MTU Cork Library Catalogue


Alice & Bob learn application security [electronic book] / Tanya Janca.

By: Janca, Tanya [author].
Material type: Book
Publisher: Indianapolis : John Wiley and Sons, Inc., [2021]
Copyright date: ©2021
Description: online resource (xxvi, 257 pages) : color illustrations.
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781119687351 (paperback); 9781119687399 (e-Book).
Subject(s): Computer security | Application software | Application software -- Security measures
DDC classification: 005.8
Online resources: e-Book

Enhanced descriptions from Syndetics:

Learn application security from the very start, with this comprehensive and approachable guide!

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:

  • Secure requirements, design, coding, and deployment
  • Security Testing (all forms)
  • Common Pitfalls
  • Application Security Programs
  • Securing Modern Applications
  • Software Developer Security Hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.

Includes index.

MTU Cork Module CYBR 9001 - core reading.

Electronic reproduction: ProQuest LibCentral. Mode of access: World Wide Web.

Table of contents provided by Syndetics

  • Introduction (p. xxi)
  • Part 1 What You Must Know to Write Code Safe Enough to Put on the internet (p. 1)
  • Chapter 1 Security Fundamentals (p. 3)
  • The Security Mandate: CIA (p. 3)
  • Confidentiality (p. 4)
  • Integrity (p. 5)
  • Availability (p. 5)
  • Assume Breach (p. 7)
  • Insider Threats (p. 8)
  • Defense in Depth (p. 9)
  • Least Privilege (p. 11)
  • Supply Chain Security (p. 11)
  • Security by Obscurity (p. 13)
  • Attack Surface Reduction (p. 14)
  • Hard Coding (p. 15)
  • Never Trust, Always Verify (p. 15)
  • Usable Security (p. 17)
  • Factors of Authentication (p. 18)
  • Exercises (p. 20)
  • Chapter 2 Security Requirements (p. 21)
  • Requirements (p. 22)
  • Encryption (p. 23)
  • Never Trust System Input (p. 24)
  • Encoding and Escaping (p. 28)
  • Third-Party Components (p. 29)
  • Security Headers: Seatbelts for Web Apps (p. 31)
  • Security Headers in Action (p. 32)
  • X-XSS-Protection (p. 32)
  • Content-Security-Policy (CSP) (p. 32)
  • X-Frame-Options (p. 35)
  • X-Content-Type-Options (p. 36)
  • Referrer-Policy (p. 36)
  • Strict-Transport-Security (HSTS) (p. 37)
  • Feature-Policy (p. 38)
  • X-Permitted-Cross-Domain-Policies (p. 39)
  • Expect-CT (p. 39)
  • Public Key Pinning Extension for HTTP (HPKP) (p. 41)
  • Securing Your Cookies (p. 42)
  • The Secure Flag (p. 42)
  • The HttpOnly Flag (p. 42)
  • Persistence (p. 43)
  • Domain (p. 43)
  • Path (p. 44)
  • Same-Site (p. 44)
  • Cookie Prefixes (p. 45)
  • Data Privacy (p. 45)
  • Data Classification Passwords, Storage, and Other Important Decisions (p. 46)
  • HTTPS Everywhere (p. 52)
  • TLS Settings (p. 53)
  • Comments (p. 54)
  • Backup and Rollback (p. 54)
  • Framework Security Features (p. 54)
  • Technical Debt = Security Debt (p. 55)
  • File Uploads (p. 56)
  • Errors and Logging (p. 57)
  • Input Validation and Sanitization (p. 58)
  • Authorization and Authentication (p. 59)
  • Parameterized Queries (p. 59)
  • URL Parameters (p. 60)
  • Least Privilege (p. 60)
  • Requirements Checklist (p. 61)
  • Exercises (p. 63)
  • Chapter 3 Secure Design (p. 65)
  • Design Flaw vs. Security Bug (p. 66)
  • Discovering a Flaw Late (p. 67)
  • Pushing Left (p. 68)
  • Secure Design Concepts (p. 68)
  • Protecting Sensitive Data (p. 68)
  • Never Trust, Always Verify/Zero Trust/Assume Breach (p. 70)
  • Backup and Rollback (p. 71)
  • Server-Side Security Validation (p. 73)
  • Framework Security Features (p. 74)
  • Security Function Isolation (p. 74)
  • Application Partitioning (p. 75)
  • Secret Management (p. 76)
  • Re-authentication for Transactions (Avoiding CSRF) (p. 76)
  • Segregation of Production Data (p. 77)
  • Protection of Source Code (p. 77)
  • Threat Modeling (p. 78)
  • Exercises (p. 82)
  • Chapter 4 Secure Code (p. 83)
  • Selecting Your Framework and Programming Language (p. 83)
  • Example #1 (p. 85)
  • Example #2 (p. 85)
  • Example #3 (p. 86)
  • Programming Languages and Frameworks: The Rule (p. 87)
  • Untrusted Data (p. 87)
  • HTTP Verbs (p. 89)
  • Identity (p. 90)
  • Session Management (p. 91)
  • Bounds Checking (p. 93)
  • Authentication (AuthN) (p. 94)
  • Authorization (AuthZ) (p. 96)
  • Error Handling, Logging, and Monitoring (p. 99)
  • Rules for Errors (p. 100)
  • Logging (p. 100)
  • Monitoring (p. 101)
  • Exercises (p. 103)
  • Chapter 5 Common Pitfalls (p. 105)
  • OWASP (p. 105)
  • Defenses and Vulnerabilities Not Previously Covered (p. 109)
  • Cross-Site Request Forgery (p. 110)
  • Server-Side Request Forgery (p. 112)
  • Deserialization (p. 114)
  • Race Conditions (p. 115)
  • Closing Comments (p. 117)
  • Exercises (p. 117)
  • Part II What You Should Do to Create Very Good Code (p. 119)
  • Chapter 6 Testing and Deployment (p. 121)
  • Testing Your Code (p. 121)
  • Code Review (p. 122)
  • Static Application Security Testing (SAST) (p. 123)
  • Software Composition Analysis (SCA) (p. 125)
  • Unit Tests (p. 126)
  • Infrastructure as Code (IaC) and Security as Code (SaC) (p. 128)
  • Testing Your Application (p. 129)
  • Manual Testing (p. 130)
  • Browsers (p. 131)
  • Developer Tools (p. 131)
  • Web Proxies (p. 132)
  • Fuzzing (p. 133)
  • Dynamic Application Security Testing (DAST) (p. 133)
  • VA/Security Assessment/PenTest (p. 135)
  • Testing Your Infrastructure (p. 141)
  • Testing Your Database (p. 141)
  • Testing Your APIs and Web Services (p. 142)
  • Testing Your Integrations (p. 143)
  • Testing Your Network (p. 144)
  • Deployment (p. 145)
  • Editing Code Live on a Server (p. 146)
  • Publishing from an IDE (p. 146)
  • "Homemade"
  • Run Books (p. 148)
  • Continuous Integration/Continuous Delivery/Continuous Deployment (p. 148)
  • Exercises (p. 149)
  • Chapter 7 An AppSec Program (p. 151)
  • Application Security Program Goals (p. 152)
  • Creating and Maintaining an Application Inventory (p. 153)
  • Capability to Find Vulnerabilities in Written, Running, and Third-Party Code (p. 153)
  • Knowledge and Resources to Fix the Vulnerabilities (p. 154)
  • Education and Reference Materials (p. 155)
  • Providing Developers with Security Tools (p. 155)
  • Having One or More Security Activities During Each Phase of Your SDLC (p. 156)
  • Implementing Useful and Effective Tooling (p. 157)
  • An Incident Response Team That Knows When to Call You (p. 157)
  • Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback (p. 159)
  • Metrics (p. 159)
  • Experimentation (p. 161)
  • Feedback from Any and All Stakeholders (p. 161)
  • A Special Note on DevOps and Agile (p. 162)
  • Application Security Activities (p. 162)
  • Application Security Tools (p. 164)
  • Your Application Security Program (p. 165)
  • Exercises (p. 166)
  • Chapter 8 Securing Modern Applications and Systems (p. 167)
  • APIs and Microservices (p. 168)
  • Online Storage (p. 171)
  • Containers and Orchestration (p. 172)
  • Serverless (p. 174)
  • Infrastructure as Code (IaC) (p. 175)
  • Security as Code (SaC) (p. 177)
  • Platform as a Service (PaaS) (p. 178)
  • Infrastructure as a Service (IaaS) (p. 179)
  • Continuous Integration/Delivery/Deployment (p. 180)
  • Dev(Sec)Ops (p. 180)
  • DevSecOps (p. 182)
  • The Cloud (p. 183)
  • Cloud Computing (p. 183)
  • Cloud Native (p. 184)
  • Cloud Native Security (p. 185)
  • Cloud Workflows (p. 185)
  • Modern Tooling (p. 186)
  • IAST Interactive Application Security Testing (p. 186)
  • Runtime Application Security Protection (p. 187)
  • File Integrity Monitoring (p. 187)
  • Application Control Tools (Approved Software Lists) (p. 187)
  • Security Tools Created for DevOps Pipelines (p. 188)
  • Application Inventory Tools (p. 188)
  • Least Privilege and Other Policy Automation (p. 189)
  • Modern Tactics (p. 189)
  • Summary (p. 191)
  • Exercises (p. 191)
  • Part III Helpful Information on How to Continue to Create Very Good Code (p. 193)
  • Chapter 9 Good Habits (p. 195)
  • Password Management (p. 196)
  • Remove Password Complexity Rules (p. 196)
  • Use a Password Manager (p. 197)
  • Passphrases (p. 198)
  • Don't Reuse Passwords (p. 198)
  • Do Not Implement Password Rotation (p. 199)
  • Multi-Factor Authentication (p. 199)
  • Incident Response (p. 200)
  • Fire Drills (p. 201)
  • Continuous Scanning (p. 202)
  • Technical Debt (p. 202)
  • Inventory (p. 203)
  • Other Good Habits (p. 204)
  • Policies (p. 204)
  • Downloads and Devices (p. 204)
  • Lock Your Machine (p. 204)
  • Privacy (p. 205)
  • Summary (p. 206)
  • Exercises (p. 206)
  • Chapter 10 Continuous Learning (p. 207)
  • What to Learn (p. 208)
  • Offensive = Defensive (p. 208)
  • Don't Forget Soft Skills (p. 208)
  • Leadership != Management (p. 209)
  • Learning Options (p. 209)
  • Accountability (p. 212)
  • Create Your Plan (p. 213)
  • Take Action (p. 214)
  • Exercises (p. 214)
  • Learning Plan (p. 216)
  • Chapter 11 Closing Thoughts (p. 217)
  • Lingering Questions (p. 218)
  • When Have You Done Enough? (p. 218)
  • How Do You Get Management on Board? (p. 220)
  • How Do You Get Developers on Board? (p. 221)
  • Where Do You Start? (p. 222)
  • Where Do You Get Help? (p. 223)
  • Conclusion (p. 223)
  • Appendix A Resources (p. 225)
  • Introduction (p. 225)
  • Chapter 1 Security Fundamentals (p. 225)
  • Chapter 2 Security Requirements (p. 226)
  • Chapter 3 Secure Design (p. 227)
  • Chapter 4 Secure Code (p. 228)
  • Chapter 5 Common Pitfalls (p. 228)
  • Chapter 6 Testing and Deployment (p. 229)
  • Chapter 7 An AppSec Program (p. 229)
  • Chapter 8 Securing Modern Applications and Systems (p. 230)
  • Chapter 9 Good Habits (p. 231)
  • Chapter 10 Continuous Learning (p. 231)
  • Appendix B Answer Key (p. 233)
  • Chapter 1 Security Fundamentals (p. 233)
  • Chapter 2 Security Requirements (p. 235)
  • Chapter 3 Secure Design (p. 236)
  • Chapter 4 Secure Code (p. 238)
  • Chapter 5 Common Pitfalls (p. 241)
  • Chapter 6 Testing and Deployment (p. 242)
  • Chapter 7 An AppSec Program (p. 244)
  • Chapter 8 Securing Modern Applications and Systems (p. 245)
  • Chapter 9 Good Habits (p. 247)
  • Chapter 10 Continuous Learning (p. 248)
  • Index (p. 249)

Author notes provided by Syndetics

Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.
