Sie sind bereits eingeloggt. Klicken Sie auf 2. tolino select Abo, um fortzufahren.
Bitte loggen Sie sich zunächst in Ihr Kundenkonto ein oder registrieren Sie sich bei bücher.de, um das eBook-Abo tolino select nutzen zu können.
Unlock the power of secure coding with this straightforward and approachable guide! Discover a game-changing resource that caters to developers of all levels with Alice and Bob Learn Secure Coding. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as…mehr
Unlock the power of secure coding with this straightforward and approachable guide!
Discover a game-changing resource that caters to developers of all levels with Alice and Bob Learn Secure Coding. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as Angular, .Net, and React. Uncover the secrets to combatting vulnerabilities by securing your code from the ground up!
Topics include:
Secure coding in Python, Java, Javascript, C/C++, SQL, C#, PHP, and more
Security for popular frameworks, including Angular, Express, React, .Net, and Spring
Security Best Practices for APIs, Mobile, Web Sockets, Serverless, IOT, and Service Mesh
Major vulnerability categories, how they happen, the risks, and how to avoid them
The Secure System Development Life Cycle, in depth
Threat modeling, testing, and code review
The agnostic fundamentals of creating secure code that apply to any language or framework
Alice and Bob Learn Secure Coding is designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals. Immerse yourself in practical examples and concrete applications that will deepen your understanding and retention of critical security principles.
Alice and Bob Learn Secure Coding illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within. Don't miss this opportunity to strengthen your knowledge; let Alice and Bob guide you to a secure and successful coding future.
Dieser Download kann aus rechtlichen Gründen nur mit Rechnungsadresse in D ausgeliefert werden.
Die Herstellerinformationen sind derzeit nicht verfügbar.
Inhaltsangabe
Foreword xxvii Introduction xxix Part I General Advice 1 Chapter 1 Introductory Security Fundamentals 3 Assume All Other Systems and Data Are Insecure 3 The CIA Triad 4 Least Privilege 6 Secure Defaults/Paved Roads 8 Assume Breach / Plan For Failure 9 Zero Trust 9 Defense in Depth 10 Supply Chain Security 10 Security by Obscurity 11 Attack Surface Reduction 11 Usable Security 12 Fail Closed/Safe, Then Roll Back 12 Compliance, Laws, and Regulations 12 Security Frameworks 14 Learning from Mistakes and Sharing Those Lessons 16 Backward Compatibility (and Potential Risks It Introduces) 16 Threat Modeling 16 The Difficulty of Patching 17 Retesting Fixes for New Security Bugs 18 Chapter Exercises 19 Chapter 2 Beginning 21 Follow a Secure System Development Life Cycle 21 Use a Modern Framework and All Available Security Features Within 22 Input Validation 23 Output Encoding 26 Examples of Output Encoding 27 HTML Context 28 JavaScript Context 28 Parameterized Queries and ORMs 29 Authentication and Identity 31 Authorization and Access Control 32 Access Control Models 33 Logical Access Control Methods (Implementation) 34 Session Management 34 Secret Management 35 Password Management 37 Communication Security (Cryptography and HTTPS Only) 39 Protecting Sensitive Data 40 Security Headers 43 New Security Header Features 43 Fetch Metadata Request Headers 43 Content Security Policy Header 44 Strict-Dynamic 44 Trusted-Types 44 Security Headers Previously Covered 44 Content-Security-Policy Header 45 HTTP Strict-Transport-Security 45 X-Frame-Options 45 X-Content-Type-Options 45 Permissions Policy 46 Expect-CT 46 Referrer-Policy 46 Public Key Pinning Extension for HTTP (HPKP) 46 X-XSS-Protection 46 More New Headers 46 Same-Origin Policy 47 COEP: Cross-Origin Embedder Policy 47 COOP: Cross-Origin Opener Policy 48 CORP: Cross-Origin Resource Policy 48 CORS: Cross-Origin Resource Sharing 48 CORB: Cross-Origin Read Blocking 49 Secure Cookies 50 Error Handling 51 Chapter Exercises 52 Chapter 3 Improving 55 Database Security 56 Four Perspectives for Protecting Databases 56 File Management 59 File Uploads 61 Your Source Code 62 Memory Management (Buffer, Stack, String, and Integer Overflows) 63 How Do We Avoid Overflows? 64 (De)Serialization 66 Privacy (User/Citizen/Customer/Employee) 67 Errors 69 Logging, Monitoring, and Alerting 72 Fail Closed 73 Locking Resources 73 Enabling Password Managers 74 Cryptographic Practices 75 Strongly Typed Languages 76 Strongly Typed Languages 76 Weakly Typed Programming Languages 77 Domain-Driven Development 78 Memory-Safe Languages 79 Chapter Exercises 80 Chapter 4 Achieving 81 Secure Design 82 How much is "enough" (design) security? 84 Dependency Management and Supply Chain Security 85 Dependency Security 86 Checking If Dependencies Are Safe to Use 87 Supply Chain Security 87 Secure Defaults 90 Secure Defaults for Users 90 Secure Defaults for Developers 92 Readable and Auditable Code 93 Important Functions Happen on Trusted Systems 96 What Is an "Untrusted" System? 96 What Are "Important Functions"? 97 Putting It Together 97 Allowlists versus Blocklists 97 Why Are Block Lists Bad? 98 How Do We Create an Allowlist? 98 Secure Configurations 99 Hostname Validation 100 Reusable Code 100 Safe System Calls 102 Mitigating Circumstances 102 Commenting and Other Documentation 102 Comments 103 Documentation 104 Verification of User Consent 106 Integrity Checks, Code Signing, and Immutable Builds 107 Immutable Builds 108 Avoiding Brute Force 109 Security Controls 110 Handling Elevated Privileges 111 Security Maintenance 112 Repaying Technical Debt 113 Chapter Exercises 114 Summary of Part I 117 Checklist of General Secure Coding Advice 117 Part II Specific Advice 125 Chapter 5 Technology-Specific 127 API Security Best Practices 127 Mobile Application Security Best Practices 134 WebSocket Security Best Practices 137 Serverless Security Best Practices 138 IoT Security Best Practices 140 Chapter Exercises 141 Chapter 6 Popular Programming Languages 143 JavaScript 143 Html/css 148 HTML5, Specifically 149 Python 151 Sql 154 Node.js 157 Java 160 Serialization in Java 164 TypeScript 165 C# 166 Php 170 C/c++ 175 Conclusion 178 Chapter Exercises 179 Chapter 7 Popular Frameworks 181 Web and JavaScript 181 Express 182 React.js 184 Angular 186 jQuery 190 Vue.js 192 Other Frameworks and Libraries 194 .NET (Core) 194 RubyonRails 199 Spring and Spring Boot 204 Flask 207 Chapter Exercises 210 Chapter 8 Vulnerability Categories 211 Design Flaws / Logic Flaws 212 How Does This Happen? 213 The Risk 213 Prevention 214 Code Bugs / Implementation Errors 215 How Does This Happen? 215 The Risk 215 Prevention 215 Overflows and Other Memory Issues 216 Overflows 216 Buffer Overreads 217 Invalid Page Faults 217 Use After Free 218 Uninitialized Variables 218 Memory Leaks 218 How Does This Happen? 219 The Risk 219 Prevention 219 Injection: Interpreter and Compiler Issues 220 How Does This Happen? 221 The Risk 221 Prevention 221 Input Issues 222 How Does This Happen? 223 The Risk 223 Prevention 223 Authentication and Identity Issues 223 How Does This Happen? 224 The Risk 224 Prevention 224 Authorization and Access Issues 225 How Does This Happen? 225 Configuration and Implementation Issues 225 How Does This Happen? 226 The Risk 226 Prevention 226 Fraudulent Transactions 227 How Does This Happen? 227 The Risk 227 Prevention 228 Replay Attacks 228 How Does This Happen? 228 The Risk 229 Prevention 229 Crossing Trust Boundaries 229 How Does This Happen? 230 The Risk 230 Prevention 230 File Handling Issues 230 How Does This Happen? 231 The Risk 231 Prevention 231 Object Handling Issues 232 Prominent Features of OOP 232 Deserialization and Other Object Handling Issues 234 How Does This Happen? 234 The Risk 234 Prevention 234 Secrets Management Issues 235 How Does This Happen? 236 The Risk 236 Prevention 236 Race Conditions and Timing Issues 237 How Does This Happen? 237 The Risk 238 Prevention 238 Resource Issues 240 How Does This Happen? 240 The Risk 241 Prevention 241 Falling into an Unknown State 241 How Does This Happen? 242 The Risk 242 Prevention 242 Chapter Exercises 243 Summary of Part II 245 Checklist of Technology-Specific Secure Coding Advice 245 Checklist of Secure Coding Advice for Languages and Frameworks 246 Summary of Vulnerability Issues to Watch For 248 Part III Secure System Development Life Cycle 251 Chapter 9 Requirements 253 Project Kick-Off: Outline of Your Project's Security Activities 253 Project Scheduling and Planning 254 Security Requirements 255 Chapter Exercises 257 Chapter 10 Design 259 Threat Modeling 260 Secure Design Patterns and Concepts 262 Architecture Whiteboarding 263 Examining Data Flows 263 Security User Stories 264 Chapter Exercises 265 Chapter 11 Coding 267 Training 267 Organizations 269 Individuals 270 Code Review 270 First- and Second-Generation Static Analysis Tools 271 Secure Guardrails 272 IDE Plugins and Other Guidance 273 Verifying That Your Dependencies Are Safe (SCA) 274 How Do You Decide Which Dependencies Are Worth Updating or Changing? 274 Finding and Managing Secrets 275 Dynamic Testing (DAST) 276 Chapter Exercises 278 Chapter 12 Testing 279 Test Coverage and Timing 280 Depth Versus Coverage 281 Scanning Your Infrastructure 281 Production or Lower-Level Environments 281 Scoping 282 Timing 282 Manual Testing 284 Automated Testing 286 Fuzzing 287 Interactive Application Security Testing (IAST) 288 Bug Bounty Programs 289 Test Results 290 Actioning Test Results 291 Final Thoughts 293 Chapter Exercises 293 Chapter 13 Release/Deployment 295 Security Events Within the CI/CD 296 Breaking the Build 297 Secret Scanning 298 Static Analysis 298 Dynamic Analysis 298 Software Composition Analysis 299 Linting 299 Infrastructure as Code scanners 299 Securing the CI/CD Pipeline Itself 299 Assuring the Integrity of Your Release 302 Security Release Approval 303 Chapter Exercises 304 Chapter 14 Maintenance 305 Monitoring, Alerting, and Observability 306 Blocking/Shielding 308 Web Application Firewalls (WAFs) 309 Content Delivery Networks (CDNs) 309 Runtime Application Self-Protection (RASP) 310 Virtual Patching 310 API Gateways 310 A Special Note for Data Scientists 311 Continuous Testing 312 Security Incidents 313 Business Continuity and Disaster Recovery Planning 315 Chapter Exercises 317 Chapter 15 Conclusion 319 Good Habits 319 Your Responsibility 322 How Much Is Enough? 323 Using Artificial Intelligence Safely 325 Continuous Learning 327 Becoming a Champion 328 Getting Others on Board 330 Transitioning onto the Security Team 330 Applying for Security Jobs Outside of Your Organization 331 Conclusion 335 Summary of Part III 339 Checklist of Security Activities for Each Phase of the SDLC 339 Appendix A Resources 343 Chapter 1: Introductory Security Fundamentals 343 Chapter 2: Beginning 344 Chapter 3: Improving 345 Chapter 4: Achieving 347 Chapter 5: Technology-Specific 349 Chapter 6: Popular Programming Languages 351 Chapter 7: Popular Frameworks 355 Chapter 8: Vulnerability Categories 357 Chapter 10: Design 359 Chapter 11: Coding 359 Chapter 12: Testing 359 Chapter 13: Release/Deployment 360 Chapter 14: Maintenance 360 Appendix B Answer Keys 361 Chapter 1: Introductory Security Fundamentals 361 Chapter 2: Beginning 363 Chapter 3: Improving 364 Chapter 4: Achieving 365 Chapter 5: Technology-Specific 368 Chapter 8: Vulnerability Categories 370 Chapter 9: Requirements 371 Chapter 11: Coding 372 Chapter 12: Testing 373 Chapter 13: Release/Deployment 374 Chapter 14: Maintenance 375 Index 377
Foreword xxvii Introduction xxix Part I General Advice 1 Chapter 1 Introductory Security Fundamentals 3 Assume All Other Systems and Data Are Insecure 3 The CIA Triad 4 Least Privilege 6 Secure Defaults/Paved Roads 8 Assume Breach / Plan For Failure 9 Zero Trust 9 Defense in Depth 10 Supply Chain Security 10 Security by Obscurity 11 Attack Surface Reduction 11 Usable Security 12 Fail Closed/Safe, Then Roll Back 12 Compliance, Laws, and Regulations 12 Security Frameworks 14 Learning from Mistakes and Sharing Those Lessons 16 Backward Compatibility (and Potential Risks It Introduces) 16 Threat Modeling 16 The Difficulty of Patching 17 Retesting Fixes for New Security Bugs 18 Chapter Exercises 19 Chapter 2 Beginning 21 Follow a Secure System Development Life Cycle 21 Use a Modern Framework and All Available Security Features Within 22 Input Validation 23 Output Encoding 26 Examples of Output Encoding 27 HTML Context 28 JavaScript Context 28 Parameterized Queries and ORMs 29 Authentication and Identity 31 Authorization and Access Control 32 Access Control Models 33 Logical Access Control Methods (Implementation) 34 Session Management 34 Secret Management 35 Password Management 37 Communication Security (Cryptography and HTTPS Only) 39 Protecting Sensitive Data 40 Security Headers 43 New Security Header Features 43 Fetch Metadata Request Headers 43 Content Security Policy Header 44 Strict-Dynamic 44 Trusted-Types 44 Security Headers Previously Covered 44 Content-Security-Policy Header 45 HTTP Strict-Transport-Security 45 X-Frame-Options 45 X-Content-Type-Options 45 Permissions Policy 46 Expect-CT 46 Referrer-Policy 46 Public Key Pinning Extension for HTTP (HPKP) 46 X-XSS-Protection 46 More New Headers 46 Same-Origin Policy 47 COEP: Cross-Origin Embedder Policy 47 COOP: Cross-Origin Opener Policy 48 CORP: Cross-Origin Resource Policy 48 CORS: Cross-Origin Resource Sharing 48 CORB: Cross-Origin Read Blocking 49 Secure Cookies 50 Error Handling 51 Chapter Exercises 52 Chapter 3 Improving 55 Database Security 56 Four Perspectives for Protecting Databases 56 File Management 59 File Uploads 61 Your Source Code 62 Memory Management (Buffer, Stack, String, and Integer Overflows) 63 How Do We Avoid Overflows? 64 (De)Serialization 66 Privacy (User/Citizen/Customer/Employee) 67 Errors 69 Logging, Monitoring, and Alerting 72 Fail Closed 73 Locking Resources 73 Enabling Password Managers 74 Cryptographic Practices 75 Strongly Typed Languages 76 Strongly Typed Languages 76 Weakly Typed Programming Languages 77 Domain-Driven Development 78 Memory-Safe Languages 79 Chapter Exercises 80 Chapter 4 Achieving 81 Secure Design 82 How much is "enough" (design) security? 84 Dependency Management and Supply Chain Security 85 Dependency Security 86 Checking If Dependencies Are Safe to Use 87 Supply Chain Security 87 Secure Defaults 90 Secure Defaults for Users 90 Secure Defaults for Developers 92 Readable and Auditable Code 93 Important Functions Happen on Trusted Systems 96 What Is an "Untrusted" System? 96 What Are "Important Functions"? 97 Putting It Together 97 Allowlists versus Blocklists 97 Why Are Block Lists Bad? 98 How Do We Create an Allowlist? 98 Secure Configurations 99 Hostname Validation 100 Reusable Code 100 Safe System Calls 102 Mitigating Circumstances 102 Commenting and Other Documentation 102 Comments 103 Documentation 104 Verification of User Consent 106 Integrity Checks, Code Signing, and Immutable Builds 107 Immutable Builds 108 Avoiding Brute Force 109 Security Controls 110 Handling Elevated Privileges 111 Security Maintenance 112 Repaying Technical Debt 113 Chapter Exercises 114 Summary of Part I 117 Checklist of General Secure Coding Advice 117 Part II Specific Advice 125 Chapter 5 Technology-Specific 127 API Security Best Practices 127 Mobile Application Security Best Practices 134 WebSocket Security Best Practices 137 Serverless Security Best Practices 138 IoT Security Best Practices 140 Chapter Exercises 141 Chapter 6 Popular Programming Languages 143 JavaScript 143 Html/css 148 HTML5, Specifically 149 Python 151 Sql 154 Node.js 157 Java 160 Serialization in Java 164 TypeScript 165 C# 166 Php 170 C/c++ 175 Conclusion 178 Chapter Exercises 179 Chapter 7 Popular Frameworks 181 Web and JavaScript 181 Express 182 React.js 184 Angular 186 jQuery 190 Vue.js 192 Other Frameworks and Libraries 194 .NET (Core) 194 RubyonRails 199 Spring and Spring Boot 204 Flask 207 Chapter Exercises 210 Chapter 8 Vulnerability Categories 211 Design Flaws / Logic Flaws 212 How Does This Happen? 213 The Risk 213 Prevention 214 Code Bugs / Implementation Errors 215 How Does This Happen? 215 The Risk 215 Prevention 215 Overflows and Other Memory Issues 216 Overflows 216 Buffer Overreads 217 Invalid Page Faults 217 Use After Free 218 Uninitialized Variables 218 Memory Leaks 218 How Does This Happen? 219 The Risk 219 Prevention 219 Injection: Interpreter and Compiler Issues 220 How Does This Happen? 221 The Risk 221 Prevention 221 Input Issues 222 How Does This Happen? 223 The Risk 223 Prevention 223 Authentication and Identity Issues 223 How Does This Happen? 224 The Risk 224 Prevention 224 Authorization and Access Issues 225 How Does This Happen? 225 Configuration and Implementation Issues 225 How Does This Happen? 226 The Risk 226 Prevention 226 Fraudulent Transactions 227 How Does This Happen? 227 The Risk 227 Prevention 228 Replay Attacks 228 How Does This Happen? 228 The Risk 229 Prevention 229 Crossing Trust Boundaries 229 How Does This Happen? 230 The Risk 230 Prevention 230 File Handling Issues 230 How Does This Happen? 231 The Risk 231 Prevention 231 Object Handling Issues 232 Prominent Features of OOP 232 Deserialization and Other Object Handling Issues 234 How Does This Happen? 234 The Risk 234 Prevention 234 Secrets Management Issues 235 How Does This Happen? 236 The Risk 236 Prevention 236 Race Conditions and Timing Issues 237 How Does This Happen? 237 The Risk 238 Prevention 238 Resource Issues 240 How Does This Happen? 240 The Risk 241 Prevention 241 Falling into an Unknown State 241 How Does This Happen? 242 The Risk 242 Prevention 242 Chapter Exercises 243 Summary of Part II 245 Checklist of Technology-Specific Secure Coding Advice 245 Checklist of Secure Coding Advice for Languages and Frameworks 246 Summary of Vulnerability Issues to Watch For 248 Part III Secure System Development Life Cycle 251 Chapter 9 Requirements 253 Project Kick-Off: Outline of Your Project's Security Activities 253 Project Scheduling and Planning 254 Security Requirements 255 Chapter Exercises 257 Chapter 10 Design 259 Threat Modeling 260 Secure Design Patterns and Concepts 262 Architecture Whiteboarding 263 Examining Data Flows 263 Security User Stories 264 Chapter Exercises 265 Chapter 11 Coding 267 Training 267 Organizations 269 Individuals 270 Code Review 270 First- and Second-Generation Static Analysis Tools 271 Secure Guardrails 272 IDE Plugins and Other Guidance 273 Verifying That Your Dependencies Are Safe (SCA) 274 How Do You Decide Which Dependencies Are Worth Updating or Changing? 274 Finding and Managing Secrets 275 Dynamic Testing (DAST) 276 Chapter Exercises 278 Chapter 12 Testing 279 Test Coverage and Timing 280 Depth Versus Coverage 281 Scanning Your Infrastructure 281 Production or Lower-Level Environments 281 Scoping 282 Timing 282 Manual Testing 284 Automated Testing 286 Fuzzing 287 Interactive Application Security Testing (IAST) 288 Bug Bounty Programs 289 Test Results 290 Actioning Test Results 291 Final Thoughts 293 Chapter Exercises 293 Chapter 13 Release/Deployment 295 Security Events Within the CI/CD 296 Breaking the Build 297 Secret Scanning 298 Static Analysis 298 Dynamic Analysis 298 Software Composition Analysis 299 Linting 299 Infrastructure as Code scanners 299 Securing the CI/CD Pipeline Itself 299 Assuring the Integrity of Your Release 302 Security Release Approval 303 Chapter Exercises 304 Chapter 14 Maintenance 305 Monitoring, Alerting, and Observability 306 Blocking/Shielding 308 Web Application Firewalls (WAFs) 309 Content Delivery Networks (CDNs) 309 Runtime Application Self-Protection (RASP) 310 Virtual Patching 310 API Gateways 310 A Special Note for Data Scientists 311 Continuous Testing 312 Security Incidents 313 Business Continuity and Disaster Recovery Planning 315 Chapter Exercises 317 Chapter 15 Conclusion 319 Good Habits 319 Your Responsibility 322 How Much Is Enough? 323 Using Artificial Intelligence Safely 325 Continuous Learning 327 Becoming a Champion 328 Getting Others on Board 330 Transitioning onto the Security Team 330 Applying for Security Jobs Outside of Your Organization 331 Conclusion 335 Summary of Part III 339 Checklist of Security Activities for Each Phase of the SDLC 339 Appendix A Resources 343 Chapter 1: Introductory Security Fundamentals 343 Chapter 2: Beginning 344 Chapter 3: Improving 345 Chapter 4: Achieving 347 Chapter 5: Technology-Specific 349 Chapter 6: Popular Programming Languages 351 Chapter 7: Popular Frameworks 355 Chapter 8: Vulnerability Categories 357 Chapter 10: Design 359 Chapter 11: Coding 359 Chapter 12: Testing 359 Chapter 13: Release/Deployment 360 Chapter 14: Maintenance 360 Appendix B Answer Keys 361 Chapter 1: Introductory Security Fundamentals 361 Chapter 2: Beginning 363 Chapter 3: Improving 364 Chapter 4: Achieving 365 Chapter 5: Technology-Specific 368 Chapter 8: Vulnerability Categories 370 Chapter 9: Requirements 371 Chapter 11: Coding 372 Chapter 12: Testing 373 Chapter 13: Release/Deployment 374 Chapter 14: Maintenance 375 Index 377
Es gelten unsere Allgemeinen Geschäftsbedingungen: www.buecher.de/agb
Impressum
www.buecher.de ist ein Internetauftritt der buecher.de internetstores GmbH
Geschäftsführung: Monica Sawhney | Roland Kölbl | Günter Hilger
Sitz der Gesellschaft: Batheyer Straße 115 - 117, 58099 Hagen
Postanschrift: Bürgermeister-Wegele-Str. 12, 86167 Augsburg
Amtsgericht Hagen HRB 13257
Steuernummer: 321/5800/1497
USt-IdNr: DE450055826
