Fundamentals of Secure Software

Video description

This course offers a comprehensive guide to securing software applications from design to deployment. You'll start by understanding core application security concepts, including how to integrate security into the Software Development Life Cycle (SDLC). The course explores essential security practices such as threat modeling, vulnerability management, and the use of frameworks like OWASP and NIST to build robust defenses.

As you advance, you'll delve into complex topics such as Defense in Depth and cloud security. Real-world examples, including the “PrintNightmare” vulnerability, demonstrate how to apply these concepts effectively. You'll also get hands-on experience with the OWASP Top 10 vulnerabilities, learning how to prevent common issues like SQL injection and cross-site scripting (XSS) through practical demonstrations and tools.

In the final sections, the course focuses on DevSecOps and secure CI/CD pipelines, emphasizing the importance of integrating security into every phase of software development. You'll learn to automate security checks and manage risks proactively. By course end, you'll be equipped with the skills to design, deploy, and maintain secure applications, enhancing your value as a developer or security professional.

What you will learn

  • Implement security in the software development lifecycle
  • Use OWASP tools to prevent common vulnerabilities
  • Apply secure coding and testing practices effectively
  • Integrate security into DevOps and CI/CD processes
  • Perform effective threat modeling and risk assessment
  • Secure cloud environments and container deployments

Audience

This course is designed for software developers, security engineers, and IT professionals who want to deepen their understanding of application security. Whether you’re new to cybersecurity or looking to expand your skills, this course will provide valuable insights and practical knowledge. Basic programming experience is recommended, but no prior security expertise is required. It's also suitable for IT managers and business analysts who need to understand security principles to support development teams and make informed decisions about software security.

About the Author

Derek Fisher: Derek Fisher has nearly 30 years of experience in cybersecurity and engineering, having worked across a wide range of sectors including finance, healthcare, military, and commercial industries. His extensive background encompasses roles in hardware, software, and cybersecurity engineering, positioning him as a leader in securing complex systems and infrastructures. Derek is the author of several notable books, such as The Application Security Program Handbook and the Alicia Connected series—a unique initiative aimed at educating children about cybersecurity through engaging stories. His contributions extend to his Substack and YouTube channel, where he shares expert insights and fosters community engagement in the ever-evolving field of cybersecurity. Beyond his written work, Derek serves as an advisor to Temple University's Cyber Defense and Information Assurance (Cyber DIA) program and teaches software security as an adjunct professor. His courses, offered to both graduate and undergraduate students, reflect his commitment to developing the next generation of cybersecurity professionals. As a sought-after speaker and panelist, Derek regularly discusses topics like product security, vulnerability management, threat modeling, DevSecOps, and cybersecurity career growth. Passionate about empowering future cybersecurity leaders, Derek actively engages in initiatives that promote grassroots education and mentorship. He collaborates with peers and industry stakeholders to create opportunities for aspiring professionals, ensuring that the cybersecurity community continues to thrive and innovate.

Table of contents

  1. Chapter 1 : Introduction to this Course
    1. Introduction to Application Security
    2. Application Security Terms and Definitions
    3. Application Security Goals
    4. OWASP WebGoat Demo
  2. Chapter 2 : Understanding Secure SDLC
    1. Application Security Introduction
    2. Top 10s
    3. Application Security Terms and Definitions
    4. Application Security Goals
    5. Introduction to NIST
    6. Introduction to CSA
  3. Chapter 3 : Defense in Depth
    1. Defense in Depth
    2. Roles and Terms in Cybersecurity
    3. API Security
    4. Content Security Policy (CSP)
    5. Server-Side Request Forgery - SSRF
    6. Vulnerability Management
  4. Chapter 4 : Dive into the OWASP Top 10
    1. Broken Access Control
    2. Broken Access Control - Demo
    3. Cryptographic Failures
    4. Injection
    5. Injection Demo
    6. Insecure Design
    7. Security Misconfiguration
    8. Vulnerable and Outdated Components
    9. Identification and Authentication Failures
    10. Identification Failures Demo
    11. Software and Data Integrity Failures
    12. Security Logging and Monitoring Failures
    13. Cross-Site Scripting (XSS)
    14. XSS Demo
  5. Chapter 5 : Supply Chain Security
    1. Introduction to Supply Chain Security
    2. Supply Chain Defenses
    3. Software Composition Analysis (SCA)
    4. Introducing SLSA
    5. Software Bill of Materials (SBOM)
    6. Dependency-Track and CycloneDX
  6. Chapter 6 : Cloud and Container Security
    1. Introduction to Cloud
    2. Cloud Security Concepts
    3. AWS Security Pillar
    4. AWS Identity and Access Management
    5. AWS Detection Controls
    6. AWS Infrastructure
    7. AWS Data Protection
    8. AWS Incident Response
    9. AWS Application Security
    10. Container Security
    11. Azure and GCP
  7. Chapter 7 : Session Management
    1. Introduction to Session Management
    2. Web Sessions
    3. JSON Web Token (JWT)
    4. JWT Example
    5. JSON Web Encryption (JWE)
    6. OAuth
    7. OpenID and OpenID Connect
  8. Chapter 8 : Risk Rating and Basic Threat Modeling
    1. Risk Rating Introduction
    2. Risk Rating Demo
    3. Security Controls
    4. Introduction to Threat Modeling
    5. Type of Threat Modeling
    6. Introduction to Manual Threat Modeling
    7. Prepping for Microsoft Threat Model Tool
    8. Microsoft Threat Model Tool Demo
    9. OWASP Threat Dragon Demo
  9. Chapter 9 : More Advanced Threat Modeling
    1. Additional Methods of Threat Modeling
    2. Using DREAD
    3. Using MITRE ATT&CK
    4. Other Advanced Threat Modeling Techniques
    5. Attack Trees
    6. Attack Tree Demo
    7. Continuous Threat Modeling
    8. Threagile Demo
    9. Threat Modeling the Cloud
  10. Chapter 10 : Encryption and Hashing
    1. Encryption Overview
    2. Encryption Use Cases
    3. Hashing Overview
    4. Hashing Demo
    5. Public Key Infrastructure (PKI)
    6. Password Management
    7. Password Demo
  11. Chapter 11 : DevSecOps and Secure CICD
    1. DevOps
    2. DevSecOps
    3. DevSecOps Design
    4. DevSecOps Code
    5. DevSecOps Analysis
    6. DevSecOps Build
    7. DevSecOps Operations
    8. Secure CICD
    9. Secure CICD Demo
  12. Chapter 12 : Security Scanning and Testing
    1. SAST (Static Application Security Testing)
    2. CodeQL Demo
    3. DAST (Dynamic Application Security Testing)
    4. DAST Demo
    5. IAST (Interactive Application Security Testing)
    6. ASPM (Application Security Posture Management)
    7. ASPM Demo
    8. RASP (Runtime Application Self-Protection)
    9. WAF (Web Application Firewall)
    10. Penetration Testing
    11. Fuzz Testing
  13. Chapter 13 : Conclusion
    1. Conclusion

Product information

  • Title: Fundamentals of Secure Software
  • Author(s): Derek Fisher
  • Release date: December 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781837636815