Buch, Englisch, 380 Seiten, Format (B × H): 155 mm x 235 mm
Guiding Principles for Surviving a Cyber Attack
Buch, Englisch, 380 Seiten, Format (B × H): 155 mm x 235 mm
ISBN: 978-1-4842-3666-6
Verlag: APress
Use the best practices taught in this book to defend your application against future attack patterns. You also will learn about other equally critical means of securing your application, including validation logic, threat modeling, authentication, authorization, and much more.
This book covers the role that.NET developers play when it comes to security. You will learn about cryptography, but that is not the only tool at your disposal. After reading this book you will come away feeling empowered and confident when it comes to taking charge of the application security issues that are in your control.
What You'll Learn - Understand the key concepts of software-based security in the context of application development
- See how to structure a distributed application inside and outside of the firewall
- Explore and recognize common attack vectors
- Gain a thorough understanding of validations
- Work through various examples of software security with a sense of humor
- Embrace the power you have as a developer
- Know the risks in order to ensure that development efforts work to mitigate the risks
Who This Book Is For
.NET developers, especially those who are developing applications that are visible on the Internet
Autoren/Hrsg.
Fachgebiete
Weitere Infos & Material
Chapter 1, Secure Computing in an Insecure World
This chapter will introduce the concept of software based security and fit it in the context of the application developers
Survey of Various Dangers
Understanding the Risks
No Such Thing as “Secure” Our Goal is Defensible
Security is Everyone’s Concern, Especially the Developer
Chapter 2: Overview of Common Attack Vectors
In this chapter we will discuss some of the top attack patterns that frequently plague web application
Parameter Manipulation
Various Injections
Sensitive Data Exposure
(Other vectors)
Chapter 3: Security Principles
In this chapter we will give an overview of various guiding principles for secure programming. This chapter will include references to other chapters where these concepts are discussed in greater depth of real world examples are showcased
Fail Securely
Positive Security Model (White list)
Negative Security Model (Black list)
Minimize Attack Surface
Separation of Duties
Avoid Security Through Obscurity
Keep Security Simple
Don’t Trust Services
Defense in Depth
Least Privilege
Establish Secure Defaults
Chapter 4: Validations in Practice
Blessed are the Paranoid for they Validate
In this chapter we will explore all things validation
Don’t Trust Users
Don’t Trust Input Parameters from unknown sources
Don’t Trust Input Files you didn’t write
Don’t trust data even from your own database
Overview of the Standard Validators
Validators are SQL Firewall Rules
Chapter 5: Application Topography for Security
Blessed are the Lonely for they Separate
In this chapter we discuss how to structure a distributed application paying attention to what goes inside and outside of the firewall
Distributed Application creates a Larger Attack Surface
Separate the Database from the Application Server
Properly Handling Connection Strings
What should stay outside the firewall
What should stay inside the firewall
How do servers communicate
Chapter 6: Mitigating Risk by Minimizing Privilege
Blessed are the Cautious for they Follow the Principle of Least Privilege
In this chapter we will introduce and explore the Principle of Least Privilege. We will see how this applies to the database specifically as well as to network resources in general.
The Database has all the Keys to the Kingdom
Separate Key Sensitive Data to a Separate Database
Isolate Key Sensitive in the Same Database with Separate Logins
Separate Transaction Data from Reporting Data
Understanding Access Control Lists
Chapter 7: Cryptography in Practice
Blessed are the Cryptic for Even Stolen Data is Secure
In this chapter we will discuss cryptography from an application perspective. We will review the common algorithms used, how they are executed, and we will discuss some best practices for using cryptography.
Cryptography can be a Self-Imposed Denial of Service if used wrong
Symmetric Cryptography
Asymmetric Cryptography
Digital Signatures
Hashing
Chapter 8: Authentication and Authorization
In this chapter we will discuss all things related to Authentication and Authorization. This may be split into 2 chapters not sure yet.
Password complexity policies
Password resets
2 Factor Authentication
Idle Timeouts
Logging Out
Authorization Matrix
Access Control Lists
Protected Resources
Static Resources
Reauthorization
JWT (JSON Web Tokens)
Chapter 9: Securing Web Services
In this chapter we will discuss web services, the roles they play in modern web applications and how to properly secure them.
Chapter 10 Threat Modeling
In this chapter we will step through the Microsoft Threat Modeling Process. We will discuss the importance of modeling, review the individual steps, and discuss ways to incorporate this into your development lifecycle
Identify Security Objectives
Survey the Application
Decompose the Application
Identify Threats
STRIDE
DREAD
Chapter 11 Best Practices
This will be a wrap up chapter that will reiterate all the best practices identified though out the book. Best practices will be grouped by chapter giving the reader a quick link back to where the best practice was introduced so they can quickly get more context.
