A
admin processes, in twelve-factor app 253
admin tasks, in cloud environments 266–269
advanced constraints
invariants 149
ORM frameworks and 155
upholding, builder pattern for 151–154
ambiguous parameter lists, replacing 297–303
antifragility 356
APIs
hardening with domain primitive library 119–120
application-focused tests 211–212
auditability. See traceability
availability 9, 90–92, 213, 265–266, 269. See also CIA-T
avoid logging to file 263
defined 237
in microservices 330
logging as a service and 263–266
exploiting domain rules 215
B
backtracking, regular expression 200–201
echoing input verbatim, avoiding 247–248
overview 244
Bees with Machine Guns 214
boundary behavior testing 194–197
boundary input testing 191, 194–197
identifying in legacy code 296
language, model and 78
semantics and evolving services 329
splitting monoliths 328
builder pattern
ambiguous parameters and 297–299
for upholding advanced constraints 151–154
business concerns, security concerns equal priority as 19–20
C
centralized load balancing, in cloud environments 269–270
change, increasing to reduce risk 272
checklist, security code review 345
CIA-T (confidentiality, integrity, availability, and traceability) 8–9, 213, 237, 330–331
classes, explicit concepts as 45
client-side load balancing, in cloud environments 270–271
closed state, of circuit breakers 239
cloud environments
configuration, storing 253–258
in resource files, avoiding 255–256
to file on disk, avoid 261–263
running apps as separate processes 258–261
processing instances don’t hold state 259–260
security benefits 261
Three R’s, enterprise security 271–277
increase change to reduce risk 272–273
repairing vulnerable software 276–277
cloud-native applications, defined 253
codebase, in twelve-factor app 252
collections, securing integrity of 160–163
Command Query Responsibility Segregation (CQRS) 178
command-query separation (CQS) principle 148
concurrency, in twelve-factor app 252
confidentiality 7, 213, 264, 266, 269. See also CIA-T
in microservices 330
logging as a service and 264–265
logging to file and 262
through domain-oriented logger API 337–341
configuration
storing (cloud environments) 253–258
in resource files, avoiding 255–256
causes of configuration-related security flaws 216–218
overview 216
verifying implicit behaviors 219–221
configuration hot spots 218
confirmation bias 129
constructors
number of 154
upholding invariants in 99–101
context-driven testing 349–350
contracts. See also Design by Contract
as solution to defensive code constructs 308–309
Conway’s Law 84
CQRS (Command Query Responsibility Segregation) 178
CQS (command-query separation) principle 148
credentials
in code 255
credit card numbers, respresented by strings 42
critical complexity 52
cross-site scripting (XSS) attacks 12, 245, 247, 248–249
cryptographic hash function 334
D
data integrity. See integrity
data leaks
caused by evolving code 125–127
data transfer objects (DTOs) 120
DDD (Domain-Driven Design)
language, model and 78
capturing deep understanding 59–61
forming ubiquitous language 63–65
terminology 56
DDoS (distributed denial of service) attacks 213–215
decision-making 11
deep understanding, capturing 59–61
defensive code constructs 305–310
contracts and domain primitives as solution to 308–309
optional data types in 309–310
delivery pipelines 190–191, 346, 349
denial of service (DoS) attacks 109, 213–215
dependencies
hidden 242
in twelve-factor app 252
Dependency Inversion Principle 10
design approach to security 14–21
Design by Contract
coining of term 95
direct approach, to replacing ambiguous parameter lists 299–300
discovery approach, to replacing ambiguous parameter lists 300–302
disposability, in twelve-factor app 252
distributed denial of service (DDoS) attacks 213–215
distributed monolith 323
Document Type Definition (DTD) 22–23
domain, defined 56
domain DoS attacks 215
domain exceptions 236
domain focus 20
domain model
capturing deep understanding 59–60
defined 56
forming ubiquitous language 63–65
terminology 56
advantages of using 132
as smallest building blocks 114–118
as solution to defensive code constructs 308–309
context boundaries and 116–118
in entities, when to use 132–133
library of
overview 114
partial, in legacy codebases 316–321
encompassing conceptual whole 319–321
implicit, contextual currency 317–319
replacing ambiguous parameters with 298
where to apply in legacy code 296–297
DoS (denial of service) attacks 109, 213–215
DRY (Don’t Repeat Yourself) principle 82
defined 82
false positives 311
DTD (Document Type Definition) 22
DTOs (data transfer objects) 120
dynamic tests 193
E
echoing input verbatim, avoiding 247–248
eclectic approach to software security 21
Eiffel programming language 97
Enterprise Resource Planning (ERP) 57
enterprise security, in cloud environments (three R’s) 271–277
increasing change to reduce risk 272
repairing vulnerable software 276–277
consistent on creation 140–146
catching advanced constraints 149–151
construction with fluent interface 147–149
example when not 140
mandatory fields as constructor arguments 143–146
no-arg constructors, problems with 140–143
ORM frameworks and advanced constraints 155
upholding advanced constraints, builder pattern for 151–154
getter and setter methods 156–157
mutable objects, avoiding sharing of 158–160
securing integrity of collections 160–163
managing mutable states using 138–139
partially immutable 166–168, 187
security vulnerabilities and 127
entity expansion, XML 23–25, 28. See also Billion Laughs Attack
splitting state graph into phases 183–186
changing state of underlying entity 177–180
entities represented with immutable objects 175–177
when to use 180
entity state graphs, complicated 181
implementing entity state as separate object 172–174
overview 168
upholding entity state rules 168–172
ERP (Enterprise Resource Planning) 57
exceptions
handling failures without 232–237
intermixing, business and technical 226–227
explicit domain exceptions 229–230
externally unique identifiers 68
extreme input testing 191, 200–201
F
failures
as different from exceptions 232–234
fail-fast approach 101–102, 240
handling without exceptions 232–237
fallback answers 240
auditing 209
example of mishap with 201–202
automatically 205
multiple toggles 209
features, vs. security concerns 5–8
findFirst method 227
flow-of-materials systems 57
G
gambling sites, online 172
global exception handlers 228, 231
globally unique identifiers 68
H
Hack the Pentagon program 351
half-open state, of circuit breakers 239
I
IaC (infrastructure as code) 212
immutable entities, partially 166–168
immutable objects entities represented with 174–177
implicit behaviors, verifying configuration 219–221
implicit concepts
incident handling 354
independent runtimes, microservices 324
independent updates, microservices 324
indirect coupling, between feature toggles 209
infinite timeouts 240
infrastructure as code (IaC) 212
infrastructure-focused tests 211–212
injection attack, See <script>alert('pwned')</script>
input, echoing verbatim 247–248
input validation 102
integrity 8, 90, 92–94, 266, 269. See also CIA-T
in microservices 330
logging as a service and 265
logging to file and 262
of aggregated log data 333–334
invalid input, testing for 191, 197–200
invariants 73
advanced constraints as 149–151
internal, in entities 67
upholding in constructors 99–101
J
JavaBeans specification 146
java.util.Date class 159
JPA (Java Persistence API) 142–143. See also ORM
K
keywords, synchronized 89, 166, 174
L
least privilege principle 258
legacy codebases
ambiguous parameter lists in, replacing 297–303
defensive code constructs in 305–310
contracts and domain primitives as solution to 308–309
optional data types in 309–310
defined 295
domain primitives in, partial 316–321
encompassing conceptual whole 319–320
implicit, contextual currency 317–319
DRY principle misapplied in 310–313
false positives 311
insufficient testing in 315–316
insufficient validation in domain types in 313–315
logging unchecked strings in 303–305
identifying implicit data leakage 304–305
length check, validation 103, 105–106
lexical content, check
load balancing, in cloud environments 269–271
client-side 270
logging
to file on disk, avoid 261–263
confidentiality through a domain-oriented logger API 337–341
integrity of aggregated log data 333–334
traceability in log data 334–337
in twelve-factor app 253
levels 337
unchecked strings in legacy codebases 303–305
identifying implicit data leakage 304–305
login page 7
M
mandatory fields, as constructor arguments 143–146
message queues 242
microservices
semantics and evolving services 329
splitting monoliths 328
designed for down 324
independent runtimes 324
independent updates 324
confidentiality through a domain-oriented logger API 337–341
integrity of aggregated log data 333–334
traceability in log data 334–337
overview 323
broad meaning of sensitive 331–332
CIA-T in microservice architecture 330–331
microservices architecture 292, 323
models. See domain model
monoliths, splitting 328
mutable objects, avoiding sharing of 158–160
mutable states
managing using entities 138–139
N
network security 332
new API approach, to replacing ambiguous parameter lists 302–303
normal input testing 191, 193–194
normalizing log data 334
O
object management systems 57
object-relational mapper framework 142–143, 155
online gambling sites 172
open state, of circuit breakers 239
Open Web Application Security Project. See OWASP
operational constraints 28
origin of data, checking 103–105
ORM frameworks
advanced constraints 155
overcluttered entity methods
OWASP (Open Web Application Security Project) 24
Builders’ community 358
P
PaaS (Platform-as-a-Service) 253, 270, 273
parameter lists, ambiguous , replacing
parsers, as target of DoS attacks 109
partially immutable entities 166–168
passwords
in code 255
penetration testing 12, 21, 347–351
challenging design using 348
context-driven testing 349–350
frequency of 349
learning from feedback from 349
reports of results from 357–358
Platform-as-a-Service (PaaS) 253, 270, 273
port binding 252
Postel’s Law 27
prioritizing work, on vulnerabilities 347
processes, in twelve-factor app 252
propagation policy, tainting 134
Q
queues 238
R
detecting unintentional use 123–125
overview 121
read-once pattern. See read-once objects
repairing vulnerable software 276–277
responsiveness 238
root of aggregates 75
rotating
logs 269
S
SAX parser (Simple API for XML) 25
second-order attacks 245
secrets
sharing 257
storing
in resources files, avoiding 255–256
secure entities, replacing ambiguous parameters with 298
security
thinking explicitly about 14
security code review checklist 345
security concerns
security incident mechanism 353–358
incident handling 354
semantics 78
changing, between microservices 329
checking, validation 103, 110–111
sensitive data, across microservices 329–332
broad meaning of sensitive 331–332
CIA-T in microservice architecture 330–331
service discovery 270
service methods, rules embedded in 169
set/get naming convention 146
setter-based initialization 141
single-threaded shielding environment 166
Single Writer Principle 178
size of data, validation 103, 105–106
slow systems 238
Social Security numbers (SSNs), represented by strings 42
ssh access 267
standard systems 57
stateless requests, processes serving 259–260, 261
strictness of domain models 56
strings
credit card numbers respresented by 42
Social Security numbers respresented by 42
unchecked, in legacy codebases 303–305
identifying implicit data leakage 304–305
structs, entities as 169
synchronized keywords 89–94, 125–126, 166, 174–175, 180
syntax, validation 103, 109–110
system theory 356
T
technical exceptions 225–227, 236
testing 191–201. See also penetration testing
exploiting domain rules 215
multiple toggles 209
only good enough, in legacy code 315–316
with input that causes eventual harm 199
thread contention 89
Three R’s of Enterprise Security 271–277
timeouts 239
toggles. See feature toggles
tokenizers 107
Tolerant Reader pattern 27
traceability 9. See also logging
traditional approach to security 11–14
transactions, identifying across system 336–337
twelve-factor app, defined 252
U
ubiquitous language 63–65, 77–78
unchecked strings in legacy codebases, logging 303–305
identifying implicit data leakage 304–305
use cases 6
V
Validate utility class 98, 101
validation 102
causes of configuration-related security flaws 216–218
overview 216
verifying implicit behaviors 219–221
insufficient, in legacy code 313–315
lexical content of data 107–109
origin of data, checking 103–105
overview 102
repairing data, never before 245–247
value objects 17, 70–75, 114–115, 121, 159, 314. See also domain primitives
VMs (virtual machines) 242, 274–275
vulnerable software, repairing 276–277
W
work queues 238
X
XML (Extensible Markup Language) 22–29
XSS (cross-site scripting) attacks 12–13,199–200, 245–249
logging (continued)
18.217.116.183