
Web Application Security, A Beginner's Guide
Description
Everything about e-books | Answers to questions about e-books, copy protection and file formats can be found in our Info & Help section.

Content
- Cover Page
- Web Application Security
- Copyright Page
- Dedication
- Contents at a Glance
- Contents
- Acknowledgments
- Introduction
- Part I Primer
- 1 Welcome to the Wide World of Web Application Security
- Misplaced Priorities and the Need for a New Focus
- Network Security versus Application Security: The Parable of the Wizard and the Magic Fruit Trees
- Real-World Parallels
- Thinking like a Defender
- The OWASP Top Ten List
- #1. Injection
- #2. Cross-Site Scripting (XSS)
- #3. Broken Authentication and Session Management
- #4. Insecure Direct Object References
- #5. Cross-Site Request Forgery
- #6. Security Misconfiguration
- #7. Insecure Cryptographic Storage
- #8. Failure to Restrict URL Access
- #9. Insufficient Transport Layer Protection
- #10. Unvalidated Redirects and Forwards
- Wrapping Up the OWASP Top Ten
- Secure Features, Not Just Security Features
- Final Thoughts
- 2 Security Fundamentals
- Input Validation
- Blacklist Validation
- Whitelist Validation
- More Validation Practices
- The Defense-in-Depth Approach
- Attack Surface Reduction
- Attack Surface Reduction Rules of Thumb
- Classifying and Prioritizing Threats
- STRIDE
- IIMF
- CIA
- Common Weakness Enumeration (CWE)
- DREAD
- Common Vulnerability Scoring System (CVSS)
- Part II Web Application Security Principles
- 3 Authentication
- Access Control Overview
- Authentication Fundamentals
- Proving Your Identity
- Two-Factor and Three-Factor Authentication
- Web Application Authentication
- Password-Based Authentication Systems
- Built-In HTTP Authentication
- Single Sign-On Authentication
- Custom Authentication Systems
- Validating Credentials
- Securing Password-Based Authentication
- Attacks Against Passwords
- The Importance of Password Complexity
- Password Best Practices
- Secure Authentication Best Practices
- When and Where to Perform Authentication
- Securing Web Authentication Mechanisms
- 4 Authorization
- Access Control Continued
- Authorization
- Session Management
- Authorization Fundamentals
- Authorization Goals
- Detailed Authorization Check Process
- Types of Permissions
- Authorization Layers
- Controls by Layer
- Custom Authorization Mechanisms
- Client-Side Attack
- TOCTTOU Exploit
- Web Authorization Best Practices
- Attacks Against Authorization
- Session Management Fundamentals
- What's a Session?
- How to Manage Session State?
- Why Do We Need Session Management?
- Attacks Against Sessions
- SSL and HTTPS
- Jetty: Session Predictability in the Real World
- Attacks Against Session State
- Securing Web Application Session Management
- Session Management Best Practices
- 5 Browser Security Principles: The Same-Origin Policy
- Defining the Same-Origin Policy
- An Important Distinction: Client-Side vs. Server-Side
- A World Without the Same-Origin Policy
- Exceptions to the Same-Origin Policy
- HTML <script> Element
- JSON and JSONP
- iframes and JavaScript document.domain
- Adobe Flash Player Cross-Domain Policy File
- Microsoft Silverlight
- XMLHttpRequest (Ajax) and Cross-Origin Resource Sharing
- XDomainRequest
- Final Thoughts on the Same-Origin Policy
- 6 Browser Security Principles: Cross-Site Scripting and Cross-Site Request Forgery
- Cross-Site Scripting
- Cross-Site Scripting Explained
- Reflected XSS
- POST-Based Reflected XSS
- Stored XSS
- Local XSS
- Another Variation: HTML Injection
- XSS Defense: Encoding Output
- XSS Defense: Sanitizing Input
- XSS Defense: Using a Reduced Markup Language
- XSS Defense-in-Depth: HttpOnly
- XSS Defense-in-Depth: Content Security Policy (CSP)
- Final Thoughts on Cross-Site Scripting
- Cross-Site Request Forgery
- Cross-Site Request Forgery Explained
- HTTP GET and the Concept of Safe Methods
- Ineffective CSRF Defense: Relying on POST
- Ineffective CSRF Defense: Checking the Referer Header
- Ineffective CSRF Defense: URL Rewriting
- Better CSRF Defense: Shared Secrets
- Better CSRF Defense: Double-Submitted Cookies
- Prevent XSS
- Reauthentication
- What Being "Logged In" Means
- Final Thoughts on Cross-Site Request Forgery
- 7 Database Security Principles
- Structured Query Language (SQL) Injection
- SQL Injection Effects and Confidentiality-Integrity-Availability
- The Dangers of Detailed Errors
- Blind SQL Injection: No Errors Required
- Solving the Problem: Validating Input
- Regular Expressions
- Solving the Problem: Escaping Input
- Setting Database Permissions
- Single Account Security
- Separate Accounts for Separate Roles
- Stored Procedure Security
- The Stored-Procedures-Only Approach: Reducing Permissions Even Further
- SQL Injection in Stored Procedures
- Insecure Direct Object References
- No Technical Knowledge Required
- Insecure Direct Object References and Confidentiality-Integrity-Availability
- Solving the Problem: Pre- or Post-Request Authorization Checks
- Final Thoughts on Insecure Direct Object References
- 8 File Security Principles
- Keeping Your Source Code Secret
- Static Content and Dynamic Content
- Revealing Source Code
- Interpreted versus Compiled Code
- Backup File Leaks
- Include-File Leaks
- Keep Secrets Out of Static Files
- Exposing Sensitive Functionality
- Security Through Obscurity
- Forceful Browsing
- Forceful Browsing and Insecure Direct Object References
- Directory Enumeration
- Redirect Workflow Manipulation
- Directory Traversal
- etc/passwd
- More Directory Traversal Vulnerabilities
- Canonicalization
- Part III Secure Development and Deployment
- 9 Secure Development Methodologies
- Baking Security In
- The Earlier, the Better
- The Penetrate-and-Patch Approach
- The Holistic Approach to Application Security
- Training
- Threat Modeling
- Secure Coding Libraries
- Code Review
- Security Testing
- Security Incident Response Planning
- Industry Standard Secure Development Methodologies and Maturity Models
- The Microsoft Security Development Lifecycle (SDL)
- OWASP Comprehensive Lightweight Application Security Process (CLASP)
- The Software Assurance Maturity Model (SAMM)
- The Building Security In Maturity Model (BSIMM)
- Conclusions on Secure Development Methodologies and Maturity Models
- Epilogue The Wizard, the Giant, and the Magic Fruit Trees: A Happy Ending
- Index
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.