Alice and Bob Learn Secure Coding
International Edition

About the Book

Unlock the power of secure coding with this straightforward and approachable guide!

Discover a game-changing resource that caters to developers of all levels with Alice and Bob Learn Secure Coding. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as Angular, .Net, and React. Uncover the secrets to combatting vulnerabilities by securing your code from the ground up!

Topics include:

  • Secure coding in Python, Java, JavaScript, C/C++, SQL, C#, PHP, and more
  • Security for popular frameworks, including Angular, Express, React, .Net, and Spring
  • Security Best Practices for APIs, Mobile, WebSockets, Serverless, IoT, and Service Mesh
  • Major vulnerability categories, how they happen, the risks, and how to avoid them
  • The Secure System Development Life Cycle, in depth
  • Threat modeling, testing, and code review
  • The agnostic fundamentals of creating secure code that apply to any language or framework


Alice and Bob Learn Secure Coding is designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals. Immerse yourself in practical examples and concrete applications that will deepen your understanding and retention of critical security principles.

Alice and Bob Learn Secure Coding illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within. Don't miss this opportunity to strengthen your knowledge; let Alice and Bob guide you to a secure and successful coding future.



Table of Contents:

Foreword xxvii 

Introduction xxix 

Part I General Advice 1 

Chapter 1 Introductory Security Fundamentals 3 

Assume All Other Systems and Data Are Insecure 3 

The CIA Triad 4 

Least Privilege 6 

Secure Defaults/Paved Roads 8 

Assume Breach / Plan For Failure 9 

Zero Trust 9 

Defense in Depth 10 

Supply Chain Security 10 

Security by Obscurity 11 

Attack Surface Reduction 11 

Usable Security 12 

Fail Closed/Safe, Then Roll Back 12 

Compliance, Laws, and Regulations 12 

Security Frameworks 14 

Learning from Mistakes and Sharing Those Lessons 16 

Backward Compatibility (and Potential Risks It Introduces) 16 

Threat Modeling 16 

The Difficulty of Patching 17 

Retesting Fixes for New Security Bugs 18 

Chapter Exercises 19 

Chapter 2 Beginning 21 

Follow a Secure System Development Life Cycle 21 

Use a Modern Framework and All Available Security Features Within 22 

Input Validation 23 

Output Encoding 26 

Examples of Output Encoding 27 

HTML Context 28 

JavaScript Context 28 

Parameterized Queries and ORMs 29 

Authentication and Identity 31 

Authorization and Access Control 32 

Access Control Models 33 

Logical Access Control Methods (Implementation) 34 

Session Management 34 

Secret Management 35  

Password Management 37 

Communication Security (Cryptography and HTTPS Only) 39 

Protecting Sensitive Data 40 

Security Headers 43 

New Security Header Features 43 

Fetch Metadata Request Headers 43 

Content Security Policy Header 44 

Strict-Dynamic 44 

Trusted-Types 44 

Security Headers Previously Covered 44 

Content-Security-Policy Header 45 

HTTP Strict-Transport-Security 45 

X-Frame-Options 45 

X-Content-Type-Options 45 

Permissions Policy 46 

Expect-CT 46 

Referrer-Policy 46 

Public Key Pinning Extension for HTTP (HPKP) 46 

X-XSS-Protection 46 

More New Headers 46 

Same-Origin Policy 47 

COEP: Cross-Origin Embedder Policy 47 

COOP: Cross-Origin Opener Policy 48 

CORP: Cross-Origin Resource Policy 48 

CORS: Cross-Origin Resource Sharing 48 

CORB: Cross-Origin Read Blocking 49 

Secure Cookies 50 

Error Handling 51 

Chapter Exercises 52 

Chapter 3 Improving 55 

Database Security 56 

Four Perspectives for Protecting Databases 56 

File Management 59 

File Uploads 61 

Your Source Code 62 

Memory Management (Buffer, Stack, String, and Integer Overflows) 63 

How Do We Avoid Overflows? 64 

(De)Serialization 66 

Privacy (User/Citizen/Customer/Employee) 67 

Errors 69 

Logging, Monitoring, and Alerting 72 

Fail Closed 73 

Locking Resources 73 

Enabling Password Managers 74 

Cryptographic Practices 75 

Strongly Typed Languages 76 

Strongly Typed Languages 76 

Weakly Typed Programming Languages 77 

Domain-Driven Development 78 

Memory-Safe Languages 79 

Chapter Exercises 80 

Chapter 4 Achieving 81 

Secure Design 82 

How much is “enough” (design) security? 84 

Dependency Management and Supply Chain Security 85 

Dependency Security 86 

Checking If Dependencies Are Safe to Use 87 

Supply Chain Security 87 

Secure Defaults 90 

Secure Defaults for Users 90 

Secure Defaults for Developers 92 

Readable and Auditable Code 93 

Important Functions Happen on Trusted Systems 96 

What Is an “Untrusted” System? 96 

What Are “Important Functions”? 97 

Putting It Together 97 

Allowlists versus Blocklists 97 

Why Are Block Lists Bad? 98 

How Do We Create an Allowlist? 98 

Secure Configurations 99 

Hostname Validation 100 

Reusable Code 100 

Safe System Calls 102 

Mitigating Circumstances 102 

Commenting and Other Documentation 102 

Comments 103 

Documentation 104 

Verification of User Consent 106 

Integrity Checks, Code Signing, and Immutable Builds 107 

Immutable Builds 108 

Avoiding Brute Force 109 

Security Controls 110 

Handling Elevated Privileges 111 

Security Maintenance 112 

Repaying Technical Debt 113 

Chapter Exercises 114 

Summary of Part I 117 

Checklist of General Secure Coding Advice 117 

Part II Specific Advice 125 

Chapter 5 Technology-Specific 127 

API Security Best Practices 127 

Mobile Application Security Best Practices 134 

WebSocket Security Best Practices 137 

Serverless Security Best Practices 138 

IoT Security Best Practices 140 

Chapter Exercises 141 

Chapter 6 Popular Programming Languages 143 

JavaScript 143 

HTML/CSS 148

HTML5, Specifically 149 

Python 151 

SQL 154

Node.js 157 

Java 160 

Serialization in Java 164 

TypeScript 165 

C# 166 

PHP 170

C/C++ 175

Conclusion 178 

Chapter Exercises 179 

Chapter 7 Popular Frameworks 181 

Web and JavaScript 181 

Express 182 

React.js 184 

Angular 186 

jQuery 190 

Vue.js 192 

Other Frameworks and Libraries 194 

.NET (Core) 194 

Ruby on Rails 199 

Spring and Spring Boot 204 

Flask 207 

Chapter Exercises 210 

Chapter 8 Vulnerability Categories 211 

Design Flaws / Logic Flaws 212 

How Does This Happen? 213 

The Risk 213 

Prevention 214 

Code Bugs / Implementation Errors 215 

How Does This Happen? 215 

The Risk 215 

Prevention 215 

Overflows and Other Memory Issues 216 

Overflows 216 

Buffer Overreads 217 

Invalid Page Faults 217 

Use After Free 218 

Uninitialized Variables 218 

Memory Leaks 218 

How Does This Happen? 219 

The Risk 219 

Prevention 219 

Injection: Interpreter and Compiler Issues 220 

How Does This Happen? 221 

The Risk 221 

Prevention 221 

Input Issues 222 

How Does This Happen? 223 

The Risk 223 

Prevention 223 

Authentication and Identity Issues 223 

How Does This Happen? 224 

The Risk 224 

Prevention 224 

Authorization and Access Issues 225 

How Does This Happen? 225 

Configuration and Implementation Issues 225 

How Does This Happen? 226 

The Risk 226 

Prevention 226 

Fraudulent Transactions 227 

How Does This Happen? 227 

The Risk 227 

Prevention 228 

Replay Attacks 228 

How Does This Happen? 228 

The Risk 229 

Prevention 229 

Crossing Trust Boundaries 229 

How Does This Happen? 230 

The Risk 230 

Prevention 230 

File Handling Issues 230 

How Does This Happen? 231 

The Risk 231 

Prevention 231 

Object Handling Issues 232 

Prominent Features of OOP 232 

Deserialization and Other Object Handling Issues 234 

How Does This Happen? 234 

The Risk 234 

Prevention 234 

Secrets Management Issues 235 

How Does This Happen? 236 

The Risk 236 

Prevention 236 

Race Conditions and Timing Issues 237 

How Does This Happen? 237 

The Risk 238 

Prevention 238 

Resource Issues 240 

How Does This Happen? 240 

The Risk 241 

Prevention 241 

Falling into an Unknown State 241 

How Does This Happen? 242 

The Risk 242 

Prevention 242 

Chapter Exercises 243 

Summary of Part II 245 

Checklist of Technology-Specific Secure Coding Advice 245 

Checklist of Secure Coding Advice for Languages and Frameworks 246 

Summary of Vulnerability Issues to Watch For 248 

Part III Secure System Development Life Cycle 251 

Chapter 9 Requirements 253 

Project Kick-Off: Outline of Your Project’s Security Activities 253 

Project Scheduling and Planning 254  

Security Requirements 255 

Chapter Exercises 257 

Chapter 10 Design 259 

Threat Modeling 260 

Secure Design Patterns and Concepts 262 

Architecture Whiteboarding 263 

Examining Data Flows 263 

Security User Stories 264 

Chapter Exercises 265 

Chapter 11 Coding 267 

Training 267 

Organizations 269 

Individuals 270 

Code Review 270 

First- and Second-Generation Static Analysis Tools 271 

Secure Guardrails 272 

IDE Plugins and Other Guidance 273 

Verifying That Your Dependencies Are Safe (SCA) 274 

How Do You Decide Which Dependencies Are Worth Updating or Changing? 274 

Finding and Managing Secrets 275 

Dynamic Testing (DAST) 276 

Chapter Exercises 278 

Chapter 12 Testing 279 

Test Coverage and Timing 280 

Depth Versus Coverage 281 

Scanning Your Infrastructure 281 

Production or Lower-Level Environments 281 

Scoping 282 

Timing 282 

Manual Testing 284 

Automated Testing 286 

Fuzzing 287 

Interactive Application Security Testing (IAST) 288 

Bug Bounty Programs 289 

Test Results 290 

Actioning Test Results 291 

Final Thoughts 293 

Chapter Exercises 293 

Chapter 13 Release/Deployment 295 

Security Events Within the CI/CD 296 

Breaking the Build 297 

Secret Scanning 298 

Static Analysis 298 

Dynamic Analysis 298 

Software Composition Analysis 299 

Linting 299 

Infrastructure as Code scanners 299 

Securing the CI/CD Pipeline Itself 299 

Assuring the Integrity of Your Release 302 

Security Release Approval 303 

Chapter Exercises 304 

Chapter 14 Maintenance 305 

Monitoring, Alerting, and Observability 306 

Blocking/Shielding 308 

Web Application Firewalls (WAFs) 309 

Content Delivery Networks (CDNs) 309 

Runtime Application Self-Protection (RASP) 310 

Virtual Patching 310 

API Gateways 310 

A Special Note for Data Scientists 311 

Continuous Testing 312 

Security Incidents 313 

Business Continuity and Disaster Recovery Planning 315 

Chapter Exercises 317 

Chapter 15 Conclusion 319 

Good Habits 319 

Your Responsibility 322 

How Much Is Enough? 323 

Using Artificial Intelligence Safely 325 

Continuous Learning 327 

Becoming a Champion 328 

Getting Others on Board 330 

Transitioning onto the Security Team 330 

Applying for Security Jobs Outside of Your Organization 331 

Conclusion 335 

Summary of Part III 339 

Checklist of Security Activities for Each Phase of the SDLC 339 

Appendix A Resources 343 

Chapter 1: Introductory Security Fundamentals 343 

Chapter 2: Beginning 344 

Chapter 3: Improving 345 

Chapter 4: Achieving 347 

Chapter 5: Technology-Specific 349 

Chapter 6: Popular Programming Languages 351 

Chapter 7: Popular Frameworks 355 

Chapter 8: Vulnerability Categories 357 

Chapter 10: Design 359 

Chapter 11: Coding 359 

Chapter 12: Testing 359 

Chapter 13: Release/Deployment 360 

Chapter 14: Maintenance 360 

Appendix B Answer Keys 361 

Chapter 1: Introductory Security Fundamentals 361 

Chapter 2: Beginning 363 

Chapter 3: Improving 364 

Chapter 4: Achieving 365 

Chapter 5: Technology-Specific 368 

Chapter 8: Vulnerability Categories 370 

Chapter 9: Requirements 371 

Chapter 11: Coding 372 

Chapter 12: Testing 373 

Chapter 13: Release/Deployment 374 

Chapter 14: Maintenance 375 

Index 377


Product Details
  • ISBN-13: 9781394171705
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 229 mm
  • No of Pages: 416
  • Spine Width: 15 mm
  • Width: 180 mm
  • ISBN-10: 1394171706
  • Publisher Date: 13 Feb 2025
  • Binding: Paperback
  • Language: English
  • Returnable: Y
  • Weight: 750 gr

