Alice and Bob Learn Application Security

Book description

Learn application security from the very start, with this comprehensive and approachable guide!

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:

  • Secure requirements, design, coding, and deployment
  • Security Testing (all forms)
  • Common Pitfalls
  • Application Security Programs
  • Securing Modern Applications
  • Software Developer Security Hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within.

Table of contents

  1. Cover
  2. Foreword
  3. Introduction
    1. Pushing Left
    2. About This Book
    3. Out-of-Scope Topics
    4. The Answer Key
  4. Part I: What You Must Know to Write Code Safe Enough to Put on the Internet
    1. CHAPTER 1: Security Fundamentals
      1. The Security Mandate: CIA
      2. Assume Breach
      3. Insider Threats
      4. Defense in Depth
      5. Least Privilege
      6. Supply Chain Security
      7. Security by Obscurity
      8. Attack Surface Reduction
      9. Hard Coding
      10. Never Trust, Always Verify
      11. Usable Security
      12. Factors of Authentication
      13. Exercises
    2. CHAPTER 2: Security Requirements
      1. Requirements
      2. Requirements Checklist
      3. Exercises
    3. CHAPTER 3: Secure Design
      1. Design Flaw vs. Security Bug
      2. Secure Design Concepts
      3. Segregation of Production Data
      4. Threat Modeling
      5. Exercises
    4. CHAPTER 4: Secure Code
      1. Selecting Your Framework and Programming Language
      2. Untrusted Data
      3. HTTP Verbs
      4. Identity
      5. Session Management
      6. Bounds Checking
      7. Authentication (AuthN)
      8. Authorization (AuthZ)
      9. Error Handling, Logging, and Monitoring
      10. Exercises
    5. CHAPTER 5: Common Pitfalls
      1. OWASP
      2. Defenses and Vulnerabilities Not Previously Covered
      3. Race Conditions
      4. Closing Comments
      5. Exercises
  5. Part II: What You Should Do to Create Very Good Code
    1. CHAPTER 6: Testing and Deployment
      1. Testing Your Code
      2. Testing Your Application
      3. Testing Your Infrastructure
      4. Testing Your Database
      5. Testing Your APIs and Web Services
      6. Testing Your Integrations
      7. Testing Your Network
      8. Deployment
      9. Exercises
    2. CHAPTER 7: An AppSec Program
      1. Application Security Program Goals
      2. Application Security Activities
      3. Application Security Tools
    3. CHAPTER 8: Securing Modern Applications and Systems
      1. APIs and Microservices
      2. Online Storage
      3. Containers and Orchestration
      4. Serverless
      5. Infrastructure as Code (IaC)
      6. Security as Code (SaC)
      7. Platform as a Service (PaaS)
      8. Infrastructure as a Service (IaaS)
      9. Continuous Integration/Delivery/Deployment
      10. Dev(Sec)Ops
      11. The Cloud
      12. Cloud Workflows
      13. Modern Tooling
      14. Modern Tactics
      15. Summary
      16. Exercises
  6. Part III: Helpful Information on How to Continue to Create Very Good Code
    1. CHAPTER 9: Good Habits
      1. Password Management
      2. Multi-Factor Authentication
      3. Incident Response
      4. Fire Drills
      5. Continuous Scanning
      6. Technical Debt
      7. Inventory
      8. Other Good Habits
      9. Summary
      10. Exercises
    2. CHAPTER 10: Continuous Learning
      1. What to Learn
      2. Take Action
      3. Exercises
      4. Learning Plan
    3. CHAPTER 11: Closing Thoughts
      1. Lingering Questions
      2. Conclusion
  7. APPENDIX A: Resources
    1. Introduction
    2. Chapter 1: Security Fundamentals
    3. Chapter 2: Security Requirements
    4. Chapter 3: Secure Design
    5. Chapter 4: Secure Code
    6. Chapter 5: Common Pitfalls
    7. Chapter 6: Testing and Deployment
    8. Chapter 7: An AppSec Program
    9. Chapter 8: Securing Modern Applications and Systems
    10. Chapter 9: Good Habits
    11. Chapter 10: Continuous Learning
  8. APPENDIX B: Answer Key
    1. Chapter 1: Security Fundamentals
    2. Chapter 2: Security Requirements
    3. Chapter 3: Secure Design
    4. Chapter 4: Secure Code
    5. Chapter 5: Common Pitfalls
    6. Chapter 6: Testing and Deployment
    7. Chapter 7: An AppSec Program
    8. Chapter 8: Securing Modern Applications and Systems
    9. Chapter 9: Good Habits
    10. Chapter 10: Continuous Learning
  9. Index
  10. End User License Agreement

Product information

  • Title: Alice and Bob Learn Application Security
  • Author(s): Tanya Janca
  • Release date: November 2020
  • Publisher(s): Wiley
  • ISBN: 9781119687351