Learn application security from the very start, with this comprehensive and approachable guide!
Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.
Topics include:
- Secure requirements, design, coding, and deployment
- Security Testing (all forms)
- Common Pitfalls
- Application Security Programs
- Securing Modern Applications
- Software Developer Security Hygiene
Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.
Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.
Table of Contents
Foreword xxi
Introduction xxiii
Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1
Chapter 1 Security Fundamentals 3
The Security Mandate: CIA 3
Confidentiality 4
Integrity 5
Availability 5
Assume Breach 7
Insider Threats 8
Defense in Depth 9
Least Privilege 11
Supply Chain Security 11
Security by Obscurity 13
Attack Surface Reduction 14
Hard Coding 15
Never Trust, Always Verify 15
Usable Security 17
Factors of Authentication 18
Exercises 20
Chapter 2 Security Requirements 21
Requirements 22
Encryption 23
Never Trust System Input 24
Encoding and Escaping 28
Third-Party Components 29
Security Headers: Seatbelts for Web Apps 31
Security Headers in Action 32
X-XSS-Protection 32
Content-Security-Policy (CSP) 32
X-Frame-Options 35
X-Content-Type-Options 36
Referrer-Policy 36
Strict-Transport-Security (HSTS) 37
Feature-Policy 38
X-Permitted-Cross-Domain-Policies 39
Expect-CT 39
Public Key Pinning Extension for HTTP (HPKP) 41
Securing Your Cookies 42
The Secure Flag 42
The HttpOnly Flag 42
Persistence 43
Domain 43
Path 44
Same-Site 44
Cookie Prefixes 45
Data Privacy 45
Data Classification 45
Passwords, Storage, and Other Important Decisions 46
HTTPS Everywhere 52
TLS Settings 53
Comments 54
Backup and Rollback 54
Framework Security Features 54
Technical Debt = Security Debt 55
File Uploads 56
Errors and Logging 57
Input Validation and Sanitization 58
Authorization and Authentication 59
Parameterized Queries 59
URL Parameters 60
Least Privilege 60
Requirements Checklist 61
Exercises 63
Chapter 3 Secure Design 65
Design Flaw vs. Security Bug 66
Discovering a Flaw Late 67
Pushing Left 68
Secure Design Concepts 68
Protecting Sensitive Data 68
Never Trust, Always Verify/Zero Trust/Assume Breach 70
Backup and Rollback 71
Server-Side Security Validation 73
Framework Security Features 74
Security Function Isolation 74
Application Partitioning 75
Secret Management 76
Re-authentication for Transactions (Avoiding CSRF) 76
Segregation of Production Data 77
Protection of Source Code 77
Threat Modeling 78
Exercises 82
Chapter 4 Secure Code 83
Selecting Your Framework and Programming Language 83
Example #1 85
Example #2 85
Example #3 86
Programming Languages and Frameworks: The Rule 87
Untrusted Data 87
HTTP Verbs 89
Identity 90
Session Management 91
Bounds Checking 93
Authentication (AuthN) 94
Authorization (AuthZ) 96
Error Handling, Logging, and Monitoring 99
Rules for Errors 100
Logging 100
Monitoring 101
Exercises 103
Chapter 5 Common Pitfalls 105
OWASP 105
Defenses and Vulnerabilities Not Previously Covered 109
Cross-Site Request Forgery 110
Server-Side Request Forgery 112
Deserialization 114
Race Conditions 115
Closing Comments 117
Exercises 117
Part II What You Should Do to Create Very Good Code 119
Chapter 6 Testing and Deployment 121
Testing Your Code 121
Code Review 122
Static Application Security Testing (SAST) 123
Software Composition Analysis (SCA) 125
Unit Tests 126
Infrastructure as Code (IaC) and Security as Code (SaC) 128
Testing Your Application 129
Manual Testing 130
Browsers 131
Developer Tools 131
Web Proxies 132
Fuzzing 133
Dynamic Application Security Testing (DAST) 133
VA/Security Assessment/PenTest 135
Testing Your Infrastructure 141
Testing Your Database 141
Testing Your APIs and Web Services 142
Testing Your Integrations 143
Testing Your Network 144
Deployment 145
Editing Code Live on a Server 146
Publishing from an IDE 146
“Homemade” Deployment Systems 147
Run Books 148
Contiguous Integration/Continuous Delivery/Continuous Deployment 148
Exercises 149
Chapter 7 An AppSec Program 151
Application Security Program Goals 152
Creating and Maintaining an Application Inventory 153
Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153
Knowledge and Resources to Fix the Vulnerabilities 154
Education and Reference Materials 155
Providing Developers with Security Tools 155
Having One or More Security Activities During Each Phase of Your SDLC 156
Implementing Useful and Effective Tooling 157
An Incident Response Team That Knows When to Call You 157
Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159
Metrics 159
Experimentation 161
Feedback from Any and All Stakeholders 161
A Special Note on DevOps and Agile 162
Application Security Activities 162
Application Security Tools 164
Your Application Security Program 165
Exercises 166
Chapter 8 Securing Modern Applications and Systems 167
APIs and Microservices 168
Online Storage 171
Containers and Orchestration 172
Serverless 174
Infrastructure as Code (IaC) 175
Security as Code (SaC) 177
Platform as a Service (PaaS) 178
Infrastructure as a Service (IaaS) 179
Continuous Integration/Delivery/Deployment 180
Dev(Sec)Ops 180
DevSecOps 182
The Cloud 183
Cloud Computing 183
Cloud Native 184
Cloud Native Security 185
Cloud Workflows 185
Modern Tooling 186
IAST Interactive Application Security Testing 186
Runtime Application Security Protection 187
File Integrity Monitoring 187
Application Control Tools (Approved Software Lists) 187
Security Tools Created for DevOps Pipelines 188
Application Inventory Tools 188
Least Privilege and Other Policy Automation 189
Modern Tactics 189
Summary 191
Exercises 191
Part III Helpful Information on How to Continue to Create Very Good Code 193
Chapter 9 Good Habits 195
Password Management 196
Remove Password Complexity Rules 196
Use a Password Manager 197
Passphrases 198
Don’t Reuse Passwords 198
Do Not Implement Password Rotation 199
Multi-Factor Authentication 199
Incident Response 200
Fire Drills 201
Continuous Scanning 202
Technical Debt 202
Inventory 203
Other Good Habits 204
Policies 204
Downloads and Devices 204
Lock Your Machine 204
Privacy 205
Summary 206
Exercises 206
Chapter 10 Continuous Learning 207
What to Learn 208
Offensive = Defensive 208
Don’t Forget Soft Skills 208
Leadership != Management 209
Learning Options 209
Accountability 212
Create Your Plan 213
Take Action 214
Exercises 214
Learning Plan 216
Chapter 11 Closing Thoughts 217
Lingering Questions 218
When Have You Done Enough? 218
How Do You Get Management on Board? 220
How Do You Get Developers on Board? 221
Where Do You Start? 222
Where Do You Get Help? 223
Conclusion 223
Appendix A Resources 225
Introduction 225
Chapter 1: Security Fundamentals 225
Chapter 2: Security Requirements 226
Chapter 3: Secure Design 227
Chapter 4: Secure Code 228
Chapter 5: Common Pitfalls 228
Chapter 6: Testing and Deployment 229
Chapter 7: An AppSec Program 229
Chapter 8: Securing Modern Applications and Systems 230
Chapter 9: Good Habits 231
Chapter 10: Continuous Learning 231
Appendix B Answer Key 233
Chapter 1: Security Fundamentals 233
Chapter 2: Security Requirements 235
Chapter 3: Secure Design 236
Chapter 4: Secure Code 238
Chapter 5: Common Pitfalls 241
Chapter 6: Testing and Deployment 242
Chapter 7: An AppSec Program 244
Chapter 8: Securing Modern Applications and Systems 245
Chapter 9: Good Habits 247
Chapter 10: Continuous Learning 248
Index 249