A

admin processes, in twelve-factor app 253

admin tasks, in cloud environments 266–269

advanced constraints

catching 149–151

invariants 149

ORM frameworks and 155

upholding, builder pattern for 151–154

aggregate 73–77

ambiguous parameter lists, replacing 297–303

direct approach 299–300

discovery approach 299–302

new API approach 299, 302–303

antifragility 356

APIs

hardening with domain primitive library 119–120

application-focused tests 211–212

APT attacks 272, 274

audit trails 257, 264

auditability. See traceability

automated testing 210–213

availability 9, 90–92, 213, 265–266, 269. See also CIA-T

avoid logging to file 263

defined 237

designing for 237–244

in microservices 330

logging as a service and 263–266

testing for 213–215

estimating headroom 213–215

exploiting domain rules 215

B

backing services 252, 260

backtracking, regular expression 200–201

bad data 244–249

echoing input verbatim, avoiding 247–248

never repair 245–247

overview 244

XSS Polyglots 248–249

bank robbery example 5–6

Bees with Machine Guns 214

Billion Laughs attack 23–29

boundary behavior testing 194–197

boundary input testing 191, 194–197

bounded contexts 77–85

context mapping 83–85, 329

identifying 78–81

identifying in legacy code 296

interactions between 81–85

language, model and 78

microservices as 325–329

API design 326–328

semantics and evolving services 329

splitting monoliths 328

ubiquitous language and 77–78

bug bounty programs 350–351

builder pattern

ambiguous parameters and 297–299

for upholding advanced constraints 151–154

bulkheads 241–243

business concerns, security concerns equal priority as 19–20

business exceptions 225–232

C

centralized load balancing, in cloud environments 269–270

change, increasing to reduce risk 272

checklist, security code review 345

checksums 109–110

CIA-T (confidentiality, integrity, availability, and traceability) 8–9, 213, 237, 330–331

circuit breakers 238–241

classes, explicit concepts as 45

client-side load balancing, in cloud environments 270–271

closed state, of circuit breakers 239

cloud environments

admin tasks 266–269

configuration, storing 253–258

in code, avoiding 254–255

in environment 256–258

in resource files, avoiding 255–256

load balancing 269–271

centralized 269–270

client-side 270–271

logging in 261–266

as a service 263–266

to file on disk, avoid 261–263

overview 251–252

running apps as separate processes 258–261

processing instances don’t hold state 259–260

security benefits 261

Three R’s, enterprise security 271–277

increase change to reduce risk 272–273

repairing vulnerable software 276–277

repaving servers 274–275

rotating secrets 273–274

cloud-native applications, defined 253

code security reviews 344–346

codebase, in twelve-factor app 252

collections, securing integrity of 160–163

Command Query Responsibility Segregation (CQRS) 178

command-query separation (CQS) principle 148

concurrency, in twelve-factor app 252

confidentiality 7, 213, 264, 266, 269. See also CIA-T

in microservices 330

logging as a service and 264–265

logging to file and 262

through domain-oriented logger API 337–341

configuration

storing (cloud environments) 253–258

encryption 257–258

in code, avoiding 254–255

in environment 256–258

in resource files, avoiding 255–256

validating 216–221

automated tests 218–219

causes of configuration-related security flaws 216–218

overview 216

verifying implicit behaviors 219–221

configuration hot spots 218

confirmation bias 129

constructors

number of 154

upholding invariants in 99–101

containers 242, 275

context-driven testing 349–350

context mapping 83–85, 329

contracts. See also Design by Contract

as solution to defensive code constructs 308–309

Conway’s Law 84

CQRS (Command Query Responsibility Segregation) 178

CQS (command-query separation) principle 148

credentials

ephemeral 273–274

in code 255

credit card numbers, respresented by strings 42

critical complexity 52

cross-site scripting (XSS) attacks 12, 245, 247, 248–249

cryptographic hash function 334

D

data integrity. See integrity

data leaks

caused by evolving code 125–127

implicit, identifying 304–305

data syntax, checking 109–110

data transfer objects (DTOs) 120

DDD (Domain-Driven Design)

bounded contexts 77–85

context mapping 83–85, 329

identifying 78–81

interactions between 81–85

language, model and 78

ubiquitous language and 77–78

models in 51–77

as simplifications 53–56

building blocks for 65–77

capturing deep understanding 59–61

choosing 61–62

forming ubiquitous language 63–65

strictness of 56–59

terminology 56

overview 49–51

DDoS (distributed denial of service) attacks 213–215

decision-making 11

deep modeling 43–46

deep understanding, capturing 59–61

defensive code constructs 305–310

contracts and domain primitives as solution to 308–309

example 306–308

optional data types in 309–310

delivery pipelines 190–191, 346, 349

denial of service (DoS) attacks 109, 213–215

dependencies

DRY principle and 311–312

hidden 242

in twelve-factor app 252

Dependency Inversion Principle 10

design, defining 9–11

design approach to security 14–21

advantages of 18–21

example 15–18

Design by Contract

coining of term 95

example 95–97

DevOps culture 344, 353

direct approach, to replacing ambiguous parameter lists 299–300

discovery approach, to replacing ambiguous parameter lists 300–302

disposability, in twelve-factor app 252

distilling models 61–62

distributed denial of service (DDoS) attacks 213–215

distributed monolith 323

Document Type Definition (DTD) 22–23

domain, defined 56

domain DoS attacks 215

domain exceptions 236

domain focus 20

domain language 63–64

domain model

as simplifications 53–56

building blocks for 65–77

aggregates 73–77

entities 66–70

value objects 70–73

capturing deep understanding 59–60

circuit breakers and 240–241

choosing 61–62

defined 56

forming ubiquitous language 63–65

strictness of 56–59

terminology 56

domain primitives 17, 114–136

advantages of using 132

as smallest building blocks 114–118

as solution to defensive code constructs 308–309

context boundaries and 116–118

in entities, when to use 132–133

library of

hardening APIs with 119–120

overview 118–119

overview 114

partial, in legacy codebases 316–321

encompassing conceptual whole 319–321

implicit, contextual currency 317–319

read-once objects as 121–127

replacing ambiguous parameters with 298

where to apply in legacy code 296–297

domain rules 192, 215

DoS (denial of service) attacks 109, 213–215

DRY (Don’t Repeat Yourself) principle 82

defined 82

misapplications of 310–313

false negatives 312–313

false positives 311

problems caused by 311–312

syntactic duplication 81–83

DTD (Document Type Definition) 22

DTOs (data transfer objects) 120

dynamic tests 193

E

echoing input verbatim, avoiding 247–248

eclectic approach to software security 21

Eiffel programming language 97

encryption 257–258

Enterprise Resource Planning (ERP) 57

enterprise security, in cloud environments (three R’s) 271–277

increasing change to reduce risk 272

repairing vulnerable software 276–277

repaving servers 274–275

rotating secrets 273–274

entities 66–70

consistent on creation 140–146

catching advanced constraints 149–151

construction with fluent interface 147–149

example when not 140

mandatory fields as constructor arguments 143–146

no-arg constructors, problems with 140–143

ORM frameworks and advanced constraints 155

upholding advanced constraints, builder pattern for 151–154

decluttering 129–132

domain primitives in 132–133

general discussion 127–129

integrity of 156–163

getter and setter methods 156–157

mutable objects, avoiding sharing of 158–160

securing integrity of collections 160–163

locked 178–179

managing mutable states using 138–139

partially immutable 166–168, 187

security vulnerabilities and 127

entity expansion, XML 23–25, 28. See also Billion Laughs Attack

entity relay 181–188

example 181–183

splitting state graph into phases 183–186

when to form 186–188

entity snapshots 174–180

changing state of underlying entity 177–180

entities represented with immutable objects 175–177

overview 174–175

when to use 180

entity state graphs, complicated 181

entity state objects 168–174

implementing entity state as separate object 172–174

overview 168

upholding entity state rules 168–172

ERP (Enterprise Resource Planning) 57

estimating headroom 213–215

Evans, Eric 50, 74, 147

exceptions

handling failures without 232–237

intermixing, business and technical 226–227

using for failures 224–232

exception payload 231–232

handling exceptions 227–230

overview 224–225

throwing exceptions 225–227

explicit domain exceptions 229–230

externally unique identifiers 68

extreme input testing 191, 200–201

F

failures

as different from exceptions 232–234

fail-fast approach 101–102, 240

handling without exceptions 232–237

using exceptions for 224–232

exception payload 231–232

handling exceptions 227–230

overview 224–225

throwing exceptions 225–227

fallback answers 240

feature toggles 201–210

as developmental tool 202–205

auditing 209

example of mishap with 201–202

testing 205–209

automatically 205

multiple toggles 209

features, vs. security concerns 5–8

findFirst method 227

flow-of-materials systems 57

fluent interface 147–149

G

gambling sites, online 172

getter methods 156–157

global exception handlers 228, 231

globally unique identifiers 68

H

Hack the Pentagon program 351

half-open state, of circuit breakers 239

headroom, estimating 213–215

I

IaC (infrastructure as code) 212

identity , of entities 66–69

immutability 88–95

immutable entities, partially 166–168

immutable objects entities represented with 174–177

implicit behaviors, verifying configuration 219–221

implicit concepts

making them explicit 45–46

shallow modeling 40–43

incident handling 354

independent runtimes, microservices 324

independent updates, microservices 324

indirect coupling, between feature toggles 209

infinite timeouts 240

infrastructure as code (IaC) 212

infrastructure-focused tests 211–212

injection attack, See <script>alert('pwned')</script>

input, echoing verbatim 247–248

input validation 102

integrity 8, 90, 92–94, 266, 269. See also CIA-T

in microservices 330

logging as a service and 265

logging to file and 262

of aggregated log data 333–334

internal XML entities 22–23

invalid input, testing for 191, 197–200

invariants 73

advanced constraints as 149–151

domain primitives and 114–116

internal, in entities 67

upholding in constructors 99–101

J

JavaBeans specification 146

java.util.Date class 159

JPA (Java Persistence API) 142–143. See also ORM

K

keywords, synchronized 89, 166, 174

L

least privilege principle 258

legacy codebases

ambiguous parameter lists in, replacing 297–303

direct approach 299–300

discovery approach 300–302

new API approach 302–303

defensive code constructs in 305–310

contracts and domain primitives as solution to 308–309

example 306–308

optional data types in 309–310

defined 295

domain primitives in 296–297

domain primitives in, partial 316–321

encompassing conceptual whole 319–320

implicit, contextual currency 317–319

DRY principle misapplied in 310–313

false negatives 312–313

false positives 311

problems caused by 311–312

insufficient testing in 315–316

insufficient validation in domain types in 313–315

logging unchecked strings in 303–305

identifying 303–304

identifying implicit data leakage 304–305

length check, validation 103, 105–106

lexical content, check 

validation 103, 107–109

Billion Laughs attack 25–29

load balancing, in cloud environments 269–271

centralized 269–270

client-side 270

logging

in cloud environments 261–266

as a service 263–266

to file on disk, avoid 261–263

in microservices 332–341

confidentiality through a domain-oriented logger API 337–341

integrity of aggregated log data 333–334

traceability in log data 334–337

in twelve-factor app 253

levels 337

unchecked strings in legacy codebases 303–305

identifying 303–304

identifying implicit data leakage 304–305

login page 7

M

mandatory fields, as constructor arguments 143–146

message queues 242

microservices

as bounded context 325–329

API design 326–328

semantics and evolving services 329

splitting monoliths 328

designed for down 324

independent runtimes 324

independent updates 324

logging in 332–341

confidentiality through a domain-oriented logger API 337–341

integrity of aggregated log data 333–334

traceability in log data 334–337

overview 323

sensitive data across 329–332

broad meaning of sensitive 331–332

CIA-T in microservice architecture 330–331

microservices architecture 292, 323

models. See domain model

monoliths, splitting 328

mutability, issues with 88–94

mutable objects, avoiding sharing of 158–160

mutable states

managing using entities 138–139

overview 137–138

N

network security 332

new API approach, to replacing ambiguous parameter lists 302–303

no-arg constructors 140–143

normal input testing 191, 193–194

normalizing log data 334

O

object management systems 57

object-relational mapper framework 142–143, 155

online gambling sites 172

open state, of circuit breakers 239

Open Web Application Security Project. See OWASP

operational constraints 28

optional data types 309–310

origin of data, checking 103–105

ORM frameworks

no-arg constructors 142–143

advanced constraints 155

Öst-Götha Bank robbery 5–6

overcluttered entity methods

decluttering 129–132

general discussion 127–129

OWASP (Open Web Application Security Project) 24

Builders’ community 358

Top 10 12, 351

P

PaaS (Platform-as-a-Service) 253, 270, 273

parameter lists, ambiguous , replacing

direct approach 299–300

discovery approach 299–302

new API approach 299, 302–303

parser configuration 23–24

parsers, as target of DoS attacks 109

partially immutable entities 166–168

passwords

as domain primitive 124–125

in code 255

treated as ephemeral 273–274

penetration testing 12, 21, 347–351

challenging design using 348

context-driven testing 349–350

frequency of 349

learning from feedback from 349

reports of results from 357–358

Platform-as-a-Service (PaaS) 253, 270, 273

port binding 252

Postel’s Law 27

preconditions 95–99

prioritizing work, on vulnerabilities 347

problem resolution 353–355

processes, in twelve-factor app 252

propagation policy, tainting 134

Q

queues 238

R

race condition 165–166

Reactive Manifesto 243–244

reactive systems 243–244

read-once objects 121–127

detecting unintentional use 123–125

domain primitives as 121–127

example 121–123

overview 121

read-once pattern. See read-once objects

repairing vulnerable software 276–277

repaving servers 274–275

resilience 237, 356–358

responsiveness 238

robbery example 5–6

root of aggregates 75

rotating

logs 269

secrets 273–274

S

SAX parser (Simple API for XML) 25

second-order attacks 245

secrets

rotating 273–274

sharing 257

storing

in code, avoiding 254–255

in resources files, avoiding 255–256

secure entities, replacing ambiguous parameters with 298

security

studying field of 351–353

thinking explicitly about 14

traditional approach to 11–14

security code review checklist 345

security concerns

categorizing 8–9

vs. features 5–8

security in depth 28–29

security incident mechanism 353–358

incident handling 354

problem resolution 354–355

semantic versioning 335–336

semantics 78

changing, between microservices 329

checking, validation 103, 110–111

sensitive data, across microservices 329–332

broad meaning of sensitive 331–332

CIA-T in microservice architecture 330–331

servers, repaving 274–275

service discovery 270

service methods, rules embedded in 169

services, separating 280–281

set/get naming convention 146

setter-based initialization 141

shallow modeling 40–43

how emerges 41–42

implicit concepts 42–43

single-threaded shielding environment 166

Single Writer Principle 178

size of data, validation 103, 105–106

slow systems 238

Social Security numbers (SSNs), represented by strings 42

ssh access 267

standard systems 57

stateless requests, processes serving 259–260, 261

strictness of domain models 56

strings

credit card numbers respresented by 42

Social Security numbers respresented by 42

unchecked, in legacy codebases 303–305

identifying 303–304

identifying implicit data leakage 304–305

structs, entities as  169

synchronized keywords 89–94, 125–126, 166, 174–175, 180

syntax, validation 103, 109–110

system theory 356

T

taint analysis 133–136

technical exceptions 225–227, 236

testing 191–201. See also penetration testing

automated 210–213

boundary behavior 194–197

feature toggles 205–209

for availability 213–215

estimating headroom 213–215

exploiting domain rules 215

multiple toggles 209

normal behavior 193–194

of the extreme 200–201

only good enough, in legacy code 315–316

overview 191–192

with input that causes eventual harm 199

with invalid input 197–198

thread contention 89

Three R’s of Enterprise Security 271–277

timeouts 239

toggles. See feature toggles

tokenizers 107

Tolerant Reader pattern 27

traceability 9. See also logging

in log data 334–337

in microservices 330–331

traditional approach to security 11–14

transactions, identifying across system 336–337

twelve-factor app, defined 252

U

ubiquitous language 63–65, 77–78

unchecked strings in legacy codebases, logging 303–305

identifying 303–304

identifying implicit data leakage 304–305

untainting 133–135

use cases 6

V

Validate utility class 98, 101

validation 102

configuration 216–221

automated tests 218–219

causes of configuration-related security flaws 216–218

overview 216

verifying implicit behaviors 219–221

data semantics 110–111

data syntax 109–110

insufficient, in legacy code 313–315

lexical content of data 107–109

origin of data, checking 103–105

overview 102

repairing data, never before 245–247

size of data 105–106

value objects 17, 70–75, 114–115, 121, 159, 314. See also domain primitives

VMs (virtual machines) 242, 274–275

vulnerable software, repairing 276–277

W

Wolff’s law 356–358

work queues 238

X

XML (Extensible Markup Language) 22–29

Billion Laughs attack 23–29

internal XML entities 22–23

lexical content check 107–108

XSS (cross-site scripting) attacks 12–13,199–200, 245–249

XSS polyglots 248–249

logging (continued)