Application Security Program Handbook

Application Security Program Handbook

by Derek Fisher
Released January 2023
Publisher(s): Manning Publications
ISBN: 9781633439818

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Stop dangerous threats and secure your vulnerabilities without slowing down delivery. This practical book is a one-stop guide to implementing a robust application security program.

In the Application Security Program Handbook you will learn:

  • Why application security is so important to modern software
  • Application security tools you can use throughout the development lifecycle
  • Creating threat models
  • Rating discovered risks
  • Gap analysis on security tools
  • Mitigating web application vulnerabilities
  • Creating a DevSecOps pipeline
  • Application security as a service model
  • Reporting structures that highlight the value of application security
  • Creating a software security ecosystem that benefits development
  • Setting up your program for continuous improvement

The Application Security Program Handbook teaches you to implement a robust program of security throughout your development process. It goes well beyond the basics, detailing flexible security fundamentals that can adapt and evolve to new and emerging threats. Its service-oriented approach is perfectly suited to the fast pace of modern development. Your team will quickly switch from viewing security as a chore to an essential part of their daily work. Follow the expert advice in this guide and you’ll reliably deliver software that is free from security defects and critical vulnerabilities.

About the Technology
Application security is much more than a protective layer bolted onto your code. Real security requires coordinating practices, people, tools, technology, and processes throughout the life cycle of a software product. This book provides a reproducible, step-by-step road map to building a successful application security program.

About the Book
The Application Security Program Handbook delivers effective guidance on establishing and maturing a comprehensive software security plan. In it, you’ll master techniques for assessing your current application security, determining whether vendor tools are delivering what you need, and modeling risks and threats. As you go, you’ll learn both how to secure a software application end to end and also how to build a rock-solid process to keep it safe.

What's Inside
  • Application security tools for the whole development life cycle
  • Finding and fixing web application vulnerabilities
  • Creating a DevSecOps pipeline
  • Setting up your security program for continuous improvement


About the Reader
For software developers, architects, team leaders, and project managers.

About the Author
Derek Fisher has been working in application security for over a decade, where he has seen numerous security successes and failures firsthand.

Quotes
This is a foundational book for application security principles, definitions, and concepts.
- From the Foreword by Matt Rose, Chief Architect, Bionic; Former Leader at Checkmarx and Fortify

Provides the groundwork for anyone looking to start building an application security program.
- James Jardine, DevelopSec

Well-written and detailed resource for understanding and implementing application security.
- James Woodruff, Deloitte

Amazing primer on all things security, from tooling and pipeline development to setting up a security program. Essential.
- Jeremy Bryan, Anchore

Table of contents

  1. inside front cover
  2. Application Security Program Handbook
  3. Copyright
  4. brief contents
  5. contents
  6. front matter
    1. foreword
    2. preface
    3. acknowledgments
    4. about this book
      1. Who should read this book
      2. How this book is organized: A road map
      3. Defining application security
      4. Developing the application security program
      5. Deliver and measure
      6. liveBook discussion forum
    5. about the author
    6. about the cover illustration
  7. Part 1. Defining application security
  8. 1 Why we need application security
    1. 1.1 The role of an application security program
      1. 1.1.1 Software from concept to production
      2. 1.1.2 Where does application security fit?
    2. 1.2 The current state of application security
    3. 1.3 Why building security in is challenging
      1. 1.3.1 Trying to protect at runtime
      2. 1.3.2 Getting output from tools is not enough
      3. 1.3.3 Sifting signal from noise in security tools
    4. 1.4 Shifting right vs. shifting left in development
      1. 1.4.1 Shifting right in the development life cycle
      2. 1.4.2 Shifting right fails
      3. 1.4.3 Shifting left in the development life cycle
      4. 1.4.4 Shifting left fails
    5. 1.5 Is going left better than going right?
    6. 1.6 Application security needs you!
      1. 1.6.1 Democratizing application security
      2. 1.6.2 Users will be users
    7. 1.7 Examples of failing to secure the software
      1. 1.7.1 SolarWinds
      2. 1.7.2 Accellion
      3. 1.7.3 Fake software
    8. Summary
  9. 2 Defining the problem
    1. 2.1 The CIA triad
    2. 2.2 Confidentiality
      1. 2.2.1 Data protection policy
      2. 2.2.2 Data at rest
      3. 2.2.3 Applying encryption
      4. 2.2.4 Data in transit
      5. 2.2.5 Encryption prior to transmission
      6. 2.2.6 Data in use
      7. 2.2.7 Not so confidential
      8. 2.2.8 Do I even need this?
    3. 2.3 Availability
      1. 2.3.1 DoS and DDoS
      2. 2.3.2 Accidental outage
      3. 2.3.3 The role of ransomware
      4. 2.3.4 Casino betting offline
      5. 2.3.5 Health organizations are still fair game
      6. 2.3.6 Building in resiliency
    4. 2.4 Integrity
      1. 2.4.1 Integrity starts with access
      2. 2.4.2 The role of version control
      3. 2.4.3 Data validation
      4. 2.4.4 Data replication
      5. 2.4.5 Data checks
    5. 2.5 Authentication and authorization
      1. 2.5.1 Authentication
      2. 2.5.2 Authorization
    6. 2.6 Adversaries
      1. 2.6.1 Script kiddies
      2. 2.6.2 Insider
      3. 2.6.3 Cybercriminal
      4. 2.6.4 Hacktivist and terrorist
      5. 2.6.5 Advanced persistent threat
      6. 2.6.6 Why do we care?
    7. 2.7 Measuring risk
      1. 2.7.1 Remediate, mitigate, accept
      2. 2.7.2 Identify the risk
      3. 2.7.3 Estimating likelihood
      4. 2.7.4 Estimating impact
      5. 2.7.5 Risk severity
      6. 2.7.6 Risk example
      7. 2.7.7 Other methodologies
    8. Summary
  10. 3 Components of application security
    1. 3.1 Threat modeling
      1. 3.1.1 Basic threat modeling terminology
      2. 3.1.2 Manual threat modeling
      3. 3.1.3 Starting the manual process
      4. 3.1.4 Threat modeling with linking bank accounts
      5. 3.1.5 What to do with the found threats
      6. 3.1.6 Threat modeling using a tool
    2. 3.2 Security analysis tools
      1. 3.2.1 Static application security testing
      2. 3.2.2 Tools in the development environment
      3. 3.2.3 Dynamic application security testing
      4. 3.2.4 Software composition analysis
    3. 3.3 Penetration testing
    4. 3.4 Run-time protection tools
    5. 3.5 Vulnerability collection and prioritization
      1. 3.5.1 Integrating with defect tracking
      2. 3.5.2 Prioritizing vulnerabilities
      3. 3.5.3 Closing vulnerabilities
    6. 3.6 Bug bounty and vulnerability disclosure program
      1. 3.6.1 Vulnerability disclosure program
      2. 3.6.2 Bug bounty program
      3. 3.6.3 Third-party help with vulnerabilities
    7. 3.7 Putting it together
    8. Summary
  11. Part 2. Developing the application security program
  12. 4 Releasing secure code
    1. 4.1 Security in DevOps
      1. 4.1.1 DevOps pipelines
    2. 4.2 DevOps isn’t the only game in town
      1. 4.2.1 Waterfall
      2. 4.2.2 Agile
      3. 4.2.3 Lean
      4. 4.2.4 DevOps supports security better
      5. 4.2.5 DevSecOps example
    3. 4.3 Application security tooling in the pipeline
      1. 4.3.1 Threat modeling in DevSecOps
      2. 4.3.2 SAST in DevSecOps
      3. 4.3.3 DAST and IAST in DevSecOps
      4. 4.3.4 SCA in DevSecOps
      5. 4.3.5 Run-time protection in DevSecOps
      6. 4.3.6 Security orchestration
      7. 4.3.7 Security education
    4. 4.4 Feedback loop
    5. Summary
  13. 5 Security belongs to ever yone
    1. 5.1 Security is everyone’s problem
      1. 5.1.1 Structure of an application security team
      2. 5.1.2 Just hire more application security people
      3. 5.1.3 How to close the gap
    2. 5.2 Security education
      1. 5.2.1 Raising the security IQ
      2. 5.2.2 Microlearning and just-in-time training
      3. 5.2.3 It’s more than just training
    3. 5.3 Standards, requirements, and reference architecture
      1. 5.3.1 Creating and driving standards
      2. 5.3.2 Creating reference architecture
      3. 5.3.3 Bringing requirements into the organization
    4. 5.4 Maturity models
      1. 5.4.1 OWASP SAMM
      2. 5.4.2 Building Security in Maturity Model
      3. 5.4.3 Addressing your security immaturity
    5. 5.5 Decentralized application security
      1. 5.5.1 Security champions program
      2. 5.5.2 Leveraging the decentralized model
    6. Summary
  14. 6 Application security as a service
    1. 6.1 Managing risk during development
      1. 6.1.1 Defining and reducing risk
      2. 6.1.2 Define the application risk
      3. 6.1.3 Release-by-risk
    2. 6.2 Enablement instead of gates
      1. 6.2.1 Automate the release-by-risk
      2. 6.2.2 Removing the barriers by adding guardrails
    3. 6.3 Bridging engineering and security through services
      1. 6.3.1 The application security-as-a-service ecosystem
      2. 6.3.2 Services requested through tickets
      3. 6.3.3 Ambient application security
    4. Summary
  15. Part 3. Deliver and measure
  16. 7 Building a roadmap
    1. 7.1 Getting the current security posture
      1. 7.1.1 Going on tour
      2. 7.1.2 What tools exist?
      3. 7.1.3 What vulnerabilities do you have?
      4. 7.1.4 What additional information is available?
    2. 7.2 Understanding the organization’s security goals
      1. 7.2.1 The organization’s goals
      2. 7.2.2 The application security goals
      3. 7.2.3 Aligning the business and security goals
    3. 7.3 Identifying the gaps
      1. 7.3.1 Finding the immediate gaps
      2. 7.3.2 Input into the gap analysis
      3. 7.3.3 What to do with the gap analysis
    4. 7.4 Sample application security roadmap
      1. 7.4.1 Secure engineering education
      2. 7.4.2 Educating the application security team
      3. 7.4.3 Application security tools roadmap
      4. 7.4.4 Aligning engineering and security roadmaps
      5. 7.4.5 Building for the future
    5. Summary
  17. 8 Measuring success
    1. 8.1 What to measure
      1. 8.1.1 Measuring the effectiveness of your tools
      2. 8.1.2 Tuning the tools based on feedback
      3. 8.1.3 Measuring the effectiveness of your processes
      4. 8.1.4 Measuring the mean time to remediate
      5. 8.1.5 Optimizing the mean time to remediate
    2. 8.2 Gathering effectiveness with KPIs
      1. 8.2.1 Building the KPIs
      2. 8.2.2 Setting KPI targets
      3. 8.2.3 Driving change based on KPIs
    3. 8.3 Getting feedback
      1. 8.3.1 Getting feedback from conversations
      2. 8.3.2 Getting feedback from surveys
    4. 8.4 Security scorecard
      1. 8.4.1 Preparing for the scorecard
      2. 8.4.2 Weighting the scores for the scorecard
      3. 8.4.3 Creating the scorecard
    5. Summary
  18. 9 Continuously improving the program
    1. 9.1 Keeping ahead of the attacker
      1. 9.1.1 MITRE ATT&CK
      2. 9.1.2 Cyber Kill Chain
    2. 9.2 Threat catalogs
      1. 9.2.1 Applying the OWASP Top Ten
      2. 9.2.2 Applying the MITRE CWE Top 25
    3. 9.3 Staying ahead of engineering
      1. 9.3.1 Keeping up with the coding languages
      2. 9.3.2 Keeping up with the technology changes
      3. 9.3.3 When hiring and training aren’t enough
    4. 9.4 Stop chasing the shiny new tool
      1. 9.4.1 Use a capability matrix
      2. 9.4.2 Managing the tool and vendor
      3. 9.4.3 Buy the shiny new tool
    5. 9.5 Preparing for the worst
    6. Summary
  19. Appendix. Answers to exercises
    1. Chapter 1
      1. EXERCISE 1.1
      2. EXERCISE 1.2
      3. EXERCISE 1.3
    2. Chapter 2
      1. EXERCISE 2.1
      2. EXERCISE 2.2
    3. Chapter 3
      1. EXERCISE 3.1
      2. EXERCISE 3.2
      3. EXERCISE 3.3
      4. EXERCISE 3.4
    4. Chapter 5
      1. EXERCISE 5.1
      2. EXERCISE 5.2
      3. EXERCISE 5.3
    5. Chapter 6
      1. EXERCISE 6.1
      2. EXERCISE 6.2
    6. Chapter 7
      1. EXERCISE 7.1
    7. Chapter 8
      1. EXERCISE 8.1
      2. EXERCISE 8.2
      3. EXERCISE 8.3
  20. index

Product information

  • Title: Application Security Program Handbook
  • Author(s): Derek Fisher
  • Release date: January 2023
  • Publisher(s): Manning Publications
  • ISBN: 9781633439818