Alice and Bob Learn Application Security. Tanya Janca
Table of Contents
1 Cover
2 Introduction
Pushing Left
About This Book
Out-of-Scope Topics
The Answer Key
3 Part I: What You Must Know to Write Code Safe Enough to Put on the Internet
CHAPTER 1: Security Fundamentals
The Security Mandate: CIA
Assume Breach
Insider Threats
Defense in Depth
Least Privilege
Supply Chain Security
Security by Obscurity
Attack Surface Reduction
Hard Coding
Never Trust, Always Verify
Usable Security
Factors of Authentication
Exercises
CHAPTER 2: Security Requirements
Requirements
Requirements Checklist
Exercises
CHAPTER 3: Secure Design
Design Flaw vs. Security Bug
Secure Design Concepts
Segregation of Production Data
Threat Modeling
Exercises
CHAPTER 4: Secure Code
Selecting Your Framework and Programming Language
Untrusted Data
HTTP Verbs
Identity
Session Management
Bounds Checking
Authentication (AuthN)
Authorization (AuthZ)
Error Handling, Logging, and Monitoring
Exercises
CHAPTER 5: Common Pitfalls
OWASP
Defenses and Vulnerabilities Not Previously Covered
Race Conditions
Closing Comments
Exercises
4 Part II: What You Should Do to Create Very Good Code
CHAPTER 6: Testing and Deployment
Testing Your Code
Testing Your Application
Testing Your Infrastructure
Testing Your Database
Testing Your APIs and Web Services
Testing Your Integrations
Testing Your Network
Deployment
Exercises
CHAPTER 7: An AppSec Program
Application Security Program Goals
Application Security Activities
Application Security Tools
CHAPTER 8: Securing Modern Applications and Systems
APIs and Microservices
Online Storage
Containers and Orchestration
Serverless
Infrastructure as Code (IaC)
Security as Code (SaC)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Continuous Integration/Delivery/Deployment
Dev(Sec)Ops
The Cloud
Cloud Workflows
Modern Tooling
Modern Tactics
Summary