Table of Contents
Foreword xxvii 
 Introduction xxix 
 Part I General Advice 1 
 Chapter 1 Introductory Security Fundamentals 3 
 Assume All Other Systems and Data Are Insecure 3 
 The CIA Triad 4 
 Least Privilege 6 
 Secure Defaults/Paved Roads 8 
 Assume Breach / Plan For Failure 9 
 Zero Trust 9 
 Defense in Depth 10 
 Supply Chain Security 10 
 Security by Obscurity 11 
 Attack Surface Reduction 11 
 Usable Security 12 
 Fail Closed/Safe, Then Roll Back 12 
 Compliance, Laws, and Regulations 12 
 Security Frameworks 14 
 Learning from Mistakes and Sharing Those Lessons 16 
 Backward Compatibility (and Potential Risks It Introduces) 16 
 Threat Modeling 16 
 The Difficulty of Patching 17 
 Retesting Fixes for New Security Bugs 18 
 Chapter Exercises 19 
 Chapter 2 Beginning 21 
 Follow a Secure System Development Life Cycle 21 
 Use a Modern Framework and All Available Security Features Within 22 
 Input Validation 23 
 Output Encoding 26 
 Examples of Output Encoding 27 
 HTML Context 28 
 JavaScript Context 28 
 Parameterized Queries and ORMs 29 
 Authentication and Identity 31 
 Authorization and Access Control 32 
 Access Control Models 33 
 Logical Access Control Methods (Implementation) 34 
 Session Management 34 
 Secret Management 35  
 Password Management 37 
 Communication Security (Cryptography and HTTPS Only) 39 
 Protecting Sensitive Data 40 
 Security Headers 43 
 New Security Header Features 43 
 Fetch Metadata Request Headers 43 
 Content Security Policy Header 44 
 Strict-Dynamic 44 
 Trusted-Types 44 
 Security Headers Previously Covered 44 
 Content-Security-Policy Header 45 
 HTTP Strict-Transport-Security 45 
 X-Frame-Options 45 
 X-Content-Type-Options 45 
 Permissions Policy 46 
 Expect-CT 46 
 Referrer-Policy 46 
 Public Key Pinning Extension for HTTP (HPKP) 46 
 X-XSS-Protection 46 
 More New Headers 46 
 Same-Origin Policy 47 
 COEP: Cross-Origin Embedder Policy 47 
 COOP: Cross-Origin Opener Policy 48 
 CORP: Cross-Origin Resource Policy 48 
 CORS: Cross-Origin Resource Sharing 48 
 CORB: Cross-Origin Read Blocking 49 
 Secure Cookies 50 
 Error Handling 51 
 Chapter Exercises 52 
 Chapter 3 Improving 55 
 Database Security 56 
 Four Perspectives for Protecting Databases 56 
 File Management 59 
 File Uploads 61 
 Your Source Code 62 
 Memory Management (Buffer, Stack, String, and Integer Overflows) 63 
 How Do We Avoid Overflows? 64 
 (De)Serialization 66 
 Privacy (User/Citizen/Customer/Employee) 67 
 Errors 69 
 Logging, Monitoring, and Alerting 72 
 Fail Closed 73 
 Locking Resources 73 
 Enabling Password Managers 74 
 Cryptographic Practices 75 
 Strongly Typed Languages 76 
 Strongly Typed Languages 76 
 Weakly Typed Programming Languages 77 
 Domain-Driven Development 78 
 Memory-Safe Languages 79 
 Chapter Exercises 80 
 Chapter 4 Achieving 81 
 Secure Design 82 
 How Much Is “Enough” (Design) Security? 84 
 Dependency Management and Supply Chain Security 85 
 Dependency Security 86 
 Checking If Dependencies Are Safe to Use 87 
 Supply Chain Security 87 
 Secure Defaults 90 
 Secure Defaults for Users 90 
 Secure Defaults for Developers 92 
 Readable and Auditable Code 93 
 Important Functions Happen on Trusted Systems 96 
 What Is an “Untrusted” System? 96 
 What Are “Important Functions”? 97 
 Putting It Together 97 
 Allowlists versus Blocklists 97 
 Why Are Blocklists Bad? 98 
 How Do We Create an Allowlist? 98 
 Secure Configurations 99 
 Hostname Validation 100 
 Reusable Code 100 
 Safe System Calls 102 
 Mitigating Circumstances 102 
 Commenting and Other Documentation 102 
 Comments 103 
 Documentation 104 
 Verification of User Consent 106 
 Integrity Checks, Code Signing, and Immutable Builds 107 
 Immutable Builds 108 
 Avoiding Brute Force 109 
 Security Controls 110 
 Handling Elevated Privileges 111 
 Security Maintenance 112 
 Repaying Technical Debt 113 
 Chapter Exercises 114 
 Summary of Part I 117 
 Checklist of General Secure Coding Advice 117 
 Part II Specific Advice 125 
 Chapter 5 Technology-Specific 127 
 API Security Best Practices 127 
 Mobile Application Security Best Practices 134 
 WebSocket Security Best Practices 137 
 Serverless Security Best Practices 138 
 IoT Security Best Practices 140 
 Chapter Exercises 141 
 Chapter 6 Popular Programming Languages 143 
 JavaScript 143 
 HTML/CSS 148 
 HTML5, Specifically 149 
 Python 151 
 SQL 154 
 Node.js 157 
 Java 160 
 Serialization in Java 164 
 TypeScript 165 
 C# 166 
 PHP 170 
 C/C++ 175 
 Conclusion 178 
 Chapter Exercises 179 
 Chapter 7 Popular Frameworks 181 
 Web and JavaScript 181 
 Express 182 
 React.js 184 
 Angular 186 
 jQuery 190 
 Vue.js 192 
 Other Frameworks and Libraries 194 
 .NET (Core) 194 
 Ruby on Rails 199 
 Spring and Spring Boot 204 
 Flask 207 
 Chapter Exercises 210 
 Chapter 8 Vulnerability Categories 211 
 Design Flaws / Logic Flaws 212 
 How Does This Happen? 213 
 The Risk 213 
 Prevention 214 
 Code Bugs / Implementation Errors 215 
 How Does This Happen? 215 
 The Risk 215 
 Prevention 215 
 Overflows and Other Memory Issues 216 
 Overflows 216 
 Buffer Overreads 217 
 Invalid Page Faults 217 
 Use After Free 218 
 Uninitialized Variables 218 
 Memory Leaks 218 
 How Does This Happen? 219 
 The Risk 219 
 Prevention 219 
 Injection: Interpreter and Compiler Issues 220 
 How Does This Happen? 221 
 The Risk 221 
 Prevention 221 
 Input Issues 222 
 How Does This Happen? 223 
 The Risk 223 
 Prevention 223 
 Authentication and Identity Issues 223 
 How Does This Happen? 224 
 The Risk 224 
 Prevention 224 
 Authorization and Access Issues 225 
 How Does This Happen? 225 
 Configuration and Implementation Issues 225 
 How Does This Happen? 226 
 The Risk 226 
 Prevention 226 
 Fraudulent Transactions 227 
 How Does This Happen? 227 
 The Risk 227 
 Prevention 228 
 Replay Attacks 228 
 How Does This Happen? 228 
 The Risk 229 
 Prevention 229 
 Crossing Trust Boundaries 229 
 How Does This Happen? 230 
 The Risk 230 
 Prevention 230 
 File Handling Issues 230 
 How Does This Happen? 231 
 The Risk 231 
 Prevention 231 
 Object Handling Issues 232 
 Prominent Features of OOP 232 
 Deserialization and Other Object Handling Issues 234 
 How Does This Happen? 234 
 The Risk 234 
 Prevention 234 
 Secrets Management Issues 235 
 How Does This Happen? 236 
 The Risk 236 
 Prevention 236 
 Race Conditions and Timing Issues 237 
 How Does This Happen? 237 
 The Risk 238 
 Prevention 238 
 Resource Issues 240 
 How Does This Happen? 240 
 The Risk 241 
 Prevention 241 
 Falling into an Unknown State 241 
 How Does This Happen? 242 
 The Risk 242 
 Prevention 242 
 Chapter Exercises 243 
 Summary of Part II 245 
 Checklist of Technology-Specific Secure Coding Advice 245 
 Checklist of Secure Coding Advice for Languages and Frameworks 246 
 Summary of Vulnerability Issues to Watch For 248 
 Part III Secure System Development Life Cycle 251 
 Chapter 9 Requirements 253 
 Project Kick-Off: Outline of Your Project’s Security Activities 253 
 Project Scheduling and Planning 254  
 Security Requirements 255 
 Chapter Exercises 257 
 Chapter 10 Design 259 
 Threat Modeling 260 
 Secure Design Patterns and Concepts 262 
 Architecture Whiteboarding 263 
 Examining Data Flows 263 
 Security User Stories 264 
 Chapter Exercises 265 
 Chapter 11 Coding 267 
 Training 267 
 Organizations 269 
 Individuals 270 
 Code Review 270 
 First- and Second-Generation Static Analysis Tools 271 
 Secure Guardrails 272 
 IDE Plugins and Other Guidance 273 
 Verifying That Your Dependencies Are Safe (SCA) 274 
 How Do You Decide Which Dependencies Are Worth Updating or Changing? 274 
 Finding and Managing Secrets 275 
 Dynamic Testing (DAST) 276 
 Chapter Exercises 278 
 Chapter 12 Testing 279 
 Test Coverage and Timing 280 
 Depth Versus Coverage 281 
 Scanning Your Infrastructure 281 
 Production or Lower-Level Environments 281 
 Scoping 282 
 Timing 282 
 Manual Testing 284 
 Automated Testing 286 
 Fuzzing 287 
 Interactive Application Security Testing (IAST) 288 
 Bug Bounty Programs 289 
 Test Results 290 
 Actioning Test Results 291 
 Final Thoughts 293 
 Chapter Exercises 293 
 Chapter 13 Release/Deployment 295 
 Security Events Within the CI/CD 296 
 Breaking the Build 297 
 Secret Scanning 298 
 Static Analysis 298 
 Dynamic Analysis 298 
 Software Composition Analysis 299 
 Linting 299 
 Infrastructure as Code Scanners 299 
 Securing the CI/CD Pipeline Itself 299 
 Assuring the Integrity of Your Release 302 
 Security Release Approval 303 
 Chapter Exercises 304 
 Chapter 14 Maintenance 305 
 Monitoring, Alerting, and Observability 306 
 Blocking/Shielding 308 
 Web Application Firewalls (WAFs) 309 
 Content Delivery Networks (CDNs) 309 
 Runtime Application Self-Protection (RASP) 310 
 Virtual Patching 310 
 API Gateways 310 
 A Special Note for Data Scientists 311 
 Continuous Testing 312 
 Security Incidents 313 
 Business Continuity and Disaster Recovery Planning 315 
 Chapter Exercises 317 
 Chapter 15 Conclusion 319 
 Good Habits 319 
 Your Responsibility 322 
 How Much Is Enough? 323 
 Using Artificial Intelligence Safely 325 
 Continuous Learning 327 
 Becoming a Champion 328 
 Getting Others on Board 330 
 Transitioning onto the Security Team 330 
 Applying for Security Jobs Outside of Your Organization 331 
 Conclusion 335 
 Summary of Part III 339 
 Checklist of Security Activities for Each Phase of the SDLC 339 
 Appendix A Resources 343 
 Chapter 1: Introductory Security Fundamentals 343 
 Chapter 2: Beginning 344 
 Chapter 3: Improving 345 
 Chapter 4: Achieving 347 
 Chapter 5: Technology-Specific 349 
 Chapter 6: Popular Programming Languages 351 
 Chapter 7: Popular Frameworks 355 
 Chapter 8: Vulnerability Categories 357 
 Chapter 10: Design 359 
 Chapter 11: Coding 359 
 Chapter 12: Testing 359 
 Chapter 13: Release/Deployment 360 
 Chapter 14: Maintenance 360 
 Appendix B Answer Keys 361 
 Chapter 1: Introductory Security Fundamentals 361 
 Chapter 2: Beginning 363 
 Chapter 3: Improving 364 
 Chapter 4: Achieving 365 
 Chapter 5: Technology-Specific 368 
 Chapter 8: Vulnerability Categories 370 
 Chapter 9: Requirements 371 
 Chapter 11: Coding 372 
 Chapter 12: Testing 373 
 Chapter 13: Release/Deployment 374 
 Chapter 14: Maintenance 375 
 Index 377