting Your Framework and Programming Language
    Untrusted Data
    HTTP Verbs
    Identity
    Session Management
    Bounds Checking
    Authentication (AuthN)
    Authorization (AuthZ)
    Error Handling, Logging, and Monitoring
    Exercises
  CHAPTER 5: Common Pitfalls
    OWASP
    Defenses and Vulnerabilities Not Previously Covered
    Race Conditions
    Closing Comments
    Exercises
4 Part II: What You Should Do to Create Very Good Code
  CHAPTER 6: Testing and Deployment
    Testing Your Code
    Testing Your Application
    Testing Your Infrastructure
    Testing Your Database
    Testing Your APIs and Web Services
    Testing Your Integrations
    Testing Your Network
    Deployment
    Exercises
  CHAPTER 7: An AppSec Program
    Application Security Program Goals
    Application Security Activities
    Application Security Tools
  CHAPTER 8: Securing Modern Applications and Systems
    APIs and Microservices
    Online Storage
    Containers and Orchestration
    Serverless
    Infrastructure as Code (IaC)
    Security as Code (SaC)
    Platform as a Service (PaaS)
    Infrastructure as a Service (IaaS)
    Continuous Integration/Delivery/Deployment
    Dev(Sec)Ops
    The Cloud
    Cloud Workflows
    Modern Tooling
    Modern Tactics
    Summary
    Exercises
5 Part III: Helpful Information on How to Continue to Create Very Good Code
  CHAPTER 9: Good Habits
    Password Management
    Multi-Factor Authentication
    Incident Response
    Fire Drills
    Continuous Scanning
    Technical Debt
    Inventory
    Other Good Habits
    Summary
    Exercises
  CHAPTER 10: Continuous Learning
    What to Learn
    Take Action
    Exercises
    Learning Plan
  CHAPTER 11: Closing Thoughts
    Lingering Questions
    Conclusion
6 APPENDIX A: Resources
    Introduction
    Chapter 1: Security Fundamentals
    Chapter 2: Security Requirements
    Chapter 3: Secure Design
    Chapter 4: Secure Code
    Chapter 5: Common Pitfalls
    Chapter 6: Testing and Deployment
    Chapter 7: An AppSec Program
    Chapter 8: Securing Modern Applications and Systems
    Chapter 9: Good Habits
    Chapter 10: Continuous Learning
7 APPENDIX B: Answer Key
    Chapter 1: Security Fundamentals
    Chapter 2: Security Requirements
    Chapter 3: Secure Design
    Chapter 4: Secure Code
    Chapter 5: Common Pitfalls
    Chapter 6: Testing and Deployment
    Chapter 7: An AppSec Program
    Chapter 8: Securing Modern Applications and Systems
    Chapter 9: Good Habits
    Chapter 10: Continuous Learning
8 Index
List of Illustrations
1 Introduction
    Figure I-1: System Development Life Cycle (SDLC)
    Figure I-2: Shifting/Pushing Left
2 Chapter 1
    Figure 1-1: The CIA Triad is the reason IT Security teams exist.
    Figure 1-2: Confidentiality: keeping things safe
    Figure 1-3: Integrity means accuracy.
    Figure 1-4: Resilience improves availability.
    Figure 1-5: Three layers of security for an application; an example of defens...
    Figure 1-6: A possible supply chain for Bob's doll house
    Figure 1-7: Example of an application calling APIs and when to authenticate
3 Chapter 2
    Figure 2-1: The System Development Life Cycle (SDLC)
    Figure 2-2: Data classifications Bob uses at work
    Figure 2-3: Forgotten password flowchart
    Figure 2-4: Illustration of a web proxy intercepting web traffic
4 Chapter 3
    Figure 3-1: The System Development Life Cycle (SDLC)
    Figure 3-2: Flaws versus bugs
    Figure 3-3: Approximate cost to fix security bugs and flaws during the SDLC
    Figure 3-4: Pushing left
    Figure 3-5: Using a web proxy to circumvent JavaScript validation
    Figure 3-6: Example of very basic attack tree for a run-tracking mobile app
5 Chapter 4
    Figure 4-1: Input validation flowchart for untrusted data
    Figure 4-2: Session management flow example
6 Chapter 5
    Figure 5-1: CSRF flowchart
    Figure 5-2: SSRF flowchart
7 Chapter 6
    Figure 6-1: Continuous Integration/Continuous Delivery (CI/CD)
8 Chapter 7
    Figure 7-1: Security activities added to the SDLC
9 Chapter 8
    Figure 8-1: Simplified microservice architecture
    Figure 8-2: Microservice architecture with API gateway
    Figure 8-3: Infrastructure as Code workflow
    Figure 8-4: File integrity monitoring and application control tooling at work...