
Application Security Program Handbook [Paperback]

  • Format: Paperback / softback, 296 pages, height x width x thickness: 234x186x20 mm, weight: 540 g
  • Publication date: 26-Jan-2023
  • Publisher: Manning Publications
  • ISBN-10: 163343981X
  • ISBN-13: 9781633439818
Stop dangerous threats and secure your vulnerabilities without slowing down delivery. This practical book is a one-stop guide to implementing a robust application security program. Application Security Program Handbook teaches you to implement a robust program of security throughout your development process. It goes well beyond the basics, detailing a flexible approach that can adapt and evolve to new and emerging threats. Follow the expert advice in this guide and you'll reliably deliver software that is free from security defects and critical vulnerabilities.

As a developer, you must build security into your software throughout its development lifecycle. This book addresses all the practices, tools, technology, people, and processes you need to reduce the risk of attacks and vulnerabilities in your software.

Application Security Program Handbook is full of strategies for setting up and maturing a security program for your development process. Its realistic recommendations take a service-oriented approach to application security that's perfectly suited to the fast pace of modern development. Focused on the realities of software development, it shows you how to avoid making security a gated exercise.

Inside, you'll learn to assess the current state of your app's security, identify key risks to your organization, and measure the success of any defensive programs you deploy. You'll master common methodologies and practices that help safeguard your software, along with defensive tools you can use to keep your apps safe. With this handy reference guide by your side, you'll be able to implement reliable security in a way that doesn't impact your delivery speed.

RETAIL SELLING POINTS

  • Application security tools you can use throughout the development lifecycle
  • Creating threat models
  • Mitigating web app vulnerabilities
  • Creating a DevSecOps pipeline
  • Application security as a service model
  • Reporting structures that highlight the value of application security
  • Creating a software security ecosystem that benefits development

AUDIENCE

For software developers, architects, team leaders, and project managers looking to implement security in their pipelines.

Reviews

  • 'It's impossible not to learn something from this.' George Onofrei
  • 'Do you want to get your hold back on the concepts of Application Security, then this is a fantastic book for you. Get it now!' Krishna Anipindi
  • 'A book like this should be a must to start your career or to understand you are doing things right.' Nikolaos Alexiou

Foreword ix
Preface xi
Acknowledgments xii
About this book xiv
About the author xvii
About the cover illustration xviii

Part 1 Defining application security 1

1 Why do we need application security? 3
  1.1 The role of an application security program 5
    Software from concept to production 6
    Where does application security fit? 7
  1.2 The current state of application security 8
  1.3 Why building security in is challenging 9
    Trying to protect at runtime 10
    Getting output from tools is not enough 11
    Sifting signal from noise in security tools 11
  1.4 Shifting right vs. shifting left in development 12
    Shifting right in the development life cycle 14
    Shifting right fails 15
    Shifting left in the development life cycle 16
    Shifting left fails 19
  1.5 Is going left better than going right? 20
  1.6 Application security needs you! 22
    Democratizing application security 23
    Users will be users 24
  1.7 Examples of failing to secure the software 25
    SolarWinds 25
    Accellion 26
    Fake software 27

2 Defining the problem 29
  2.1 The CIA triad 30
  2.2 Confidentiality 30
    Data protection policy 31
    Data at rest 32
    Applying encryption 34
    Data in transit 36
    Encryption prior to transmission 39
    Data in use 39
    Not so confidential 40
    Do I even need this? 41
  2.3 Availability 41
    DoS and DDoS 42
    Accidental outage 43
    The role of ransomware 43
    Casino betting offline 44
    Health organizations are still fair game 44
    Building in resiliency 45
  2.4 Integrity 46
    Integrity starts with access 47
    The role of version control 48
    Data validation 49
    Data replication 49
    Data checks 50
  2.5 Authentication and authorization 51
    Authentication 51
    Authorization 51
  2.6 Adversaries 52
    Script kiddies 52
    Insider 53
    Cybercriminal 54
    Hacktivist and terrorist 54
    Advanced persistent threat 55
    Why do we care? 55
  2.7 Measuring risk 56
    Remediate, mitigate, accept 57
    Identify the risk 58
    Estimating likelihood 59
    Estimating impact 60
    Risk severity 60
    Risk example 61
    Other methodologies 62

3 Components of application security 64
  3.1 Threat modeling 65
    Basic threat modeling terminology 66
    Manual threat modeling 68
    Starting the manual process 69
    Threat modeling with linking bank accounts 70
    What to do with the found threats 72
    Threat modeling using a tool 73
  3.2 Security analysis tools 75
    Static application security testing 77
    Tools in the development environment 78
    Dynamic application security testing 80
    Software composition analysis 82
  3.3 Penetration testing 84
  3.4 Run-time protection tools 86
  3.5 Vulnerability collection and prioritization 88
    Integrating with defect tracking 88
    Prioritizing vulnerabilities 89
    Closing vulnerabilities 90
  3.6 Bug bounty and vulnerability disclosure program 90
    Vulnerability disclosure program 91
    Bug bounty program 91
    Third-party help with vulnerabilities 92
  3.7 Putting it together 93

Part 2 Developing the application security program 97

4 Releasing secure code 99
  4.1 Security in DevOps 100
    DevOps pipelines 101
  4.2 DevOps isn't the only game in town 102
    Waterfall 102
    Agile 104
    Lean 106
    DevOps supports security better 108
    DevSecOps example 110
  4.3 Application security tooling in the pipeline 112
    Threat modeling in DevSecOps 112
    SAST in DevSecOps 114
    DAST and IAST in DevSecOps 115
    SCA in DevSecOps 119
    Run-time protection in DevSecOps 120
    Security orchestration 122
    Security education 124
  4.4 Feedback loop 125

5 Security belongs to everyone 127
  5.1 Security is everyone's problem 128
    Structure of an application security team 129
    Just hire more application security people 130
    How to close the gap 132
  5.2 Security education 132
    Raising the security IQ 133
    Microlearning and just-in-time training 135
    It's more than just training 137
  5.3 Standards, requirements, and reference architecture 138
    Creating and driving standards 139
    Creating reference architecture 142
    Bringing requirements into the organization 144
  5.4 Maturity models 145
    OWASP SAMM 146
    Building Security In Maturity Model 149
    Addressing your security immaturity 152
  5.5 Decentralized application security 152
    Security champions program 153
    Leveraging the decentralized model 155

6 Application security as a service 158
  6.1 Managing risk during development 159
    Defining and reducing risk 160
    Define the application risk 160
    Release-by-risk 163
  6.2 Enablement instead of gates 168
    Automate the release-by-risk 169
    Removing the barriers by adding guardrails 170
  6.3 Bridging engineering and security through services 172
    The application security-as-a-service ecosystem 173
    Services requested through tickets 176
    Ambient application security 179

Part 3 Deliver and measure 183

7 Building a roadmap 185
  7.1 Getting the current security posture 186
    Going on tour 186
    What tools exist? 188
    What vulnerabilities do you have? 191
    What additional information is available? 193
  7.2 Understanding the organization's security goals 195
    The organization's goals 195
    The application security goals 196
    Aligning the business and security goals 196
  7.3 Identifying the gaps 197
    Finding the immediate gaps 198
    Input into the gap analysis 199
    What to do with the gap analysis 201
  7.4 Sample application security roadmap 202
    Secure engineering education 203
    Educating the application security team 205
    Application security tools roadmap 207
    Aligning engineering and security roadmaps 209
    Building for the future 210

8 Measuring success 215
  8.1 What to measure 216
    Measuring the effectiveness of your tools 217
    Tuning the tools based on feedback 217
    Measuring the effectiveness of your processes 220
    Measuring the mean time to remediate 221
    Optimizing the mean time to remediate 222
  8.2 Gathering effectiveness with KPIs 224
    Building the KPIs 224
    Setting KPI targets 226
    Driving change based on KPIs 227
  8.3 Getting feedback 229
    Getting feedback from conversations 230
    Getting feedback from surveys 230
  8.4 Security scorecard 232
    Preparing for the scorecard 233
    Weighting the scores for the scorecard 235
    Creating the scorecard 236

9 Continuously improving the program 240
  9.1 Keeping ahead of the attacker 241
    MITRE ATT&CK 242
    Cyber Kill Chain 244
  9.2 Threat catalogs 245
    Applying the OWASP Top Ten 246
    Applying the MITRE CWE Top 25 249
  9.3 Staying ahead of engineering 250
    Keeping up with the coding languages 251
    Keeping up with the technology changes 251
    When hiring and training aren't enough 253
  9.4 Stop chasing the shiny new tool 254
    Use a capability matrix 255
    Managing the tool and vendor 256
    Buy the shiny new tool 257
  9.5 Preparing for the worst 258

Appendix Answers to exercises 263
Index 269
Derek Fisher has been working in application security for over a decade, where he has seen both security successes and failures first hand.