"Tanya knows her stuff. She has a huge depth of experience and expertise in application security, DevSecOps, and cloud security. We can all learn a ton of stuff from Tanya, so you should read her book!" -Dafydd Stuttard, best-selling co-author of The Web Application Hacker's Handbook, creator of Burp Suite "I learned so much from this book! Information security is truly everyone's job -- this book is a fantastic overview of the vast knowledge needed by everyone, from developer, infrastructure, security professionals, and so much more. Kudos to Ms. Janca for writing such an educational and practical primer. I loved the realistic stories that frame real-world problems, spanning everything from design, migrating applications from problematic frameworks, mitigating admin risks, and things that every modern developer needs to know." -Gene Kim, bestselling author of The Unicorn Project, co-author of The Phoenix Project, DevOps Handbook, Accelerate "Practical guidance for the modern era; Tanya does a great job of communicating current day thinking around AppSec in terms we can all relate to." -Troy Hunt, creator of "Have I Been Pwned"

Foreword xxi Introduction xxiii Part I What You Must Know to Write Code Safe Enough to Put on the Internet 1 Chapter 1 Security Fundamentals 3 The Security Mandate: CIA 3 Confidentiality 4 Integrity 5 Availability 5 Assume Breach 7 Insider Threats 8 Defense in Depth 9 Least Privilege 11 Supply Chain Security 11 Security by Obscurity 13 Attack Surface Reduction 14 Hard Coding 15 Never Trust, Always Verify 15 Usable Security 17 Factors of Authentication 18 Exercises 20 Chapter 2 Security Requirements 21 Requirements 22 Encryption 23 Never Trust System Input 24 Encoding and Escaping 28 Third-Party Components 29 Security Headers: Seatbelts for Web Apps 31 Security Headers in Action 32 X-XSS-Protection 32 Content-Security-Policy (CSP) 32 X-Frame-Options 35 X-Content-Type-Options 36 Referrer-Policy 36 Strict-Transport-Security (HSTS) 37 Feature-Policy 38 X-Permitted-Cross-Domain-Policies 39 Expect-CT 39 Public Key Pinning Extension for HTTP (HPKP) 41 Securing Your Cookies 42 The Secure Flag 42 The HttpOnly Flag 42 Persistence 43 Domain 43 Path 44 Same-Site 44 Cookie Prefixes 45 Data Privacy 45 Data Classification 45 Passwords, Storage, and Other Important Decisions 46 HTTPS Everywhere 52 TLS Settings 53 Comments 54 Backup and Rollback 54 Framework Security Features 54 Technical Debt = Security Debt 55 File Uploads 56 Errors and Logging 57 Input Validation and Sanitization 58 Authorization and Authentication 59 Parameterized Queries 59 URL Parameters 60 Least Privilege 60 Requirements Checklist 61 Exercises 63 Chapter 3 Secure Design 65 Design Flaw vs. Security Bug 66 Discovering a Flaw Late 67 Pushing Left 68 Secure Design Concepts 68 Protecting Sensitive Data 68 Never Trust, Always Verify/Zero Trust/Assume Breach 70 Backup and Rollback 71 Server-Side Security Validation 73 Framework Security Features 74 Security Function Isolation 74 Application Partitioning 75 Secret Management 76 Re-authentication for Transactions (Avoiding CSRF) 76 Segregation of Production Data 77 Protection of Source Code 77 Threat Modeling 78 Exercises 82 Chapter 4 Secure Code 83 Selecting Your Framework and Programming Language 83 Example #1 85 Example #2 85 Example #3 86 Programming Languages and Frameworks: The Rule 87 Untrusted Data 87 HTTP Verbs 89 Identity 90 Session Management 91 Bounds Checking 93 Authentication (AuthN) 94 Authorization (AuthZ) 96 Error Handling, Logging, and Monitoring 99 Rules for Errors 100 Logging 100 Monitoring 101 Exercises 103 Chapter 5 Common Pitfalls 105 OWASP 105 Defenses and Vulnerabilities Not Previously Covered 109 Cross-Site Request Forgery 110 Server-Side Request Forgery 112 Deserialization 114 Race Conditions 115 Closing Comments 117 Exercises 117 Part II What You Should Do to Create Very Good Code 119 Chapter 6 Testing and Deployment 121 Testing Your Code 121 Code Review 122 Static Application Security Testing (SAST) 123 Software Composition Analysis (SCA) 125 Unit Tests 126 Infrastructure as Code (IaC) and Security as Code (SaC) 128 Testing Your Application 129 Manual Testing 130 Browsers 131 Developer Tools 131 Web Proxies 132 Fuzzing 133 Dynamic Application Security Testing (DAST) 133 VA/Security Assessment/PenTest 135 Testing Your Infrastructure 141 Testing Your Database 141 Testing Your APIs and Web Services 142 Testing Your Integrations 143 Testing Your Network 144 Deployment 145 Editing Code Live on a Server 146 Publishing from an IDE 146 "Homemade" Deployment Systems 147 Run Books 148 Contiguous Integration/Continuous Delivery/Continuous Deployment 148 Exercises 149 Chapter 7 An AppSec Program 151 Application Security Program Goals 152 Creating and Maintaining an Application Inventory 153 Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153 Knowledge and Resources to Fix the Vulnerabilities 154 Education and Reference Materials 155 Providing Developers with Security Tools 155 Having One or More Security Activities During Each Phase of Your SDLC 156 Implementing Useful and Effective Tooling 157 An Incident Response Team That Knows When to Call You 157 Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159 Metrics 159 Experimentation 161 Feedback from Any and All Stakeholders 161 A Special Note on DevOps and Agile 162 Application Security Activities 162 Application Security Tools 164 Your Application Security Program 165 Exercises 166 Chapter 8 Securing Modern Applications and Systems 167 APIs and Microservices 168 Online Storage 171 Containers and Orchestration 172 Serverless 174 Infrastructure as Code (IaC) 175 Security as Code (SaC) 177 Platform as a Service (PaaS) 178 Infrastructure as a Service (IaaS) 179 Continuous Integration/Delivery/Deployment 180 Dev(Sec)Ops 180 DevSecOps 182 The Cloud 183 Cloud Computing 183 Cloud Native 184 Cloud Native Security 185 Cloud Workflows 185 Modern Tooling 186 IAST Interactive Application Security Testing 186 Runtime Application Security Protection 187 File Integrity Monitoring 187 Application Control Tools (Approved Software Lists) 187 Security Tools Created for DevOps Pipelines 188 Application Inventory Tools 188 Least Privilege and Other Policy Automation 189 Modern Tactics 189 Summary 191 Exercises 191 Part III Helpful Information on How to Continue to Create Very Good Code 193 Chapter 9 Good Habits 195 Password Management 196 Remove Password Complexity Rules 196 Use a Password Manager 197 Passphrases 198 Don't Reuse Passwords 198 Do Not Implement Password Rotation 199 Multi-Factor Authentication 199 Incident Response 200 Fire Drills 201 Continuous Scanning 202 Technical Debt 202 Inventory 203 Other Good Habits 204 Policies 204 Downloads and Devices 204 Lock Your Machine 204 Privacy 205 Summary 206 Exercises 206 Chapter 10 Continuous Learning 207 What to Learn 208 Offensive = Defensive 208 Don't Forget Soft Skills 208 Leadership != Management 209 Learning Options 209 Accountability 212 Create Your Plan 213 Take Action 214 Exercises 214 Learning Plan 216 Chapter 11 Closing Thoughts 217 Lingering Questions 218 When Have You Done Enough? 218 How Do You Get Management on Board? 220 How Do You Get Developers on Board? 221 Where Do You Start? 222 Where Do You Get Help? 223 Conclusion 223 Appendix A Resources 225 Introduction 225 Chapter 1: Security Fundamentals 225 Chapter 2: Security Requirements 226 Chapter 3: Secure Design 227 Chapter 4: Secure Code 228 Chapter 5: Common Pitfalls 228 Chapter 6: Testing and Deployment 229 Chapter 7: An AppSec Program 229 Chapter 8: Securing Modern Applications and Systems 230 Chapter 9: Good Habits 231 Chapter 10: Continuous Learning 231 Appendix B Answer Key 233 Chapter 1: Security Fundamentals 233 Chapter 2: Security Requirements 235 Chapter 3: Secure Design 236 Chapter 4: Secure Code 238 Chapter 5: Common Pitfalls 241 Chapter 6: Testing and Deployment 242 Chapter 7: An AppSec Program 244 Chapter 8: Securing Modern Applications and Systems 245 Chapter 9: Good Habits 247 Chapter 10: Continuous Learning 248 Index 249

Tanya Janca, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.