
Alice and Bob Learn Application Security [Paperback]

  • Format: Paperback / softback, 288 pages, height x width x thickness: 231x185x23 mm, weight: 408 g
  • Publication date: 04-Dec-2020
  • Publisher: John Wiley & Sons Inc
  • ISBN-10: 1119687357
  • ISBN-13: 9781119687351
  • Binding: Paperback
  • Price: 48,28 €*
  • * the price is final, i.e. no further discounts apply
  • Regular price: 56,80 €
  • You save 15%
  • Delivery from the publisher takes approximately 2-4 weeks
  • Free shipping

Learn application security from the very start, with this comprehensive and approachable guide!

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects. Topics include: 

  • Secure requirements, design, coding, and deployment
  • Security Testing (all forms)
  • Common Pitfalls
  • Application Security Programs
  • Securing Modern Applications
  • Software Developer Security Hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs. 

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within. 

Table of contents (start page, with the entry's page count in parentheses):

Introduction  xxi
Part I What You Must Know to Write Code Safe Enough to Put on the Internet  1 (118)
  Chapter 1 Security Fundamentals  3 (18)
    The Security Mandate: CIA  3 (4)
    Confidentiality  4 (1)
    Integrity  5 (1)
    Availability  5 (2)
    Assume Breach  7 (1)
    Insider Threats  8 (1)
    Defense in Depth  9 (2)
    Least Privilege  11 (1)
    Supply Chain Security  11 (2)
    Security by Obscurity  13 (1)
    Attack Surface Reduction  14 (1)
    Hard Coding  15 (1)
    Never Trust, Always Verify  15 (2)
    Usable Security  17 (1)
    Factors of Authentication  18 (2)
    Exercises  20 (1)
  Chapter 2 Security Requirements  21 (44)
    Requirements  22 (20)
    Encryption  23 (1)
    Never Trust System Input  24 (4)
    Encoding and Escaping  28 (1)
    Third-Party Components  29 (2)
    Security Headers: Seatbelts for Web Apps  31 (1)
    Security Headers in Action  32 (1)
    X-XSS-Protection  32 (1)
    Content-Security-Policy (CSP)  32 (3)
    X-Frame-Options  35 (1)
    X-Content-Type-Options  36 (1)
    Referrer-Policy  36 (1)
    Strict-Transport-Security (HSTS)  37 (1)
    Feature-Policy  38 (1)
    X-Permitted-Cross-Domain-Policies  39 (1)
    Expect-CT  39 (2)
    Public Key Pinning Extension for HTTP (HPKP)  41 (1)
    Securing Your Cookies  42 (4)
    The Secure Flag  42 (1)
    The HttpOnly Flag  42 (1)
    Persistence  43 (1)
    Domain  43 (1)
    Path  44 (1)
    Same-Site  44 (1)
    Cookie Prefixes  45 (1)
    Data Privacy  45 (1)
    Data Classification  45 (1)
    Passwords, Storage, and Other Important Decisions  46 (8)
    HTTPS Everywhere  52 (1)
    TLS Settings  53 (1)
    Comments  54 (1)
    Backup and Rollback  54 (1)
    Framework Security Features  54 (1)
    Technical Debt = Security Debt  55 (1)
    File Uploads  56 (1)
    Errors and Logging  57 (1)
    Input Validation and Sanitization  58 (1)
    Authorization and Authentication  59 (1)
    Parameterized Queries  59 (1)
    URL Parameters  60 (1)
    Least Privilege  60 (1)
    Requirements Checklist  61 (2)
    Exercises  63 (2)
  Chapter 3 Secure Design  65 (18)
    Design Flaw vs. Security Bug  66 (2)
    Discovering a Flaw Late  67 (1)
    Pushing Left  68 (1)
    Secure Design Concepts  68 (9)
    Protecting Sensitive Data  68 (2)
    Never Trust, Always Verify/Zero Trust/Assume Breach  70 (1)
    Backup and Rollback  71 (2)
    Server-Side Security Validation  73 (1)
    Framework Security Features  74 (1)
    Security Function Isolation  74 (1)
    Application Partitioning  75 (1)
    Secret Management  76 (1)
    Re-authentication for Transactions (Avoiding CSRF)  76 (1)
    Segregation of Production Data  77 (1)
    Protection of Source Code  77 (1)
    Threat Modeling  78 (4)
    Exercises  82 (1)
  Chapter 4 Secure Code  83 (22)
    Selecting Your Framework and Programming Language  83 (4)
    Example #1  85 (1)
    Example #2  85 (1)
    Example #3  86 (1)
    Programming Languages and Frameworks: The Rule  87 (1)
    Untrusted Data  87 (2)
    HTTP Verbs  89 (1)
    Identity  90 (1)
    Session Management  91 (2)
    Bounds Checking  93 (1)
    Authentication (AuthN)  94 (2)
    Authorization (AuthZ)  96 (3)
    Error Handling, Logging, and Monitoring  99 (4)
    Rules for Errors  100 (1)
    Logging  100 (1)
    Monitoring  101 (2)
    Exercises  103 (2)
  Chapter 5 Common Pitfalls  105 (14)
    OWASP  105 (4)
    Defenses and Vulnerabilities Not Previously Covered  109 (6)
    Cross-Site Request Forgery  110 (2)
    Server-Side Request Forgery  112 (2)
    Deserialization  114 (1)
    Race Conditions  115 (2)
    Closing Comments  117 (1)
    Exercises  117 (2)
Part II What You Should Do to Create Very Good Code  119 (74)
  Chapter 6 Testing and Deployment  121 (30)
    Testing Your Code  121 (8)
    Code Review  122 (1)
    Static Application Security Testing (SAST)  123 (2)
    Software Composition Analysis (SCA)  125 (1)
    Unit Tests  126 (2)
    Infrastructure as Code (IaC) and Security as Code (SaC)  128 (1)
    Testing Your Application  129 (12)
    Manual Testing  130 (1)
    Browsers  131 (1)
    Developer Tools  131 (1)
    Web Proxies  132 (1)
    Fuzzing  133 (1)
    Dynamic Application Security Testing (DAST)  133 (2)
    VA/Security Assessment/PenTest  135 (6)
    Testing Your Infrastructure  141 (1)
    Testing Your Database  141 (1)
    Testing Your APIs and Web Services  142 (1)
    Testing Your Integrations  143 (1)
    Testing Your Network  144 (1)
    Deployment  145 (4)
    Editing Code Live on a Server  146 (1)
    Publishing from an IDE  146 (1)
    "Homemade" Deployment Systems  147 (1)
    Run Books  148 (1)
    Continuous Integration/Continuous Delivery/Continuous Deployment  148 (1)
    Exercises  149 (2)
  Chapter 7 An AppSec Program  151 (16)
    Application Security Program Goals  152 (10)
    Creating and Maintaining an Application Inventory  153 (1)
    Capability to Find Vulnerabilities in Written, Running, and Third-Party Code  153 (1)
    Knowledge and Resources to Fix the Vulnerabilities  154 (1)
    Education and Reference Materials  155 (1)
    Providing Developers with Security Tools  155 (1)
    Having One or More Security Activities During Each Phase of Your SDLC  156 (1)
    Implementing Useful and Effective Tooling  157 (1)
    An Incident Response Team That Knows When to Call You  157 (2)
    Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback  159 (1)
    Metrics  159 (2)
    Experimentation  161 (1)
    Feedback from Any and All Stakeholders  161 (1)
    A Special Note on DevOps and Agile  162 (1)
    Application Security Activities  162 (2)
    Application Security Tools  164 (2)
    Your Application Security Program  165 (1)
    Exercises  166 (1)
  Chapter 8 Securing Modern Applications and Systems  167 (26)
    APIs and Microservices  168 (3)
    Online Storage  171 (1)
    Containers and Orchestration  172 (2)
    Serverless  174 (1)
    Infrastructure as Code (IaC)  175 (2)
    Security as Code (SaC)  177 (1)
    Platform as a Service (PaaS)  178 (1)
    Infrastructure as a Service (IaaS)  179 (1)
    Continuous Integration/Delivery/Deployment  180 (1)
    Dev(Sec)Ops  180 (3)
    DevSecOps  182 (1)
    The Cloud  183 (2)
    Cloud Computing  183 (1)
    Cloud Native  184 (1)
    Cloud Native Security  185 (1)
    Cloud Workflows  185 (1)
    Modern Tooling  186 (3)
    IAST Interactive Application Security Testing  186 (1)
    Runtime Application Security Protection  187 (1)
    File Integrity Monitoring  187 (1)
    Application Control Tools (Approved Software Lists)  187 (1)
    Security Tools Created for DevOps Pipelines  188 (1)
    Application Inventory Tools  188 (1)
    Least Privilege and Other Policy Automation  189 (1)
    Modern Tactics  189 (2)
    Summary  191 (1)
    Exercises  191 (2)
Part III Helpful Information on How to Continue to Create Very Good Code  193 (32)
  Chapter 9 Good Habits  195 (12)
    Password Management  196 (3)
    Remove Password Complexity Rules  196 (1)
    Use a Password Manager  197 (1)
    Passphrases  198 (1)
    Don't Reuse Passwords  198 (1)
    Do Not Implement Password Rotation  199 (1)
    Multi-Factor Authentication  199 (1)
    Incident Response  200 (1)
    Fire Drills  201 (1)
    Continuous Scanning  202 (1)
    Technical Debt  202 (1)
    Inventory  203 (1)
    Other Good Habits  204 (2)
    Policies  204 (1)
    Downloads and Devices  204 (1)
    Lock Your Machine  204 (1)
    Privacy  205 (1)
    Summary  206 (1)
    Exercises  206 (1)
  Chapter 10 Continuous Learning  207 (10)
    What to Learn  208 (6)
    Offensive = Defensive  208 (1)
    Don't Forget Soft Skills  208 (1)
    Leadership != Management  209 (1)
    Learning Options  209 (3)
    Accountability  212 (1)
    Create Your Plan  213 (1)
    Take Action  214 (1)
    Exercises  214 (2)
    Learning Plan  216 (1)
  Chapter 11 Closing Thoughts  217 (8)
    Lingering Questions  218 (5)
    When Have You Done Enough?  218 (2)
    How Do You Get Management on Board?  220 (1)
    How Do You Get Developers on Board?  221 (1)
    Where Do You Start?  222 (1)
    Where Do You Get Help?  223 (1)
    Conclusion  223 (2)
Appendix A Resources  225 (8)
  Introduction  225 (1)
  Chapter 1 Security Fundamentals  225 (1)
  Chapter 2 Security Requirements  226 (1)
  Chapter 3 Secure Design  227 (1)
  Chapter 4 Secure Code  228 (1)
  Chapter 5 Common Pitfalls  228 (1)
  Chapter 6 Testing and Deployment  229 (1)
  Chapter 7 An AppSec Program  229 (1)
  Chapter 8 Securing Modern Applications and Systems  230 (1)
  Chapter 9 Good Habits  231 (1)
  Chapter 10 Continuous Learning  231 (2)
Appendix B Answer Key  233 (16)
  Chapter 1 Security Fundamentals  233 (2)
  Chapter 2 Security Requirements  235 (1)
  Chapter 3 Secure Design  236 (2)
  Chapter 4 Secure Code  238 (3)
  Chapter 5 Common Pitfalls  241 (1)
  Chapter 6 Testing and Deployment  242 (2)
  Chapter 7 An AppSec Program  244 (1)
  Chapter 8 Securing Modern Applications and Systems  245 (2)
  Chapter 9 Good Habits  247 (1)
  Chapter 10 Continuous Learning  248 (1)
Index  249

Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.