Fundamentals of Secure Software

Video description

Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked. It may include hardware, software, and procedures that identify or minimize security vulnerabilities. Web application security is the process of securing websites, web applications, and other internet-based services from cyber-attacks, breaches, and security threats that leverage loopholes, misconfigurations, and vulnerabilities in these applications or their code.

This course will familiarize you with the common vulnerabilities that plague developed code, as outlined in publications such as the OWASP Top 10 and SANS Top 25. You will understand what types of development behavior lead to vulnerabilities and how to avoid them when writing secure code. You will learn how to perform a threat model on development features to understand which threats could impact your code, where they come from, and how to mitigate them.

You will also review and operate the analysis tools available to developers for analyzing their code and discovering vulnerabilities, allowing you to correct them early in the development lifecycle.

Finally, you will understand how application security fits in an overall cybersecurity program.

By the end of this course, you will have learned the fundamentals, best practices, and tools used in application security.

What You Will Learn

  • Explore OWASP Top 10 and defend against those vulnerabilities
  • Learn to perform a threat model on an application
  • Perform a vulnerability scan of an application
  • Understand how to correct common security vulnerabilities in code
  • See how application security fits in an overall cybersecurity program
  • Build security into the software development lifecycle

Audience

This course is ideal for software developers interested in developing more secure software, security practitioners, software and security engineering leaders, and cybersecurity professionals.

This course is best suited to intermediate-level professionals with a basic understanding of IT security and programming.

Basic programming knowledge and an understanding of IT systems and how software is deployed in operational environments will help you grasp the concepts readily.

About The Author

Derek Fisher: Derek Fisher is a leader, speaker, author, and instructor in cybersecurity. He has several decades of experience designing systems in both hardware and software and holds a graduate degree in cybersecurity from Boston University. He continues to work professionally as a leader, university instructor, and conference speaker in the security space, where he provides insight into multiple fields and disciplines.

Table of contents

  1. Chapter 1 : Introduction to the Course
    1. Introduction to Application Security
    2. Application Security Terms and Definitions
    3. Application Security Goals
    4. OWASP WebGoat Demo
  2. Chapter 2 : Introduction to OWASP Top 10 and More Items
    1. Introduction to OWASP Top 10
    2. SANS Top 25
    3. Threat Actors and More Definitions
    4. Defense In-Depth
    5. Proxy Tools
    6. Demo of Fiddler with JuiceShop
    7. API Security
  3. Chapter 3 : Dive into the OWASP Top 10
    1. Broken Access Control
    2. Cryptographic Failures
    3. Injection
    4. Insecure Design
    5. Security Misconfiguration
    6. Vulnerable and Outdated Components
    7. Identification and Authentication Failures
    8. Software and Data Integrity Failures
    9. Security Logging and Monitoring Failures
    10. Server-Side Request Forgery
  4. Chapter 4 : Defenses and Tools
    1. OWASP ZAP (Zed Attack Proxy)
    2. Running a ZAP Scan
    3. Cross-Site Scripting
    4. CSP (Content Security Policy)
    5. CSP Demo
    6. Security Models
    7. Scanning for OSS Vulnerabilities with Software Composition Analysis
    8. SKF (Security Knowledge Framework)
    9. SKF Demo
    10. SKF Labs Demo
    11. Source Code Review
  5. Chapter 5 : Session Management
    1. Introduction to Session Management
    2. Web Sessions
    3. JWT (JSON Web Token)
    4. JWT Example
    5. OAuth
    6. OpenID and OpenID Connect
  6. Chapter 6 : Risk Rating and Threat Modeling
    1. Risk Rating Introduction
    2. Risk Rating Demo
    3. Introduction to Threat Modeling
    4. Type of Threat Modeling
    5. Introduction to Manual Threat Modeling
    6. Manual Threat Model demo
    7. Prepping for Microsoft Threat Model Tool
    8. Microsoft Threat Model Tool demo
  7. Chapter 7 : Encryption and Hashing
    1. Encryption Overview
    2. Encryption Use Cases
    3. Hashing Overview
    4. Hashing Demo
    5. PKI (Public Key Infrastructure)
    6. Password Management
    7. Password Demo
  8. Chapter 8 : Frameworks and Process
    1. HIPAA (Health Insurance Portability and Accountability Act)
    2. PCI DSS (Payment Card Industry Data Security Standard)
    3. DevOps
    4. DevSecOps
    5. Use, Abuse, and Misuse cases
  9. Chapter 9 : Security Scanning and Testing
    1. SAST (Static Application Security Testing)
    2. Spot Bugs Demo
    3. DAST (Dynamic Application Security Testing)
    4. IAST (Interactive Application Security Testing)
    5. RASP (Runtime Application Self-Protection)
    6. WAF (Web Application Firewall)
    7. Penetration Testing
    8. SCA (Software Composition Analysis)
  10. Chapter 10 : Conclusion
    1. Conclusion

Product information

  • Title: Fundamentals of Secure Software
  • Author(s): Derek Fisher
  • Release date: December 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781837636815