Alice and Bob Learn Application Security

Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.

Foreword xxi

Introduction xxiii

Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1

Chapter 1 Security Fundamentals 3

The Security Mandate: CIA 3

Confidentiality 4

Integrity 5

Availability 5

Assume Breach 7

Insider Threats 8

Defense in Depth 9

Least Privilege 11

Supply Chain Security 11

Security by Obscurity 13

Attack Surface Reduction 14

Hard Coding 15

Never Trust, Always Verify 15

Usable Security 17

Factors of Authentication 18

Exercises 20

Chapter 2 Security Requirements 21

Requirements 22

Encryption 23

Never Trust System Input 24

Encoding and Escaping 28

Third-Party Components 29

Security Headers: Seatbelts for Web Apps 31

Security Headers in Action 32

X-XSS-Protection 32

Content-Security-Policy (CSP) 32

X-Frame-Options 35

X-Content-Type-Options 36

Referrer-Policy 36

Strict-Transport-Security (HSTS) 37

Feature-Policy 38

X-Permitted-Cross-Domain-Policies 39

Expect-CT 39

Public Key Pinning Extension for HTTP (HPKP) 41

Securing Your Cookies 42

The Secure Flag 42

The HttpOnly Flag 42

Persistence 43

Domain 43

Path 44

Same-Site 44

Cookie Prefixes 45

Data Privacy 45

Data Classification 45

Passwords, Storage, and Other Important Decisions 46

HTTPS Everywhere 52

TLS Settings 53

Comments 54

Backup and Rollback 54

Framework Security Features 54

Technical Debt = Security Debt 55

File Uploads 56

Errors and Logging 57

Input Validation and Sanitization 58

Authorization and Authentication 59

Parameterized Queries 59

URL Parameters 60

Least Privilege 60

Requirements Checklist 61

Exercises 63

Chapter 3 Secure Design 65

Design Flaw vs. Security Bug 66

Discovering a Flaw Late 67

Pushing Left 68

Secure Design Concepts 68

Protecting Sensitive Data 68

Never Trust, Always Verify/Zero Trust/Assume Breach 70

Backup and Rollback 71

Server-Side Security Validation 73

Framework Security Features 74

Security Function Isolation 74

Application Partitioning 75

Secret Management 76

Re-authentication for Transactions (Avoiding CSRF) 76

Segregation of Production Data 77

Protection of Source Code 77

Threat Modeling 78

Exercises 82

Chapter 4 Secure Code 83

Selecting Your Framework and Programming Language 83

Example #1 85

Example #2 85

Example #3 86

Programming Languages and Frameworks: The Rule 87

Untrusted Data 87

HTTP Verbs 89

Identity 90

Session Management 91

Bounds Checking 93

Authentication (AuthN) 94

Authorization (AuthZ) 96

Error Handling, Logging, and Monitoring 99

Rules for Errors 100

Logging 100

Monitoring 101

Exercises 103

Chapter 5 Common Pitfalls 105

OWASP 105

Defenses and Vulnerabilities Not Previously Covered 109

Cross-Site Request Forgery 110

Server-Side Request Forgery 112

Deserialization 114

Race Conditions 115

Closing Comments 117

Exercises 117

Part II What You Should Do to Create Very Good Code 119

Chapter 6 Testing and Deployment 121

Testing Your Code 121

Code Review 122

Static Application Security Testing (SAST) 123

Software Composition Analysis (SCA) 125

Unit Tests 126

Infrastructure as Code (IaC) and Security as Code (SaC) 128

Testing Your Application 129

Manual Testing 130

Browsers 131

Developer Tools 131

Web Proxies 132

Fuzzing 133

Dynamic Application Security Testing (DAST) 133

VA/Security Assessment/PenTest 135

Testing Your Infrastructure 141

Testing Your Database 141

Testing Your APIs and Web Services 142

Testing Your Integrations 143

Testing Your Network 144

Deployment 145

Editing Code Live on a Server 146

Publishing from an IDE 146

“Homemade” Deployment Systems 147

Run Books 148

Contiguous Integration/Continuous Delivery/Continuous Deployment 148

Exercises 149

Chapter 7 An AppSec Program 151

Application Security Program Goals 152

Creating and Maintaining an Application Inventory 153

Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153

Knowledge and Resources to Fix the Vulnerabilities 154

Education and Reference Materials 155

Providing Developers with Security Tools 155

Having One or More Security Activities During Each Phase of Your SDLC 156

Implementing Useful and Effective Tooling 157

An Incident Response Team That Knows When to Call You 157

Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159

Metrics 159

Experimentation 161

Feedback from Any and All Stakeholders 161

A Special Note on DevOps and Agile 162

Application Security Activities 162

Application Security Tools 164

Your Application Security Program 165

Exercises 166

Chapter 8 Securing Modern Applications and Systems 167

APIs and Microservices 168

Online Storage 171

Containers and Orchestration 172

Serverless 174

Infrastructure as Code (IaC) 175

Security as Code (SaC) 177

Platform as a Service (PaaS) 178

Infrastructure as a Service (IaaS) 179

Continuous Integration/Delivery/Deployment 180

Dev(Sec)Ops 180

DevSecOps 182

The Cloud 183

Cloud Computing 183

Cloud Native 184

Cloud Native Security 185

Cloud Workflows 185

Modern Tooling 186

IAST Interactive Application Security Testing 186

Runtime Application Security Protection 187

File Integrity Monitoring 187

Application Control Tools (Approved Software Lists) 187

Security Tools Created for DevOps Pipelines 188

Application Inventory Tools 188

Least Privilege and Other Policy Automation 189

Modern Tactics 189

Summary 191

Exercises 191

Part III Helpful Information on How to Continue to Create Very Good Code 193

Chapter 9 Good Habits 195

Password Management 196

Remove Password Complexity Rules 196

Use a Password Manager 197

Passphrases 198

Don’t Reuse Passwords 198

Do Not Implement Password Rotation 199

Multi-Factor Authentication 199

Incident Response 200

Fire Drills 201

Continuous Scanning 202

Technical Debt 202

Inventory 203

Other Good Habits 204

Policies 204

Downloads and Devices 204

Lock Your Machine 204

Privacy 205

Summary 206

Exercises 206

Chapter 10 Continuous Learning 207

What to Learn 208

Offensive = Defensive 208

Don’t Forget Soft Skills 208

Leadership != Management 209

Learning Options 209

Accountability 212

Create Your Plan 213

Take Action 214

Exercises 214

Learning Plan 216

Chapter 11 Closing Thoughts 217

Lingering Questions 218

When Have You Done Enough? 218

How Do You Get Management on Board? 220

How Do You Get Developers on Board? 221

Where Do You Start? 222

Where Do You Get Help? 223

Conclusion 223

Appendix A Resources 225

Introduction 225

Chapter 1: Security Fundamentals 225

Chapter 2: Security Requirements 226

Chapter 3: Secure Design 227

Chapter 4: Secure Code 228

Chapter 5: Common Pitfalls 228

Chapter 6: Testing and Deployment 229

Chapter 7: An AppSec Program 229

Chapter 8: Securing Modern Applications and Systems 230

Chapter 9: Good Habits 231

Chapter 10: Continuous Learning 231

Appendix B Answer Key 233

Chapter 1: Security Fundamentals 233

Chapter 2: Security Requirements 235

Chapter 3: Secure Design 236

Chapter 4: Secure Code 238

Chapter 5: Common Pitfalls 241

Chapter 6: Testing and Deployment 242

Chapter 7: An AppSec Program 244

Chapter 8: Securing Modern Applications and Systems 245

Chapter 9: Good Habits 247

Chapter 10: Continuous Learning 248

Index 249