Alice and Bob Learn Application Security. Tanya JancaЧитать онлайн книгу.
Part III: Helpful Information on How to Continue to Create Very Good Code CHAPTER 9: Good Habits Password Management Multi-Factor Authentication Incident Response Fire Drills Continuous Scanning Technical Debt Inventory Other Good Habits Summary Exercises CHAPTER 10: Continuous Learning What to Learn Take Action Exercises Learning Plan CHAPTER 11: Closing Thoughts Lingering Questions Conclusion
6 APPENDIX A: Resources Introduction Chapter 1: Security Fundamentals Chapter 2: Security Requirements Chapter 3: Secure Design Chapter 4: Secure Code Chapter 5: Common Pitfalls Chapter 6: Testing and Deployment Chapter 7: An AppSec Program Chapter 8: Securing Modern Applications and Systems Chapter 9: Good Habits Chapter 10: Continuous Learning
7 APPENDIX B: Answer Key Chapter 1: Security Fundamentals Chapter 2: Security Requirements Chapter 3: Secure Design Chapter 4: Secure Code Chapter 5: Common Pitfalls Chapter 6: Testing and Deployment Chapter 7: An AppSec Program Chapter 8: Securing Modern Applications and Systems Chapter 9: Good Habits Chapter 10: Continuous Learning
8 Index
List of Illustrations
1 IntroductionFigure I-1: System Development Life Cycle (SDLC)Figure I-2: Shifting/Pushing Left
2 Chapter 1Figure 1-1: The CIA Triad is the reason IT Security teams exist.Figure 1-2: Confidentiality: keeping things safeFigure 1-3: Integrity means accuracy.Figure 1-4: Resilience improves availability.Figure 1-5: Three layers of security for an application; an example of defens...Figure 1-6: A possible supply chain for Bob’s doll houseFigure 1-7: Example of an application calling APIs and when to authenticate
3 Chapter 2Figure 2-1: The System Development Life Cycle (SDLC)Figure 2-2: Data classifications Bob uses at workFigure 2-3: Forgotten password flowchartFigure 2-4: Illustration of a web proxy intercepting web traffic
4 Chapter 3Figure 3-1: The System Development Life Cycle (SDLC)Figure 3-2: Flaws versus bugsFigure 3-3: Approximate cost to fix security bugs and flaws during the SDLCFigure 3-4: Pushing leftFigure 3-5: Using a web proxy to circumvent JavaScript validationFigure 3-6: Example of very basic attack tree for a run-tracking mobile app
5 Chapter 4Figure 4-1: Input validation flowchart for untrusted dataFigure 4-2: Session management flow example
6 Chapter 5Figure 5-1: CRSF flowchartFigure 5-2: SSRF flowchart
7 Chapter 6Figure 6-1: Continuous Integration/Continuous Delivery (CI/CD)
8 Chapter 7Figure 7-1: Security activities added to the SDLC
9 Chapter 8Figure 8-1: Simplified microservice architectureFigure 8-2: Microservice architecture with API gatewayFigure 8-3: Infrastructure as Code workflowFigure 8-4: File integrity monitoring and application control tooling at work...
Guide
1 Cover
2 Table of Contents
Pages
1 iii
2 xxi
3 xxii
4