Table of Contents

Foreword xxi

Introduction xxiii

Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1

Chapter 1 Security Fundamentals 3

The Security Mandate: CIA 3

Confidentiality 4

Integrity 5

Availability 5

Assume Breach 7

Insider Threats 8

Defense in Depth 9

Least Privilege 11

Supply Chain Security 11

Security by Obscurity 13

Attack Surface Reduction 14

Hard Coding 15

Never Trust, Always Verify 15

Usable Security 17

Factors of Authentication 18

Exercises 20

Chapter 2 Security Requirements 21

Requirements 22

Encryption 23

Never Trust System Input 24

Encoding and Escaping 28

Third-Party Components 29

Security Headers: Seatbelts for Web Apps 31

Security Headers in Action 32

X-XSS-Protection 32

Content-Security-Policy (CSP) 32

X-Frame-Options 35

X-Content-Type-Options 36

Referrer-Policy 36

Strict-Transport-Security (HSTS) 37

Feature-Policy 38

X-Permitted-Cross-Domain-Policies 39

Expect-CT 39

Public Key Pinning Extension for HTTP (HPKP) 41

Securing Your Cookies 42

The Secure Flag 42

The HttpOnly Flag 42

Persistence 43

Domain 43

Path 44

Same-Site 44

Cookie Prefixes 45

Data Privacy 45

Data Classification 45

Passwords, Storage, and Other Important Decisions 46

HTTPS Everywhere 52

TLS Settings 53

Comments 54

Backup and Rollback 54

Framework Security Features 54

Technical Debt = Security Debt 55

File Uploads 56

Errors and Logging 57

Input Validation and Sanitization 58

Authorization and Authentication 59

Parameterized Queries 59

URL Parameters 60

Least Privilege 60

Requirements Checklist 61

Exercises 63

Chapter 3 Secure Design 65

Design Flaw vs. Security Bug 66

Discovering a Flaw Late 67

Pushing Left 68

Secure Design Concepts 68

Protecting Sensitive Data 68

Never Trust, Always Verify/Zero Trust/Assume Breach 70

Backup and Rollback 71

Server-Side Security Validation 73

Framework Security Features 74

Security Function Isolation 74

Application Partitioning 75

Secret Management 76

Re-authentication for Transactions (Avoiding CSRF) 76

Segregation of Production Data 77

Protection of Source Code 77

Threat Modeling 78

Exercises 82

Chapter 4 Secure Code 83

Selecting Your Framework and Programming Language 83

Example #1 85

Example #2 85

Example #3 86

Programming Languages and Frameworks: The Rule 87

Untrusted Data 87

HTTP Verbs 89

Identity 90

Session Management 91

Bounds Checking 93

Authentication (AuthN) 94

Authorization (AuthZ) 96

Error Handling, Logging, and Monitoring 99

Rules for Errors 100

Logging 100

Monitoring 101

Exercises 103

Chapter 5 Common Pitfalls 105

OWASP 105

Defenses and Vulnerabilities Not Previously Covered 109

Cross-Site Request Forgery 110

Server-Side Request Forgery 112

Deserialization 114

Race Conditions 115

Closing Comments 117

Exercises 117

Part II What You Should Do to Create Very Good Code 119

Chapter 6 Testing and Deployment 121

Testing Your Code 121

Code Review 122

Static Application Security Testing (SAST) 123

Software Composition Analysis (SCA) 125

Unit Tests 126

Infrastructure as Code (IaC) and Security as Code (SaC) 128

Testing Your Application 129

Manual Testing 130

Browsers 131

Developer Tools 131

Web Proxies 132

Fuzzing 133

Dynamic Application Security Testing (DAST) 133

VA/Security Assessment/PenTest 135

Testing Your Infrastructure 141

Testing Your Database 141

Testing Your APIs and Web Services 142

Testing Your Integrations 143

Testing Your Network 144

Deployment 145

Editing Code Live on a Server 146

Publishing from an IDE 146

“Homemade” Deployment Systems 147

Run Books 148

Continuous Integration/Continuous Delivery/Continuous Deployment 148

Exercises 149

Chapter 7 An AppSec Program 151

Application Security Program Goals 152

Creating and Maintaining an Application Inventory 153

Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153

Knowledge and Resources to Fix the Vulnerabilities 154

Education and Reference Materials 155

Providing Developers with Security Tools 155

Having One or More Security Activities During Each Phase of Your SDLC 156

Implementing Useful and Effective Tooling 157

An Incident Response Team That Knows When to Call You 157

Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159

Metrics 159

Experimentation 161

Feedback from Any and All Stakeholders 161

A Special Note on DevOps and Agile 162

Application Security Activities 162

Application Security Tools 164

Your Application Security Program 165

Exercises 166

Chapter 8 Securing Modern Applications and Systems 167

APIs and Microservices 168

Online Storage 171

Containers and Orchestration 172

Serverless 174

Infrastructure as Code (IaC) 175

Security as Code (SaC) 177

Platform as a Service (PaaS) 178

Infrastructure as a Service (IaaS) 179

Continuous Integration/Delivery/Deployment 180

Dev(Sec)Ops 180

DevSecOps 182

The Cloud 183

Cloud Computing 183

Cloud Native 184

Cloud Native Security 185

Cloud Workflows 185

Modern Tooling 186

Interactive Application Security Testing (IAST) 186

Runtime Application Security Protection 187

File Integrity Monitoring 187

Application Control Tools (Approved Software Lists) 187

Security Tools Created for DevOps Pipelines 188

Application Inventory Tools 188

Least Privilege and Other Policy Automation 189

Modern Tactics 189

Summary 191

Exercises 191

Part III Helpful Information on How to Continue to Create Very Good Code 193

Chapter 9 Good Habits 195

Password Management 196

Remove Password Complexity Rules 196

Use a Password Manager 197

Passphrases 198

Don’t Reuse Passwords 198

Do Not Implement Password Rotation 199

Multi-Factor Authentication 199

Incident Response 200

Fire Drills 201

Continuous Scanning 202

Technical Debt 202

Inventory 203

Other Good Habits 204

Policies 204

Downloads and Devices 204

Lock Your Machine 204

Privacy 205

Summary 206

Exercises 206

Chapter 10 Continuous Learning 207

What to Learn 208

Offensive = Defensive 208

Don’t Forget Soft Skills 208

Leadership != Management 209

Learning Options 209

Accountability 212

Create Your Plan 213

Take Action 214

Exercises 214

Learning Plan 216

Chapter 11 Closing Thoughts 217

Lingering Questions 218

When Have You Done Enough? 218

How Do You Get Management on Board? 220

How Do You Get Developers on Board? 221

Where Do You Start? 222

Where Do You Get Help? 223

Conclusion 223

Appendix A Resources 225

Introduction 225

Chapter 1: Security Fundamentals 225

Chapter 2: Security Requirements 226

Chapter 3: Secure Design 227

Chapter 4: Secure Code 228

Chapter 5: Common Pitfalls 228

Chapter 6: Testing and Deployment 229

Chapter 7: An AppSec Program 229

Chapter 8: Securing Modern Applications and Systems 230

Chapter 9: Good Habits 231

Chapter 10: Continuous Learning 231

Appendix B Answer Key 233

Chapter 1: Security Fundamentals 233

Chapter 2: Security Requirements 235

Chapter 3: Secure Design 236

Chapter 4: Secure Code 238

Chapter 5: Common Pitfalls 241

Chapter 6: Testing and Deployment 242

Chapter 7: An AppSec Program 244

Chapter 8: Securing Modern Applications and Systems 245

Chapter 9: Good Habits 247

Chapter 10: Continuous Learning 248

Index 249

Alice and Bob Learn Application Security
Paperback / softback by Tanya Janca

Publisher: John Wiley & Sons Inc
Publication Date: 04/12/2020
ISBN13: 9781119687351
ISBN10: 1119687357

© 2026 Book Curl
