Learn application security from the very start, with this comprehensive and approachable guide! 

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects. 

Topics include:

  • Secure requirements, design, coding, and deployment
  • Security Testing (all forms)
  • Common Pitfalls
  • Application Security Programs
  • Securing Modern Applications
  • Software Developer Security Hygiene  

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs. 

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within. 

Table of Contents

  1. Cover
  2. Foreword
  3. Introduction
    1. Pushing Left
    2. About This Book
    3. Out-of-Scope Topics
    4. The Answer Key
  4. Part I: What You Must Know to Write Code Safe Enough to Put on the Internet
    1. CHAPTER 1: Security Fundamentals
    2. The Security Mandate: CIA
    3. Assume Breach
    4. Insider Threats
    5. Defense in Depth
    6. Least Privilege
    7. Supply Chain Security
    8. Security by Obscurity
    9. Attack Surface Reduction
    10. Hard Coding
    11. Never Trust, Always Verify
    12. Usable Security
    13. Factors of Authentication
    14. Exercises
    15. CHAPTER 2: Security Requirements
    16. Requirements
    17. Requirements Checklist
    18. Exercises
    19. CHAPTER 3: Secure Design
    20. Design Flaw vs. Security Bug
    21. Secure Design Concepts
    22. Segregation of Production Data
    23. Threat Modeling
    24. Exercises
    25. CHAPTER 4: Secure Code
    26. Selecting Your Framework and Programming Language
    27. Untrusted Data
    28. HTTP Verbs
    29. Identity
    30. Session Management
    31. Bounds Checking
    32. Authentication (AuthN)
    33. Authorization (AuthZ)
    34. Error Handling, Logging, and Monitoring
    35. Exercises
    36. CHAPTER 5: Common Pitfalls
    37. OWASP
    38. Defenses and Vulnerabilities Not Previously Covered
    39. Race Conditions
    40. Closing Comments
    41. Exercises
  5. Part II: What You Should Do to Create Very Good Code
    1. CHAPTER 6: Testing and Deployment
    2. Testing Your Code
    3. Testing Your Application
    4. Testing Your Infrastructure
    5. Testing Your Database
    6. Testing Your APIs and Web Services
    7. Testing Your Integrations
    8. Testing Your Network
    9. Deployment
    10. Exercises
    11. CHAPTER 7: An AppSec Program
    12. Application Security Program Goals
    13. Application Security Activities
    14. Application Security Tools
    15. CHAPTER 8: Securing Modern Applications and Systems
    16. APIs and Microservices
    17. Online Storage
    18. Containers and Orchestration
    19. Serverless
    20. Infrastructure as Code (IaC)
    21. Security as Code (SaC)
    22. Platform as a Service (PaaS)
    23. Infrastructure as a Service (IaaS)
    24. Continuous Integration/Delivery/Deployment
    25. Dev(Sec)Ops
    26. The Cloud
    27. Cloud Workflows
    28. Modern Tooling
    29. Modern Tactics
    30. Summary
    31. Exercises
  6. Part III: Helpful Information on How to Continue to Create Very Good Code
    1. CHAPTER 9: Good Habits
    2. Password Management
    3. Multi-Factor Authentication
    4. Incident Response
    5. Fire Drills
    6. Continuous Scanning
    7. Technical Debt
    8. Inventory
    9. Other Good Habits
    10. Summary
    11. Exercises
    12. CHAPTER 10: Continuous Learning
    13. What to Learn
    14. Take Action
    15. Exercises
    16. Learning Plan
    17. CHAPTER 11: Closing Thoughts
    18. Lingering Questions
    19. Conclusion
  7. APPENDIX A: Resources
    1. Introduction
    2. Chapter 1: Security Fundamentals
    3. Chapter 2: Security Requirements
    4. Chapter 3: Secure Design
    5. Chapter 4: Secure Code
    6. Chapter 5: Common Pitfalls
    7. Chapter 6: Testing and Deployment
    8. Chapter 7: An AppSec Program
    9. Chapter 8: Securing Modern Applications and Systems
    10. Chapter 9: Good Habits
    11. Chapter 10: Continuous Learning
  8. APPENDIX B: Answer Key
    1. Chapter 1: Security Fundamentals
    2. Chapter 2: Security Requirements
    3. Chapter 3: Secure Design
    4. Chapter 4: Secure Code
    5. Chapter 5: Common Pitfalls
    6. Chapter 6: Testing and Deployment
    7. Chapter 7: An AppSec Program
    8. Chapter 8: Securing Modern Applications and Systems
    9. Chapter 9: Good Habits
    10. Chapter 10: Continuous Learning
  9. Index
  10. End User License Agreement