Alice and Bob Learn Secure Coding - Tanya Janca
- Format: Paperback
Overview: Alice And Bob Learn Secure Coding by Tanya Janca, paperback
- Book
Summary (table of contents):
- Foreword
- Introduction
- Part I General Advice
- Chapter 1 Introductory Security Fundamentals: Assume All Other Systems and Data Are Insecure; The CIA Triad; Least Privilege; Secure Defaults/Paved Roads; Assume Breach / Plan For Failure; Zero Trust; Defense in Depth; Supply Chain Security; Security by Obscurity; Attack Surface Reduction; Usable Security; Fail Closed/Safe, Then Roll Back; Compliance, Laws, and Regulations; Security Frameworks; Learning from Mistakes and Sharing Those Lessons; Backward Compatibility (and Potential Risks It Introduces); Threat Modeling; The Difficulty of Patching; Retesting Fixes for New Security Bugs; Chapter Exercises
- Chapter 2 Beginning: Follow a Secure System Development Life Cycle; Use a Modern Framework and All Available Security Features Within; Input Validation; Output Encoding; Examples of Output Encoding; HTML Context; JavaScript Context; Parameterized Queries and ORMs; Authentication and Identity; Authorization and Access Control; Access Control Models; Logical Access Control Methods (Implementation); Session Management; Secret Management; Password Management; Communication Security (Cryptography and HTTPS Only); Protecting Sensitive Data; Security Headers; New Security Header Features; Fetch Metadata Request Headers; Content Security Policy Header; Strict-Dynamic; Trusted-Types; Security Headers Previously Covered; Content-Security-Policy Header; HTTP Strict-Transport-Security; X-Frame-Options; X-Content-Type-Options; Permissions Policy; Expect-CT; Referrer-Policy; Public Key Pinning Extension for HTTP (HPKP); X-XSS-Protection; More New Headers; Same-Origin Policy; COEP: Cross-Origin Embedder Policy; COOP: Cross-Origin Opener Policy; CORP: Cross-Origin Resource Policy; CORS: Cross-Origin Resource Sharing; CORB: Cross-Origin Read Blocking; Secure Cookies; Error Handling; Chapter Exercises
- Chapter 3 Improving: Database Security; Four Perspectives for Protecting Databases; File Management; File Uploads; Your Source Code; Memory Management (Buffer, Stack, String, and Integer Overflows); How Do We Avoid Overflows?; (De)Serialization; Privacy (User/Citizen/Customer/Employee); Errors; Logging, Monitoring, and Alerting; Fail Closed; Locking Resources; Enabling Password Managers; Cryptographic Practices; Strongly Typed Languages; Strongly Typed Languages; Weakly Typed Programming Languages; Domain-Driven Development; Memory-Safe Languages; Chapter Exercises
- Chapter 4 Achieving: Secure Design; How much is enough (design) security?; Dependency Management and Supply Chain Security; Dependency Security; Checking If Dependencies Are Safe to Use; Supply Chain Security; Secure Defaults; Secure Defaults for Users; Secure Defaults for Developers; Readable and Auditable Code; Impo...
Biography: Tanya Janca, aka SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security and Cards Against AppSec. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and Hacker of the Year), spoken all over the planet, and is a prolific blogger. Tanya has trained thousands of software developers and IT security professionals via her online academies (We Hack Purple and Semgrep Academy) and her live training programs. Having performed counter-terrorism, led security for the 52nd Canadian general election, and developed or secured countless applications, Tanya Janca is widely considered an international authority on the security of software.