book

97 Things Every Application Security Professional Should Know

by Reet Kaur, Yabing Wang

June 2024

Intermediate to advanced

310 pages

8h 59m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
O’Reilly Online LearningHow to Contact UsAcknowledgments
I. Program & Practice
1. Secure Code for Tomorrow’s Technology
Alyssa Columbus
2. Pragmatic Advice for Building an Application Security Program
Andres Andreu
3. AppSec Must Lead
Brook S.E. Schoenfield
4. Solving Problems for Application Security
Caroline Wong
5. Securing Your Enterprise Applications
Chadi Saliby
6. Developers as Partners in Application Security Strategy
Christian Ghigliotty
7. Be an Awesome Sidekick
Daniel TingIt’s About Them, Not You.Balanced Priorities (and Constraints)Easier Is Easier
8. Understanding the True Boundaries of Modern Applications
Erkang ZhengComponentsInfrastructureOwnershipThe Foundation of Modern Cybersecurity

9. Common Best Practices in Application Security
Laxmidhar V. GaopandeCode Scanning and ReviewsLeverage AI for Better Detection and AutomationBuild a Bug Bounty Program
10. AppSec Is a People Problem—Not a Technical One
Mark S. Merkow
11. Empowering Application Security Professionals Through Cybersecurity Education
Michael Bray
12. Why You Need a Practical Security Champions Program
Michael Xin and Sandeep Kumar Singh
13. The Human Firewall: Combat Enemies by Improving Your Security-Oriented Culture
Periklis GkoliasRecognizing External ThreatsRecognizing Insider ThreatsEmpowering Employees Through EducationPromoting Open CommunicationEngaging LeadershipConducting Regular Security DrillsRewarding and Recognizing Secure Behavior
14. Shifting Everywhere in Application Security
Sounil YuThe Changing Landscape of Application SecurityThe Traditional Shift Left ParadigmThe Role of Infrastructure and AutomationRe-envisioning Application Security
15. Beyond Barriers: Navigating the Path to a Successful AppSec Program
Yabing WangWhat Are the Core Components of the AppSec Program?What Are the Success Factors of the AppSec Program?
II. Secure SDLC
16. Building an Application Security Preparation Mindset
Andrew KingMindset: How Can You Prepare? Logging and Monitoring: Do You See What Happened? Scope: Can You Do It All? Best Practices: Can You Borrow from Others’ Experience?
17. How to Assess Security Mindset in Application Design
Anuj Parekh
18. Getting Your Application Ready for the Enterprise
Ayman ElsawahEnterprise Single Sign-On
19. Reductio Ad Applicationem Securitatis
Darryle MerletteReadWriteChange
20. Automating the Risk Calculation of Modern Applications
Erkang ZhengDesign and Business Context Technology Implementation and Operations Maturity of Team and Process
21. A Coordinated Approach to a Successful DevSecOps Program
Han Lievens
22. What Makes Someone a Developer?
Helen Umberger
23. Total AppSec
Hussain Syed
24. You’re More Than Your Job
Izar Tarandach
25. TAP Into the Potential of a Great SSDLC Program with Automation
Jyothi CharyuluThinkActPersevere
26. Vulnerability Researcher to Software Developer: The Other Side of the Coin
Larry W. Cashdollar
27. Strategies for Adding Security Rituals to an Existing SDLC
Laura Bell MainYou Can’t Change What You Don’t UnderstandStart with Experiments, Not SolutionsCreate a Rollout Plan with the Engineering TeamCollaboration Is the Key
28. Challenges and Considerations for Securing Serverless Applications
Manasés Jesús
29. Using Offensive Security to Defend Your Application
Nathaniel ShereHelpful Response MessagesAPI EndpointsAdministrative Features
30. Beyond “No”: The Modern Paradigm of Developer-Centric Application Security
Nielet D’mello
31. Security Paved Roads
Nielet D’melloWhat Are Security Paved Roads?How to Decide What Security Paved Roads Are Needed?Adoption and EffectivenessProduct-Centric Approach and Feedback LoopsConclusion
32. AppSec in the Cloud Era
Sandeep Kumar SinghLearn Shared Responsibility ModelSecure Configurations Continuous Logging and MonitoringData Protection in Multitenant EnvironmentsAdopt Cloud Security ServicesConclusion
33. Code Provenance for DevSecOps
Yashvier Kosaraju
III. Data Security & Privacy
34. Will Passwordless Authentication Save Your Application?
Aldo SalasPasswordless and WebAuthnPasswordless Pros and ConsPasswordless VulnerabilitiesOther Recommendations
35. Securing Your Databases: The Importance of Proper Access Controls and Audits
Dave Stokes
36. DataSecOps: Security in Data Products
Diogo Miyake
37. Data Security Code and Tests
Diogo Miyake
38. Data Security Starts with Good Governance
Lauren Maffeo
39. Protect Sensitive Data in Modern Applications
Louisa WangLearn Key Management Security Needs During the Data Life Cycle VaryDesign and Implement a Combination of Technical and Administrative Controls Insights and Security Recommendations
40. Leverage Data-Flow Analysis in Your Security Practices
Manuel Walder
41. Embracing a Practical Privacy Paradigm Shift in App Development
Maria Nichole SchwengerThe Paradox of Privacy and Innovation in Data SecurityReconceptualizing Data OwnershipLeveraging Privacy-Enhancing TechnologiesTransparency and Informed ConsentData Minimization and Purpose LimitationExploring Decentralized Data StorageData Privacy as a Competitive AdvantageIn a Nutshell
42. Quantum-Safe Encryption Algorithms
Rakesh Kulkarni
43. Application Integration Security
Sausan Yazji
IV. Code Scanning & Testing
44. Modern Approach to Software Composition Analysis: Call Graph and Runtime SCA
Aruneesh SalhotraTraditional Approach to SCAModern Approach to Manage Open Source RisksRuntime SCASummary
45. Application Security Testing
David LindnerStatic Application Security TestingDynamic Application Security TestingInteractive Application Security Testing
46. WAF and RASP
David LindnerWeb Application Firewalls Runtime Application Self-Protection
47. Zero Trust Software Architecture
Jacqueline Pitter
48. Rethinking Ethics in Application Security: Toward a Sustainable Digital Future
Pragat Patel
49. Modern WAF Deployment and Management Paradigms
Raj BadhwarOn Premises WAF Infrastructure for Hybrid Cloud Cloud Native WAF Infrastructure for the Public CloudManaged WAF Services
50. Do You Need Manual Penetration Testing?
Shawn Evans
51. Bash Your Head
Shawn Evans
52. Exploring Application Security Through Static Analysis
Tanya Janca
53. Introduction to CI/CD Pipelines and Associated Risks
Tyler Young
V. Vulnerability Management
54. Demystifying Bug Bounty Programs
Aldo SalasPreparing the Test EnvironmentTesting in ProductionRecommendations
55. EPSS: A Modern Approach to Vulnerability Management
Aruneesh SalhotraTraditional Approaches Are DatedThe World of EPSSKey Aspects of EPSS
56. Navigating the Waters of Vulnerability Management
Luis ArzuUnderstanding the Dynamic LandscapePrioritization: The Art of Decision MakingBuilding Collaborative RelationshipsLeveraging Robust Vulnerability Management SolutionsConclusion
57. Safeguarding the Digital Nexus: “Top 25 Parameters to Vulnerability Frequency”
Lütfü Mert CeylanExploring Vulnerability Categories: A Profound Expedition to Parameter FrequenciesEmpowering with Knowledge: The Path Forward
58. Unveiling Paths to Account Takeover: Web Cache to XSS Exploitation
Lütfü Mert CeylanDiscovery of VulnerabilityBut What Is Reflected XSS Vulnerability?Amplification Through Web Cache ExploitationThe Genesis of Account TakeoverExploiting the Dynamics of Web Cache PoisoningMitigation and Beyond
59. Sometimes the Smallest Risks Can Cause the Greatest Destruction
Lütfü Mert Ceylan
60. Effective Vulnerability Remediation Using EPSS
Reet Kaur
61. Bug Bounty—Shift Everywhere
Sean Poris
VI. Software Supply Chain
62. Integrating Security into Open Source Dependencies
Alyssa ColumbusSelecting Secure Open Source LibrariesAuditing and Hardening Open Source DependenciesStaying Current with Vulnerability Management Making Open Source Security a Priority
63. Supplier Relationship Management to Reduce Software Supply Chain Security Risk
Cassie Crossley
64. Fortifying Open Source AI/ML Libraries: Garden of Security in Software Supply Chain
Chloé MessdaghiDependency Scanning CI/CD for AI and MLSoftware Bill of Materials Auditing and VerificationCommunity Collaboration
65. SBOM: Transparent, Sustainable Compliance
Karen WalshBuilding TransparencyDesigning SustainablyDeveloping CompliantlyThe Future of Secure, Compliant Application Ecosystem
66. Secure the Software Supply Chain Through Transparency
Niels Tanis
67. Unlock the Secrets to Open Source Software Security
Travis FelderInvisible Open Source SoftwareEstablishing an OSS ProgramOpen Source Software Security Pro TipsCommon Open Source Software Security Mistakes to Avoid
68. Leverage SBOMs to Enhance Your SSDLC
Viraj Gandhi
VII. Threat Modeling
69. Learn to Threat Model
Adam Shostack, Matthew Coles, and Izar Tarandach
70. Understanding OWASP Insecure Design and Unmasking Toxic Combinations
Idan PlotnikUnderstand the Implications of Insecure DesignUnmask the “Toxic Combinations” in Application Security
71. The Right Way to Threat Model
Josh Brown
72. Attack Models in SSDLC
Vinay Venkatesh
VIII. Threat Intelligence & Incident Response
73. In Denial of Your Services
Allen West
74. Sifting for Botnets
Allen West
75. Incident Response for Credential Stuffing Attacks
Fayyaz Rajpari
76. Advanced Threat Intelligence Capabilities for Enhanced Application Security Defense
Michael Freeman
IX. Mobile Security
77. Mobile Security: Domain and Best Practices
Aruneesh SalhotraFundamentalsSupercharging Your CI/CD Pipeline with SecurityNavigating Privacy Concerns in Mobile Application Development
78. Mobile Application Security Using Containerization
Reet Kaur
X. API Security
79. API Security: JWE Encryption for Native Data Protection
Andres Andreu
80. APIs Are Windows to the Soul
Brook S.E. SchoenfieldRisksDefensesAccess ManagementInput Validation
81. API Security: The Bedrock of Modern Applications
Charan Akiri
82. API Security Primer: Visibility
Chenxi WangVisibility and Inventory
83. API Security Primer: Risk Assessment, Monitoring, and Detection
Chenxi Wang
84. API Security Primer: Control and Management
Chenxi Wang
XI. AI Security & Automation
85. LLMs Revolutionizing Application Security: Unleashing the Power of AI
Alexander James WoldLLMs and Static Application Security TestingLLMs and Predictive Threat HuntingUnique Advancement: LLMs and Intelligent Security PatchingChallenges and ConsiderationsConclusion
86. Mitigating Bias and Unfairness in AI-Based Applications
Angelica Lo DucaCollaborate with Domain ExpertsImprove Data QualityPerform User Testing
87. Secure Development with Generative AI
Heather Hinton
88. Managing the Risks of ChatGPT Integration
Josh Brown
89. Automation, Automation, and Automation for AppSec
Michael Xin
90. Will Generative and LLM Solve a 20-Year-Old Problem in Application Security?
Neatsun Ziv
91. Understand the Risks of Using AI in Application Development
Yasir AliMain Risk Categories and Recent IncidentsMajor Threat Vectors from LLMKey Risks in the SDLCLegal ConcernsLLM Concerns and Software Supply Chain ImpactIncreased Supply Chain RisksRemediative Controls
XII. IoT & Embedded System Security
92. Secure Code for Embedded Systems
Jason SinchakCodingThird-Party Code
93. Platform Security for Embedded Systems
Jason SinchakMaintaining Data SecuritySecure Firmware UpdatesAttack Surface ReductionSecure Communications
94. Application Identity for Embedded Systems
Jason Sinchak
95. Top Five Hacking Methods for IoT Devices
Manasés JesúsThe Trojan HorseThe Man-in-the-MiddleThe Zero-Day ExploitThe Brute Force AttackThe Denial-of-Service (DoS) Attack
96. Securing IoT Applications
Manasés Jesús
97. Application Security in Cyber–Physical Systems
Yaniv Vardi
About the Editors
Reet KaurYabing Wang
Contributors
Adam ShostackAldo SalasAlexander James WoldAllen WestAlyssa ColumbusAndres AndreuAndrew KingAngelica Lo DucaAnuj ParekhAruneesh SalhotraAyman ElsawahBrook S.E. SchoenfieldCaroline WongCassie CrossleyChadi SalibyCharan AkiriChenxi WangChloé MessdaghiChristian GhigliottyDaniel TingDarryle MerletteDavid LindnerDavid StokesDiogo MiyakeErkang ZhengFayyaz RajpariHan LievensHeather HintonHelen UmbergerHussain SyedIdan PlotnikIzar TarandachJacqueline PitterJason SinchakJosh BrownJyothi CharyuluKaren WalshLarry W. CashdollarLaura Bell MainLauren MaffeoLaxmidhar V. GaopandeLouisa WangLuis ArzuLütfü Mert CeylanManasés JesúsManuel WalderMaria Nichole SchwengerMark S. MerkowMatthew ColesMichael BrayMichael FreemanMichael XinNathaniel ShereNeatsun ZivNielet D’melloNiels TanisPeriklis GkoliasPragat PatelRaj BadhwarRakesh Kulkarni Sandeep Kumar SinghSausan YazjiSean PorisShawn EvansSounil YuTanya JancaTravis FelderTyler YoungVinay VenkateshViraj GandhiYaniv VardiYashvier KosarajuYasir Ali

Content preview from 97 Things Every Application Security Professional Should Know

Chapter 34. Will Passwordless Authentication Save Your Application?

Aldo Salas

Web applications can use a number of different options when it comes to authentication schemes. Without a doubt, and historically, usernames and passwords have been the preferred method of authentication for the last few decades.

The shortcomings of password-based authentication have been discussed at length, and almost every week we keep hearing of a new breach that involved or resulted in a password compromise.

Passwordless and WebAuthn

Thankfully, we now have stronger authentication mechanisms, such as passwordless systems. Specifically for web applications, we now have the Web Authentication (WebAuthn) specification that uses public key cryptography in order to authenticate any given user to a web application. The Fast Identity Online (FIDO) Alliance is the association behind this specification.

WebAuthn allows consumers to use strong authenticators such as security keys, biometrics, and mobile devices to prove their identity. Essentially, WebAuthn is a set of browser-based APIs that allow web applications to authenticate users by using the aforementioned authenticators.

Most modern devices have at least one of these authenticators already built in. For instance, you can use biometrics for mobile devices (fingerprint, face recognition, etc.), Touch ID for MacOS, and Windows Hello on Microsoft devices, to name a few.

These authenticators are phishing-resistant, which means that even if a bad ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

97 Things Every Information Security Professional Should Know

Publisher Resources

ISBN: 9781098152161Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design