97 Things Every Application Security Professional Should Know - Helion

ebook

Autor: Reet Kaur, Yabing Wang
ISBN: 9781098152130
stron: 310, Format: ebook
Data wydania: 2024-06-25
Księgarnia: Helion

Cena książki: 152,15 zł (poprzednio: 187,84 zł)
Oszczędzasz: 19% (-35,69 zł)

Osoby, które kupiły tę książkę, wybierały także »

As technology continues to advance and more business is conducted online, the potential attack surface increases exponentially and the need for strong application security measures become more and more crucial. This goes double for any organization that handles sensitive personal or financial information which is usually subject to government regulation. The consequences of a successful attack at the application level can be devastating for an organization, ranging from loss of revenue, to damaged reputation, to potential fines and other penalties.

This book also introduces you to:

What's considered application security and what security professionals should know
What developers or software engineers should know about common application vulnerabilities
How to design, develop, and test applications so that the application or software is able to defend against exploits and attacks
Ways to provide readers with fresh perspectives, various insights, and many practical ways to address cyber security related to application development

This advice can be applied in development for web, mobile, APIs or other software development, in different development languages, in waterfall and agile software development lifecycle (SDLC), and in the cloud.

Osoby które kupowały "97 Things Every Application Security Professional Should Know", wybierały także:

Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)
Od hierarchii do turkusu, czyli jak zarządzać w XXI wieku 58,64 zł, (12,90 zł -78%)

Spis treści

97 Things Every Application Security Professional Should Know eBook -- spis treści

Preface
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
I. Program & Practice
1. Secure Code for Tomorrows Technology
- Alyssa Columbus
2. Pragmatic Advice for Building an Application Security Program
- Andres Andreu
3. AppSec Must Lead
- Brook S.E. Schoenfield
4. Solving Problems for Application Security
- Caroline Wong
5. Securing Your Enterprise Applications
- Chadi Saliby
6. Developers as Partners in Application Security Strategy
- Christian Ghigliotty
7. Be an Awesome Sidekick
- Daniel Ting
  - Its About Them, Not You.
  - Balanced Priorities (and Constraints)
  - Easier Is Easier
8. Understanding the True Boundaries of Modern Applications
- Erkang Zheng
  - Components
  - Infrastructure
  - Ownership
  - The Foundation of Modern Cybersecurity
9. Common Best Practices in Application Security
- Laxmidhar V. Gaopande
  - Code Scanning and Reviews
  - Leverage AI for Better Detection and Automation
  - Build a Bug Bounty Program
10. AppSec Is a People ProblemNot a Technical One
- Mark S. Merkow
11. Empowering Application Security Professionals Through Cybersecurity Education
- Michael Bray
12. Why You Need a Practical Security Champions Program
- Michael Xin and Sandeep Kumar Singh
13. The Human Firewall: Combat Enemies by Improving Your Security-Oriented Culture
- Periklis Gkolias
  - Recognizing External Threats
  - Recognizing Insider Threats
  - Empowering Employees Through Education
  - Promoting Open Communication
  - Engaging Leadership
  - Conducting Regular Security Drills
  - Rewarding and Recognizing Secure Behavior
14. Shifting Everywhere in Application Security
- Sounil Yu
  - The Changing Landscape of Application Security
  - The Traditional Shift Left Paradigm
  - The Role of Infrastructure and Automation
  - Re-envisioning Application Security
15. Beyond Barriers: Navigating the Path to a Successful AppSec Program
- Yabing Wang
  - What Are the Core Components of the AppSec Program?
  - What Are the Success Factors of the AppSec Program?
II. Secure SDLC
16. Building an Application Security Preparation Mindset
- Andrew King
  - Mindset: How Can You Prepare?
  - Logging and Monitoring: Do You See What Happened?
  - Scope: Can You Do It All?
  - Best Practices: Can You Borrow from Others Experience?
17. How to Assess Security Mindset in Application Design
- Anuj Parekh
18. Getting Your Application Ready for the Enterprise
- Ayman Elsawah
  - Enterprise Single Sign-On
    - Roles and Access Controls
    - Audit Logging
19. Reductio Ad Applicationem Securitatis
- Darryle Merlette
  - Read
  - Write
  - Change
20. Automating the Risk Calculation of Modern Applications
- Erkang Zheng
  - Design and Business Context
  - Technology Implementation and Operations
  - Maturity of Team and Process
21. A Coordinated Approach to a Successful DevSecOps Program
- Han Lievens
22. What Makes Someone a Developer?
- Helen Umberger
23. Total AppSec
- Hussain Syed
24. Youre More Than Your Job
- Izar Tarandach
25. TAP Into the Potential of a Great SSDLC Program with Automation
- Jyothi Charyulu
  - Think
  - Act
  - Persevere
26. Vulnerability Researcher to Software Developer: The Other Side of the Coin
- Larry W. Cashdollar
27. Strategies for Adding Security Rituals to an Existing SDLC
- Laura Bell Main
  - You Cant Change What You Dont Understand
  - Start with Experiments, Not Solutions
  - Create a Rollout Plan with the Engineering Team
  - Collaboration Is the Key
28. Challenges and Considerations for Securing Serverless Applications
- Manasés Jesús
29. Using Offensive Security to Defend Your Application
- Nathaniel Shere
  - Helpful Response Messages
  - API Endpoints
  - Administrative Features
30. Beyond No: The Modern Paradigm of Developer-Centric Application Security
- Nielet Dmello
31. Security Paved Roads
- Nielet Dmello
  - What Are Security Paved Roads?
  - How to Decide What Security Paved Roads Are Needed?
  - Adoption and Effectiveness
  - Product-Centric Approach and Feedback Loops
  - Conclusion
32. AppSec in the Cloud Era
- Sandeep Kumar Singh
  - Learn Shared Responsibility Model
  - Secure Configurations
  - Continuous Logging and Monitoring
  - Data Protection in Multitenant Environments
  - Adopt Cloud Security Services
  - Conclusion
33. Code Provenance for DevSecOps
- Yashvier Kosaraju
III. Data Security & Privacy
34. Will Passwordless Authentication Save Your Application?
- Aldo Salas
  - Passwordless and WebAuthn
  - Passwordless Pros and Cons
  - Passwordless Vulnerabilities
  - Other Recommendations
35. Securing Your Databases: The Importance of Proper Access Controls and Audits
- Dave Stokes
36. DataSecOps: Security in Data Products
- Diogo Miyake
37. Data Security Code and Tests
- Diogo Miyake
38. Data Security Starts with Good Governance
- Lauren Maffeo
39. Protect Sensitive Data in Modern Applications
- Louisa Wang
  - Learn Key Management
  - Security Needs During the Data Life Cycle Vary
  - Design and Implement a Combination of Technical and Administrative Controls
  - Insights and Security Recommendations
40. Leverage Data-Flow Analysis in Your Security Practices
- Manuel Walder
41. Embracing a Practical Privacy Paradigm Shift in App Development
- Maria Nichole Schwenger
  - The Paradox of Privacy and Innovation in Data Security
  - Reconceptualizing Data Ownership
  - Leveraging Privacy-Enhancing Technologies
  - Transparency and Informed Consent
  - Data Minimization and Purpose Limitation
  - Exploring Decentralized Data Storage
  - Data Privacy as a Competitive Advantage
  - In a Nutshell
42. Quantum-Safe Encryption Algorithms
- Rakesh Kulkarni
43. Application Integration Security
- Sausan Yazji
IV. Code Scanning & Testing
44. Modern Approach to Software Composition Analysis: Call Graph and Runtime SCA
- Aruneesh Salhotra
  - Traditional Approach to SCA
  - Modern Approach to Manage Open Source Risks
    - Call Graphs
  - Runtime SCA
  - Summary
45. Application Security Testing
- David Lindner
  - Static Application Security Testing
  - Dynamic Application Security Testing
  - Interactive Application Security Testing
46. WAF and RASP
- David Lindner
  - Web Application Firewalls
  - Runtime Application Self-Protection
47. Zero Trust Software Architecture
- Jacqueline Pitter
48. Rethinking Ethics in Application Security: Toward a Sustainable Digital Future
- Pragat Patel
49. Modern WAF Deployment and Management Paradigms
- Raj Badhwar
  - On Premises WAF Infrastructure for Hybrid Cloud
  - Cloud Native WAF Infrastructure for the Public Cloud
  - Managed WAF Services
50. Do You Need Manual Penetration Testing?
- Shawn Evans
51. Bash Your Head
- Shawn Evans
52. Exploring Application Security Through Static Analysis
- Tanya Janca
53. Introduction to CI/CD Pipelines and Associated Risks
- Tyler Young
V. Vulnerability Management
54. Demystifying Bug Bounty Programs
- Aldo Salas
  - Preparing the Test Environment
  - Testing in Production
  - Recommendations
55. EPSS: A Modern Approach to Vulnerability Management
- Aruneesh Salhotra
  - Traditional Approaches Are Dated
  - The World of EPSS
  - Key Aspects of EPSS
56. Navigating the Waters of Vulnerability Management
- Luis Arzu
  - Understanding the Dynamic Landscape
  - Prioritization: The Art of Decision Making
  - Building Collaborative Relationships
  - Leveraging Robust Vulnerability Management Solutions
  - Conclusion
57. Safeguarding the Digital Nexus: Top 25 Parameters to Vulnerability Frequency
- Lütfü Mert Ceylan
  - Exploring Vulnerability Categories: A Profound Expedition to Parameter Frequencies
  - Empowering with Knowledge: The Path Forward
58. Unveiling Paths to Account Takeover: Web Cache to XSS Exploitation
- Lütfü Mert Ceylan
  - Discovery of Vulnerability
  - But What Is Reflected XSS Vulnerability?
  - Amplification Through Web Cache Exploitation
  - The Genesis of Account Takeover
  - Exploiting the Dynamics of Web Cache Poisoning
  - Mitigation and Beyond
59. Sometimes the Smallest Risks Can Cause the Greatest Destruction
- Lütfü Mert Ceylan
60. Effective Vulnerability Remediation Using EPSS
- Reet Kaur
61. Bug BountyShift Everywhere
- Sean Poris
VI. Software Supply Chain
62. Integrating Security into Open Source Dependencies
- Alyssa Columbus
  - Selecting Secure Open Source Libraries
  - Auditing and Hardening Open Source Dependencies
  - Staying Current with Vulnerability Management
  - Making Open Source Security a Priority
63. Supplier Relationship Management to Reduce Software Supply Chain Security Risk
- Cassie Crossley
64. Fortifying Open Source AI/ML Libraries: Garden of Security in Software Supply Chain
- Chloé Messdaghi
  - Dependency Scanning
  - CI/CD for AI and ML
  - Software Bill of Materials
  - Auditing and Verification
  - Community Collaboration
65. SBOM: Transparent, Sustainable Compliance
- Karen Walsh
  - Building Transparency
  - Designing Sustainably
  - Developing Compliantly
  - The Future of Secure, Compliant Application Ecosystem
66. Secure the Software Supply Chain Through Transparency
- Niels Tanis
67. Unlock the Secrets to Open Source Software Security
- Travis Felder
  - Invisible Open Source Software
  - Establishing an OSS Program
  - Open Source Software Security Pro Tips
  - Common Open Source Software Security Mistakes to Avoid
68. Leverage SBOMs to Enhance Your SSDLC
- Viraj Gandhi
VII. Threat Modeling
69. Learn to Threat Model
- Adam Shostack, Matthew Coles, and Izar Tarandach
70. Understanding OWASP Insecure Design and Unmasking Toxic Combinations
- Idan Plotnik
  - Understand the Implications of Insecure Design
  - Unmask the Toxic Combinations in Application Security
71. The Right Way to Threat Model
- Josh Brown
72. Attack Models in SSDLC
- Vinay Venkatesh
VIII. Threat Intelligence & Incident Response
73. In Denial of Your Services
- Allen West
74. Sifting for Botnets
- Allen West
75. Incident Response for Credential Stuffing Attacks
- Fayyaz Rajpari
76. Advanced Threat Intelligence Capabilities for Enhanced Application Security Defense
- Michael Freeman
IX. Mobile Security
77. Mobile Security: Domain and Best Practices
- Aruneesh Salhotra
  - Fundamentals
  - Supercharging Your CI/CD Pipeline with Security
  - Navigating Privacy Concerns in Mobile Application Development
78. Mobile Application Security Using Containerization
- Reet Kaur
X. API Security
79. API Security: JWE Encryption for Native Data Protection
- Andres Andreu
80. APIs Are Windows to the Soul
- Brook S.E. Schoenfield
  - Risks
  - Defenses
  - Access Management
  - Input Validation
81. API Security: The Bedrock of Modern Applications
- Charan Akiri
82. API Security Primer: Visibility
- Chenxi Wang
  - Visibility and Inventory
83. API Security Primer: Risk Assessment, Monitoring, and Detection
- Chenxi Wang
84. API Security Primer: Control and Management
- Chenxi Wang
XI. AI Security & Automation
85. LLMs Revolutionizing Application Security: Unleashing the Power of AI
- Alexander James Wold
  - LLMs and Static Application Security Testing
  - LLMs and Predictive Threat Hunting
  - Unique Advancement: LLMs and Intelligent Security Patching
  - Challenges and Considerations
  - Conclusion
86. Mitigating Bias and Unfairness in AI-Based Applications
- Angelica Lo Duca
  - Collaborate with Domain Experts
  - Improve Data Quality
  - Perform User Testing
87. Secure Development with Generative AI
- Heather Hinton
88. Managing the Risks of ChatGPT Integration
- Josh Brown
89. Automation, Automation, and Automation for AppSec
- Michael Xin
90. Will Generative and LLM Solve a 20-Year-Old Problem in Application Security?
- Neatsun Ziv
91. Understand the Risks of Using AI in Application Development
- Yasir Ali
  - Main Risk Categories and Recent Incidents
  - Major Threat Vectors from LLM
  - Key Risks in the SDLC
  - Legal Concerns
  - LLM Concerns and Software Supply Chain Impact
  - Increased Supply Chain Risks
  - Remediative Controls
XII. IoT & Embedded System Security
92. Secure Code for Embedded Systems
- Jason Sinchak
  - Coding
    - Injection
    - Memory Corruption
  - Third-Party Code
93. Platform Security for Embedded Systems
- Jason Sinchak
  - Maintaining Data Security
  - Secure Firmware Updates
  - Attack Surface Reduction
  - Secure Communications
94. Application Identity for Embedded Systems
- Jason Sinchak
95. Top Five Hacking Methods for IoT Devices
- Manasés Jesús
  - The Trojan Horse
  - The Man-in-the-Middle
  - The Zero-Day Exploit
  - The Brute Force Attack
  - The Denial-of-Service (DoS) Attack
96. Securing IoT Applications
- Manasés Jesús
97. Application Security in CyberPhysical Systems
- Yaniv Vardi
About the Editors
- Reet Kaur
- Yabing Wang
Contributors
- Adam Shostack
- Aldo Salas
- Alexander James Wold
- Allen West
- Alyssa Columbus
- Andres Andreu
- Andrew King
- Angelica Lo Duca
- Anuj Parekh
- Aruneesh Salhotra
- Ayman Elsawah
- Brook S.E. Schoenfield
- Caroline Wong
- Cassie Crossley
- Chadi Saliby
- Charan Akiri
- Chenxi Wang
- Chloé Messdaghi
- Christian Ghigliotty
- Daniel Ting
- Darryle Merlette
- David Lindner
- David Stokes
- Diogo Miyake
- Erkang Zheng
- Fayyaz Rajpari
- Han Lievens
- Heather Hinton
- Helen Umberger
- Hussain Syed
- Idan Plotnik
- Izar Tarandach
- Jacqueline Pitter
- Jason Sinchak
- Josh Brown
- Jyothi Charyulu
- Karen Walsh
- Larry W. Cashdollar
- Laura Bell Main
- Lauren Maffeo
- Laxmidhar V. Gaopande
- Louisa Wang
- Luis Arzu
- Lütfü Mert Ceylan
- Manasés Jesús
- Manuel Walder
- Maria Nichole Schwenger
- Mark S. Merkow
- Matthew Coles
- Michael Bray
- Michael Freeman
- Michael Xin
- Nathaniel Shere
- Neatsun Ziv
- Nielet Dmello
- Niels Tanis
- Periklis Gkolias
- Pragat Patel
- Raj Badhwar
- Rakesh Kulkarni
- Sandeep Kumar Singh
- Sausan Yazji
- Sean Poris
- Shawn Evans
- Sounil Yu
- Tanya Janca
- Travis Felder
- Tyler Young
- Vinay Venkatesh
- Viraj Gandhi
- Yaniv Vardi
- Yashvier Kosaraju
- Yasir Ali