BOOKPRICE.co.kr
Book price comparison site
Alice and Bob Learn Secure Coding (Paperback)

Tanya Janca (author)
Wiley
Price: 90,620 won

New books

Bookstore | Discounted price | Discount rate | Shipping | Benefits/extras | Effective lowest price
(store not shown) | 58,900 won | -35% | 0 won | 590 won | 58,310 won

Note: the search results may include other books.


Book information

· Title: Alice and Bob Learn Secure Coding (Paperback)
· Category: Foreign books > Computers > Security > Cryptography
· ISBN: 9781394171705
· Pages: 416
· Publication date: 2025-02-11

Table of Contents

Foreword xxvii
Introduction xxix

Part I General Advice 1

Chapter 1 Introductory Security Fundamentals 3
Assume All Other Systems and Data Are Insecure 3
The CIA Triad 4
Least Privilege 6
Secure Defaults/Paved Roads 8
Assume Breach / Plan For Failure 9
Zero Trust 9
Defense in Depth 10
Supply Chain Security 10
Security by Obscurity 11
Attack Surface Reduction 11
Usable Security 12
Fail Closed/Safe, Then Roll Back 12
Compliance, Laws, and Regulations 12
Security Frameworks 14
Learning from Mistakes and Sharing Those Lessons 16
Backward Compatibility (and Potential Risks It Introduces) 16
Threat Modeling 16
The Difficulty of Patching 17
Retesting Fixes for New Security Bugs 18
Chapter Exercises 19

Chapter 2 Beginning 21
Follow a Secure System Development Life Cycle 21
Use a Modern Framework and All Available Security Features Within 22
Input Validation 23
Output Encoding 26
Examples of Output Encoding 27
HTML Context 28
JavaScript Context 28
Parameterized Queries and ORMs 29
Authentication and Identity 31
Authorization and Access Control 32
Access Control Models 33
Logical Access Control Methods (Implementation) 34
Session Management 34
Secret Management 35
Password Management 37
Communication Security (Cryptography and HTTPS Only) 39
Protecting Sensitive Data 40
Security Headers 43
New Security Header Features 43
Fetch Metadata Request Headers 43
Content Security Policy Header 44
Strict-Dynamic 44
Trusted-Types 44
Security Headers Previously Covered 44
Content-Security-Policy Header 45
HTTP Strict-Transport-Security 45
X-Frame-Options 45
X-Content-Type-Options 45
Permissions Policy 46
Expect-CT 46
Referrer-Policy 46
Public Key Pinning Extension for HTTP (HPKP) 46
X-XSS-Protection 46
More New Headers 46
Same-Origin Policy 47
COEP: Cross-Origin Embedder Policy 47
COOP: Cross-Origin Opener Policy 48
CORP: Cross-Origin Resource Policy 48
CORS: Cross-Origin Resource Sharing 48
CORB: Cross-Origin Read Blocking 49
Secure Cookies 50
Error Handling 51
Chapter Exercises 52

Chapter 3 Improving 55
Database Security 56
Four Perspectives for Protecting Databases 56
File Management 59
File Uploads 61
Your Source Code 62
Memory Management (Buffer, Stack, String, and Integer Overflows) 63
How Do We Avoid Overflows? 64
(De)Serialization 66
Privacy (User/Citizen/Customer/Employee) 67
Errors 69
Logging, Monitoring, and Alerting 72
Fail Closed 73
Locking Resources 73
Enabling Password Managers 74
Cryptographic Practices 75
Strongly Typed Languages 76
Weakly Typed Programming Languages 77
Domain-Driven Development 78
Memory-Safe Languages 79
Chapter Exercises 80

Chapter 4 Achieving 81
Secure Design 82
How much is “enough” (design) security? 84
Dependency Management and Supply Chain Security 85
Dependency Security 86
Checking If Dependencies Are Safe to Use 87
Supply Chain Security 87
Secure Defaults 90
Secure Defaults for Users 90
Secure Defaults for Developers 92
Readable and Auditable Code 93
Important Functions Happen on Trusted Systems 96
What Is an “Untrusted” System? 96
What Are “Important Functions”? 97
Putting It Together 97
Allowlists versus Blocklists 97
Why Are Block Lists Bad? 98
How Do We Create an Allowlist? 98
Secure Configurations 99
Hostname Validation 100
Reusable Code 100
Safe System Calls 102
Mitigating Circumstances 102
Commenting and Other Documentation 102
Comments 103
Documentation 104
Verification of User Consent 106
Integrity Checks, Code Signing, and Immutable Builds 107
Immutable Builds 108
Avoiding Brute Force 109
Security Controls 110
Handling Elevated Privileges 111
Security Maintenance 112
Repaying Technical Debt 113
Chapter Exercises 114

Summary of Part I 117
Checklist of General Secure Coding Advice 117

Part II Specific Advice 125

Chapter 5 Technology-Specific 127
API Security Best Practices 127
Mobile Application Security Best Practices 134
WebSocket Security Best Practices 137
Serverless Security Best Practices 138
IoT Security Best Practices 140
Chapter Exercises 141

Chapter 6 Popular Programming Languages 143
JavaScript 143
HTML/CSS 148
HTML5, Specifically 149
Python 151
SQL 154
Node.js 157
Java 160
Serialization in Java 164
TypeScript 165
C# 166
PHP 170
C/C++ 175
Conclusion 178
Chapter Exercises 179

Chapter 7 Popular Frameworks 181
Web and JavaScript 181
Express 182
React.js 184
Angular 186
jQuery 190
Vue.js 192
Other Frameworks and Libraries 194
.NET (Core) 194
Ruby on Rails 199
Spring and Spring Boot 204
Flask 207
Chapter Exercises 210

Chapter 8 Vulnerability Categories 211
Design Flaws / Logic Flaws 212
How Does This Happen? 213
The Risk 213
Prevention 214
Code Bugs / Implementation Errors 215
How Does This Happen? 215
The Risk 215
Prevention 215
Overflows and Other Memory Issues 216
Overflows 216
Buffer Overreads 217
Invalid Page Faults 217
Use After Free 218
Uninitialized Variables 218
Memory Leaks 218
How Does This Happen? 219
The Risk 219
Prevention 219
Injection: Interpreter and Compiler Issues 220
How Does This Happen? 221
The Risk 221
Prevention 221
Input Issues 222
How Does This Happen? 223
The Risk 223
Prevention 223
Authentication and Identity Issues 223
How Does This Happen? 224
The Risk 224
Prevention 224
Authorization and Access Issues 225
How Does This Happen? 225
Configuration and Implementation Issues 225
How Does This Happen? 226
The Risk 226
Prevention 226
Fraudulent Transactions 227
How Does This Happen? 227
The Risk 227
Prevention 228
Replay Attacks 228
How Does This Happen? 228
The Risk 229
Prevention 229
Crossing Trust Boundaries 229
How Does This Happen? 230
The Risk 230
Prevention 230
File Handling Issues 230
How Does This Happen? 231
The Risk 231
Prevention 231
Object Handling Issues 232
Prominent Features of OOP 232
Deserialization and Other Object Handling Issues 234
How Does This Happen? 234
The Risk 234
Prevention 234
Secrets Management Issues 235
How Does This Happen? 236
The Risk 236
Prevention 236
Race Conditions and Timing Issues 237
How Does This Happen? 237
The Risk 238
Prevention 238
Resource Issues 240
How Does This Happen? 240
The Risk 241
Prevention 241
Falling into an Unknown State 241
How Does This Happen? 242
The Risk 242
Prevention 242
Chapter Exercises 243

Summary of Part II 245
Checklist of Technology-Specific Secure Coding Advice 245
Checklist of Secure Coding Advice for Languages and Frameworks 246
Summary of Vulnerability Issues to Watch For 248

Part III Secure System Development Life Cycle 251

Chapter 9 Requirements 253
Project Kick-Off: Outline of Your Project’s Security Activities 253
Project Scheduling and Planning 254
Security Requirements 255
Chapter Exercises 257

Chapter 10 Design 259
Threat Modeling 260
Secure Design Patterns and Concepts 262
Architecture Whiteboarding 263
Examining Data Flows 263
Security User Stories 264
Chapter Exercises 265

Chapter 11 Coding 267
Training 267
Organizations 269
Individuals 270
Code Review 270
First- and Second-Generation Static Analysis Tools 271
Secure Guardrails 272
IDE Plugins and Other Guidance 273
Verifying That Your Dependencies Are Safe (SCA) 274
How Do You Decide Which Dependencies Are Worth Updating or Changing? 274
Finding and Managing Secrets 275
Dynamic Testing (DAST) 276
Chapter Exercises 278

Chapter 12 Testing 279
Test Coverage and Timing 280
Depth Versus Coverage 281
Scanning Your Infrastructure 281
Production or Lower-Level Environments 281
Scoping 282
Timing 282
Manual Testing 284
Automated Testing 286
Fuzzing 287
Interactive Application Security Testing (IAST) 288
Bug Bounty Programs 289
Test Results 290
Actioning Test Results 291
Final Thoughts 293
Chapter Exercises 293

Chapter 13 Release/Deployment 295
Security Events Within the CI/CD 296
Breaking the Build 297
Secret Scanning 298
Static Analysis 298
Dynamic Analysis 298
Software Composition Analysis 299
Linting 299
Infrastructure as Code Scanners 299
Securing the CI/CD Pipeline Itself 299
Assuring the Integrity of Your Release 302
Security Release Approval 303
Chapter Exercises 304

Chapter 14 Maintenance 305
Monitoring, Alerting, and Observability 306
Blocking/Shielding 308
Web Application Firewalls (WAFs) 309
Content Delivery Networks (CDNs) 309
Runtime Application Self-Protection (RASP) 310
Virtual Patching 310
API Gateways 310
A Special Note for Data Scientists 311
Continuous Testing 312
Security Incidents 313
Business Continuity and Disaster Recovery Planning 315
Chapter Exercises 317

Chapter 15 Conclusion 319
Good Habits 319
Your Responsibility 322
How Much Is Enough? 323
Using Artificial Intelligence Safely 325
Continuous Learning 327
Becoming a Champion 328
Getting Others on Board 330
Transitioning onto the Security Team 330
Applying for Security Jobs Outside of Your Organization 331
Conclusion 335

Summary of Part III 339
Checklist of Security Activities for Each Phase of the SDLC 339

Appendix A Resources 343
Chapter 1: Introductory Security Fundamentals 343
Chapter 2: Beginning 344
Chapter 3: Improving 345
Chapter 4: Achieving 347
Chapter 5: Technology-Specific 349
Chapter 6: Popular Programming Languages 351
Chapter 7: Popular Frameworks 355
Chapter 8: Vulnerability Categories 357
Chapter 10: Design 359
Chapter 11: Coding 359
Chapter 12: Testing 359
Chapter 13: Release/Deployment 360
Chapter 14: Maintenance 360

Appendix B Answer Keys 361
Chapter 1: Introductory Security Fundamentals 361
Chapter 2: Beginning 363
Chapter 3: Improving 364
Chapter 4: Achieving 365
Chapter 5: Technology-Specific 368
Chapter 8: Vulnerability Categories 370
Chapter 9: Requirements 371
Chapter 11: Coding 372
Chapter 12: Testing 373
Chapter 13: Release/Deployment 374
Chapter 14: Maintenance 375

Index 377

Book database provided by Aladin bookstore (www.aladin.co.kr)