97 Things Every Application Security Professional Should Know

Book description

In today's fast-advancing technology world, almost everything is delivered as software or an application. Combined with a fast-evolving threat landscape, that makes protecting customer data and ensuring the resilience of your business the critical objective of every cybersecurity professional. Weak application defenses can lead to serious consequences such as regulatory fines, penalties, and loss of customer trust, especially in industries that handle sensitive or financial data. That is why security professionals must keep up with the latest insights to combat growing cyber threats.

In this go-to guide, editors Reet Kaur and Yabing Wang share key concepts, up-to-date best practices, and cutting-edge tools that today's cyber professionals need to ensure solid application security. The articles in this book offer actionable advice on a wide variety of application security topics and pose thought-provoking questions that drive the direction of the field. You'll also get expert advice from practitioners on how to navigate your career within this industry.

Articles include:

  • AppSec Is a People Problem—Not a Technical One — Mark S. Merkow
  • A Coordinated Approach to a Successful DevSecOps Program — Han Lievens
  • Will Passwordless Authentication Save Your Application? — Aldo Salas
  • Introduction to CI/CD Pipelines and Associated Risks — Tyler Young
  • Unveiling Paths to Account Takeover: Web Cache to XSS Exploitation — Lütfü Mert Ceylan
  • Secure the Software Supply Chain Through Transparency — Niels Tanis
  • The Right Way to Threat Model — Josh Brown
  • Advanced Threat Intelligence Capabilities for Enhanced Application Security Defense — Michael Freeman
  • Mobile Security: Domain and Best Practices — Aruneesh Salhotra
  • API Security Primer — Chenxi Wang
  • Will Generative and LLM Solve a 20-Year-Old Problem in Application Security? — Neatsun Ziv
  • Application Security in Cyber-Physical Systems — Yaniv Vardi

Table of contents

  Preface
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments
  Part I. Program & Practice
  1. Secure Code for Tomorrow’s Technology
    Alyssa Columbus
  2. Pragmatic Advice for Building an Application Security Program
    Andres Andreu
  3. AppSec Must Lead
    Brook S.E. Schoenfield
  4. Solving Problems for Application Security
    Caroline Wong
  5. Securing Your Enterprise Applications
    Chadi Saliby
  6. Developers as Partners in Application Security Strategy
    Christian Ghigliotty
  7. Be an Awesome Sidekick
    Daniel Ting
      • It’s About Them, Not You.
      • Balanced Priorities (and Constraints)
      • Easier Is Easier
  8. Understanding the True Boundaries of Modern Applications
    Erkang Zheng
      • Components
      • Infrastructure
      • Ownership
      • The Foundation of Modern Cybersecurity
  9. Common Best Practices in Application Security
    Laxmidhar V. Gaopande
      • Code Scanning and Reviews
      • Leverage AI for Better Detection and Automation
      • Build a Bug Bounty Program
  10. AppSec Is a People Problem—Not a Technical One
    Mark S. Merkow
  11. Empowering Application Security Professionals Through Cybersecurity Education
    Michael Bray
  12. Why You Need a Practical Security Champions Program
    Michael Xin and Sandeep Kumar Singh
  13. The Human Firewall: Combat Enemies by Improving Your Security-Oriented Culture
    Periklis Gkolias
      • Recognizing External Threats
      • Recognizing Insider Threats
      • Empowering Employees Through Education
      • Promoting Open Communication
      • Engaging Leadership
      • Conducting Regular Security Drills
      • Rewarding and Recognizing Secure Behavior
  14. Shifting Everywhere in Application Security
    Sounil Yu
      • The Changing Landscape of Application Security
      • The Traditional Shift Left Paradigm
      • The Role of Infrastructure and Automation
      • Re-envisioning Application Security
  15. Beyond Barriers: Navigating the Path to a Successful AppSec Program
    Yabing Wang
      • What Are the Core Components of the AppSec Program?
      • What Are the Success Factors of the AppSec Program?
  Part II. Secure SDLC
  16. Building an Application Security Preparation Mindset
    Andrew King
      • Mindset: How Can You Prepare?
      • Logging and Monitoring: Do You See What Happened?
      • Scope: Can You Do It All?
      • Best Practices: Can You Borrow from Others’ Experience?
  17. How to Assess Security Mindset in Application Design
    Anuj Parekh
  18. Getting Your Application Ready for the Enterprise
    Ayman Elsawah
      • Enterprise Single Sign-On
  19. Reductio Ad Applicationem Securitatis
    Darryle Merlette
      • Read
      • Write
      • Change
  20. Automating the Risk Calculation of Modern Applications
    Erkang Zheng
      • Design and Business Context
      • Technology Implementation and Operations
      • Maturity of Team and Process
  21. A Coordinated Approach to a Successful DevSecOps Program
    Han Lievens
  22. What Makes Someone a Developer?
    Helen Umberger
  23. Total AppSec
    Hussain Syed
  24. You’re More Than Your Job
    Izar Tarandach
  25. TAP Into the Potential of a Great SSDLC Program with Automation
    Jyothi Charyulu
      • Think
      • Act
      • Persevere
  26. Vulnerability Researcher to Software Developer: The Other Side of the Coin
    Larry W. Cashdollar
  27. Strategies for Adding Security Rituals to an Existing SDLC
    Laura Bell Main
      • You Can’t Change What You Don’t Understand
      • Start with Experiments, Not Solutions
      • Create a Rollout Plan with the Engineering Team
      • Collaboration Is the Key
  28. Challenges and Considerations for Securing Serverless Applications
    Manasés Jesús
  29. Using Offensive Security to Defend Your Application
    Nathaniel Shere
      • Helpful Response Messages
      • API Endpoints
      • Administrative Features
  30. Beyond “No”: The Modern Paradigm of Developer-Centric Application Security
    Nielet D’mello
  31. Security Paved Roads
    Nielet D’mello
      • What Are Security Paved Roads?
      • How to Decide What Security Paved Roads Are Needed?
      • Adoption and Effectiveness
      • Product-Centric Approach and Feedback Loops
      • Conclusion
  32. AppSec in the Cloud Era
    Sandeep Kumar Singh
      • Learn Shared Responsibility Model
      • Secure Configurations
      • Continuous Logging and Monitoring
      • Data Protection in Multitenant Environments
      • Adopt Cloud Security Services
      • Conclusion
  33. Code Provenance for DevSecOps
    Yashvier Kosaraju
  Part III. Data Security & Privacy
  34. Will Passwordless Authentication Save Your Application?
    Aldo Salas
      • Passwordless and WebAuthn
      • Passwordless Pros and Cons
      • Passwordless Vulnerabilities
      • Other Recommendations
  35. Securing Your Databases: The Importance of Proper Access Controls and Audits
    Dave Stokes
  36. DataSecOps: Security in Data Products
    Diogo Miyake
  37. Data Security Code and Tests
    Diogo Miyake
  38. Data Security Starts with Good Governance
    Lauren Maffeo
  39. Protect Sensitive Data in Modern Applications
    Louisa Wang
      • Learn Key Management
      • Security Needs During the Data Life Cycle Vary
      • Design and Implement a Combination of Technical and Administrative Controls
      • Insights and Security Recommendations
  40. Leverage Data-Flow Analysis in Your Security Practices
    Manuel Walder
  41. Embracing a Practical Privacy Paradigm Shift in App Development
    Maria Nichole Schwenger
      • The Paradox of Privacy and Innovation in Data Security
      • Reconceptualizing Data Ownership
      • Leveraging Privacy-Enhancing Technologies
      • Transparency and Informed Consent
      • Data Minimization and Purpose Limitation
      • Exploring Decentralized Data Storage
      • Data Privacy as a Competitive Advantage
      • In a Nutshell
  42. Quantum-Safe Encryption Algorithms
    Rakesh Kulkarni
  43. Application Integration Security
    Sausan Yazji
  Part IV. Code Scanning & Testing
  44. Modern Approach to Software Composition Analysis: Call Graph and Runtime SCA
    Aruneesh Salhotra
      • Traditional Approach to SCA
      • Modern Approach to Manage Open Source Risks
      • Runtime SCA
      • Summary
  45. Application Security Testing
    David Lindner
      • Static Application Security Testing
      • Dynamic Application Security Testing
      • Interactive Application Security Testing
  46. WAF and RASP
    David Lindner
      • Web Application Firewalls
      • Runtime Application Self-Protection
  47. Zero Trust Software Architecture
    Jacqueline Pitter
  48. Rethinking Ethics in Application Security: Toward a Sustainable Digital Future
    Pragat Patel
  49. Modern WAF Deployment and Management Paradigms
    Raj Badhwar
      • On Premises WAF Infrastructure for Hybrid Cloud
      • Cloud Native WAF Infrastructure for the Public Cloud
      • Managed WAF Services
  50. Do You Need Manual Penetration Testing?
    Shawn Evans
  51. Bash Your Head
    Shawn Evans
  52. Exploring Application Security Through Static Analysis
    Tanya Janca
  53. Introduction to CI/CD Pipelines and Associated Risks
    Tyler Young
  Part V. Vulnerability Management
  54. Demystifying Bug Bounty Programs
    Aldo Salas
      • Preparing the Test Environment
      • Testing in Production
      • Recommendations
  55. EPSS: A Modern Approach to Vulnerability Management
    Aruneesh Salhotra
      • Traditional Approaches Are Dated
      • The World of EPSS
      • Key Aspects of EPSS
  56. Navigating the Waters of Vulnerability Management
    Luis Arzu
      • Understanding the Dynamic Landscape
      • Prioritization: The Art of Decision Making
      • Building Collaborative Relationships
      • Leveraging Robust Vulnerability Management Solutions
      • Conclusion
  57. Safeguarding the Digital Nexus: “Top 25 Parameters to Vulnerability Frequency”
    Lütfü Mert Ceylan
      • Exploring Vulnerability Categories: A Profound Expedition to Parameter Frequencies
      • Empowering with Knowledge: The Path Forward
  58. Unveiling Paths to Account Takeover: Web Cache to XSS Exploitation
    Lütfü Mert Ceylan
      • Discovery of Vulnerability
      • But What Is Reflected XSS Vulnerability?
      • Amplification Through Web Cache Exploitation
      • The Genesis of Account Takeover
      • Exploiting the Dynamics of Web Cache Poisoning
      • Mitigation and Beyond
  59. Sometimes the Smallest Risks Can Cause the Greatest Destruction
    Lütfü Mert Ceylan
  60. Effective Vulnerability Remediation Using EPSS
    Reet Kaur
  61. Bug Bounty—Shift Everywhere
    Sean Poris
  Part VI. Software Supply Chain
  62. Integrating Security into Open Source Dependencies
    Alyssa Columbus
      • Selecting Secure Open Source Libraries
      • Auditing and Hardening Open Source Dependencies
      • Staying Current with Vulnerability Management
      • Making Open Source Security a Priority
  63. Supplier Relationship Management to Reduce Software Supply Chain Security Risk
    Cassie Crossley
  64. Fortifying Open Source AI/ML Libraries: Garden of Security in Software Supply Chain
    Chloé Messdaghi
      • Dependency Scanning
      • CI/CD for AI and ML
      • Software Bill of Materials
      • Auditing and Verification
      • Community Collaboration
  65. SBOM: Transparent, Sustainable Compliance
    Karen Walsh
      • Building Transparency
      • Designing Sustainably
      • Developing Compliantly
      • The Future of Secure, Compliant Application Ecosystem
  66. Secure the Software Supply Chain Through Transparency
    Niels Tanis
  67. Unlock the Secrets to Open Source Software Security
    Travis Felder
      • Invisible Open Source Software
      • Establishing an OSS Program
      • Open Source Software Security Pro Tips
      • Common Open Source Software Security Mistakes to Avoid
  68. Leverage SBOMs to Enhance Your SSDLC
    Viraj Gandhi
  Part VII. Threat Modeling
  69. Learn to Threat Model
    Adam Shostack, Matthew Coles, and Izar Tarandach
  70. Understanding OWASP Insecure Design and Unmasking Toxic Combinations
    Idan Plotnik
      • Understand the Implications of Insecure Design
      • Unmask the “Toxic Combinations” in Application Security
  71. The Right Way to Threat Model
    Josh Brown
  72. Attack Models in SSDLC
    Vinay Venkatesh
  Part VIII. Threat Intelligence & Incident Response
  73. In Denial of Your Services
    Allen West
  74. Sifting for Botnets
    Allen West
  75. Incident Response for Credential Stuffing Attacks
    Fayyaz Rajpari
  76. Advanced Threat Intelligence Capabilities for Enhanced Application Security Defense
    Michael Freeman
  Part IX. Mobile Security
  77. Mobile Security: Domain and Best Practices
    Aruneesh Salhotra
      • Fundamentals
      • Supercharging Your CI/CD Pipeline with Security
      • Navigating Privacy Concerns in Mobile Application Development
  78. Mobile Application Security Using Containerization
    Reet Kaur
  Part X. API Security
  79. API Security: JWE Encryption for Native Data Protection
    Andres Andreu
  80. APIs Are Windows to the Soul
    Brook S.E. Schoenfield
      • Risks
      • Defenses
      • Access Management
      • Input Validation
  81. API Security: The Bedrock of Modern Applications
    Charan Akiri
  82. API Security Primer: Visibility
    Chenxi Wang
      • Visibility and Inventory
  83. API Security Primer: Risk Assessment, Monitoring, and Detection
    Chenxi Wang
  84. API Security Primer: Control and Management
    Chenxi Wang
  Part XI. AI Security & Automation
  85. LLMs Revolutionizing Application Security: Unleashing the Power of AI
    Alexander James Wold
      • LLMs and Static Application Security Testing
      • LLMs and Predictive Threat Hunting
      • Unique Advancement: LLMs and Intelligent Security Patching
      • Challenges and Considerations
      • Conclusion
  86. Mitigating Bias and Unfairness in AI-Based Applications
    Angelica Lo Duca
      • Collaborate with Domain Experts
      • Improve Data Quality
      • Perform User Testing
  87. Secure Development with Generative AI
    Heather Hinton
  88. Managing the Risks of ChatGPT Integration
    Josh Brown
  89. Automation, Automation, and Automation for AppSec
    Michael Xin
  90. Will Generative and LLM Solve a 20-Year-Old Problem in Application Security?
    Neatsun Ziv
  91. Understand the Risks of Using AI in Application Development
    Yasir Ali
      • Main Risk Categories and Recent Incidents
      • Major Threat Vectors from LLM
      • Key Risks in the SDLC
      • Legal Concerns
      • LLM Concerns and Software Supply Chain Impact
      • Increased Supply Chain Risks
      • Remediative Controls
  Part XII. IoT & Embedded System Security
  92. Secure Code for Embedded Systems
    Jason Sinchak
      • Coding
      • Third-Party Code
  93. Platform Security for Embedded Systems
    Jason Sinchak
      • Maintaining Data Security
      • Secure Firmware Updates
      • Attack Surface Reduction
      • Secure Communications
  94. Application Identity for Embedded Systems
    Jason Sinchak
  95. Top Five Hacking Methods for IoT Devices
    Manasés Jesús
      • The Trojan Horse
      • The Man-in-the-Middle
      • The Zero-Day Exploit
      • The Brute Force Attack
      • The Denial-of-Service (DoS) Attack
  96. Securing IoT Applications
    Manasés Jesús
  97. Application Security in Cyber-Physical Systems
    Yaniv Vardi
  About the Editors
    Reet Kaur
    Yabing Wang
  Contributors
    Adam Shostack
    Aldo Salas
    Alexander James Wold
    Allen West
    Alyssa Columbus
    Andres Andreu
    Andrew King
    Angelica Lo Duca
    Anuj Parekh
    Aruneesh Salhotra
    Ayman Elsawah
    Brook S.E. Schoenfield
    Caroline Wong
    Cassie Crossley
    Chadi Saliby
    Charan Akiri
    Chenxi Wang
    Chloé Messdaghi
    Christian Ghigliotty
    Daniel Ting
    Darryle Merlette
    David Lindner
    David Stokes
    Diogo Miyake
    Erkang Zheng
    Fayyaz Rajpari
    Han Lievens
    Heather Hinton
    Helen Umberger
    Hussain Syed
    Idan Plotnik
    Izar Tarandach
    Jacqueline Pitter
    Jason Sinchak
    Josh Brown
    Jyothi Charyulu
    Karen Walsh
    Larry W. Cashdollar
    Laura Bell Main
    Lauren Maffeo
    Laxmidhar V. Gaopande
    Louisa Wang
    Luis Arzu
    Lütfü Mert Ceylan
    Manasés Jesús
    Manuel Walder
    Maria Nichole Schwenger
    Mark S. Merkow
    Matthew Coles
    Michael Bray
    Michael Freeman
    Michael Xin
    Nathaniel Shere
    Neatsun Ziv
    Nielet D’mello
    Niels Tanis
    Periklis Gkolias
    Pragat Patel
    Raj Badhwar
    Rakesh Kulkarni
    Sandeep Kumar Singh
    Sausan Yazji
    Sean Poris
    Shawn Evans
    Sounil Yu
    Tanya Janca
    Travis Felder
    Tyler Young
    Vinay Venkatesh
    Viraj Gandhi
    Yaniv Vardi
    Yashvier Kosaraju
    Yasir Ali

Product information

  • Title: 97 Things Every Application Security Professional Should Know
  • Author(s): Reet Kaur, Yabing Wang
  • Release date: June 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098169459