Stop dangerous threats and secure your vulnerabilities without slowing down delivery. This practical book is a one-stop guide to implementing a robust application security program.
In the Application Security Program Handbook you will learn:
• Why application security is so important to modern software
• Application security tools you can use throughout the development lifecycle
• Creating threat models
• Rating discovered risks
• Gap analysis on security tools
• Mitigating web application vulnerabilities
• Creating a DevSecOps pipeline
• Application security as a service model
• Reporting structures that highlight the value of application security
• Creating a software security ecosystem that benefits development
• Setting up your program for continuous improvement
The Application Security Program Handbook teaches you to implement a robust program of security throughout your development process. It goes well beyond the basics, detailing flexible security fundamentals that can adapt and evolve to new and emerging threats. Its service-oriented approach is perfectly suited to the fast pace of modern development. Your team will quickly switch from viewing security as a chore to an essential part of their daily work. Follow the expert advice in this guide and you’ll reliably deliver software that is free from security defects and critical vulnerabilities.
About the technology
Application security is much more than a protective layer bolted onto your code. Real security requires coordinating practices, people, tools, technology, and processes throughout the life cycle of a software product. This book provides a reproducible, step-by-step road map to building a successful application security program.
About the book
The Application Security Program Handbook delivers effective guidance on establishing and maturing a comprehensive software security plan. In it, you’ll master techniques for assessing your current application security, determining whether vendor tools are delivering what you need, and modeling risks and threats. As you go, you’ll learn both how to secure a software application end to end and also how to build a rock-solid process to keep it safe.
What's inside
• Application security tools for the whole development life cycle
• Finding and fixing web application vulnerabilities
• Creating a DevSecOps pipeline
• Setting up your security program for continuous improvement
About the reader
For software developers, architects, team leaders, and project managers.
About the author
Derek Fisher has been working in application security for over a decade, where he has seen numerous security successes and failures firsthand.
Author(s): Derek Fisher
Edition: 1
Publisher: Manning Publications
Year: 2022
Language: English
Commentary: Publisher's PDF
Pages: 296
City: Shelter Island, NY
Tags: DevOps; Security; Penetration Testing; Key Performance Indicators; Risk Assessment; Risk Management; Application Development; Vulnerability Scanning; Bug Bounty; Threat Models; Availability; DevSecOps; MITRE ATT&CK; Authentication; Confidentiality; Integrity; OWASP SAMM
Application Security Program Handbook
brief contents
contents
foreword
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A road map
Defining application security
Developing the application security program
Deliver and measure
liveBook discussion forum
about the author
about the cover illustration
Part 1: Defining application security
Chapter 1: Why do we need application security?
1.1 The role of an application security program
1.1.1 Software from concept to production
1.1.2 Where does application security fit?
1.2 The current state of application security
1.3 Why building security in is challenging
1.3.1 Trying to protect at runtime
1.3.2 Getting output from tools is not enough
1.3.3 Sifting signal from noise in security tools
1.4 Shifting right vs. shifting left in development
1.4.1 Shifting right in the development life cycle
1.4.2 Shifting right fails
1.4.3 Shifting left in the development life cycle
1.4.4 Shifting left fails
1.5 Is going left better than going right?
1.6 Application security needs you!
1.6.1 Democratizing application security
1.6.2 Users will be users
1.7 Examples of failing to secure the software
1.7.1 SolarWinds
1.7.2 Accellion
1.7.3 Fake software
Chapter 2: Defining the problem
2.1 The CIA triad
2.2 Confidentiality
2.2.1 Data protection policy
2.2.2 Data at rest
2.2.3 Applying encryption
2.2.4 Data in transit
2.2.5 Encryption prior to transmission
2.2.6 Data in use
2.2.7 Not so confidential
2.2.8 Do I even need this?
2.3 Availability
2.3.1 DoS and DDoS
2.3.2 Accidental outage
2.3.3 The role of ransomware
2.3.4 Casino betting offline
2.3.5 Health organizations are still fair game
2.3.6 Building in resiliency
2.4 Integrity
2.4.1 Integrity starts with access
2.4.2 The role of version control
2.4.3 Data validation
2.4.4 Data replication
2.4.5 Data checks
2.5 Authentication and authorization
2.5.1 Authentication
2.5.2 Authorization
2.6 Adversaries
2.6.1 Script kiddies
2.6.2 Insider
2.6.3 Cybercriminal
2.6.4 Hacktivist and terrorist
2.6.5 Advanced persistent threat
2.6.6 Why do we care?
2.7 Measuring risk
2.7.1 Remediate, mitigate, accept
2.7.2 Identify the risk
2.7.3 Estimating likelihood
2.7.4 Estimating impact
2.7.5 Risk severity
2.7.6 Risk example
2.7.7 Other methodologies
Chapter 3: Components of application security
3.1 Threat modeling
3.1.1 Basic threat modeling terminology
3.1.2 Manual threat modeling
3.1.3 Starting the manual process
3.1.4 Threat modeling with linking bank accounts
3.1.5 What to do with the found threats
3.1.6 Threat modeling using a tool
3.2 Security analysis tools
3.2.1 Static application security testing
3.2.2 Tools in the development environment
3.2.3 Dynamic application security testing
3.2.4 Software composition analysis
3.3 Penetration testing
3.4 Run-time protection tools
3.5 Vulnerability collection and prioritization
3.5.1 Integrating with defect tracking
3.5.2 Prioritizing vulnerabilities
3.5.3 Closing vulnerabilities
3.6 Bug bounty and vulnerability disclosure program
3.6.1 Vulnerability disclosure program
3.6.2 Bug bounty program
3.6.3 Third-party help with vulnerabilities
3.7 Putting it together
Part 2: Developing the application security program
Chapter 4: Releasing secure code
4.1 Security in DevOps
4.1.1 DevOps pipelines
4.2 DevOps isn’t the only game in town
4.2.1 Waterfall
4.2.2 Agile
4.2.3 Lean
4.2.4 DevOps supports security better
4.2.5 DevSecOps example
4.3 Application security tooling in the pipeline
4.3.1 Threat modeling in DevSecOps
4.3.2 SAST in DevSecOps
4.3.3 DAST and IAST in DevSecOps
4.3.4 SCA in DevSecOps
4.3.5 Run-time protection in DevSecOps
4.3.6 Security orchestration
4.3.7 Security education
4.4 Feedback loop
Chapter 5: Security belongs to ever yone
5.1 Security is everyone’s problem
5.1.1 Structure of an application security team
5.1.2 Just hire more application security people
5.1.3 How to close the gap
5.2 Security education
5.2.1 Raising the security IQ
5.2.2 Microlearning and just-in-time training
5.2.3 It’s more than just training
5.3 Standards, requirements, and reference architecture
5.3.1 Creating and driving standards
5.3.2 Creating reference architecture
5.3.3 Bringing requirements into the organization
5.4 Maturity models
5.4.1 OWASP SAMM
5.4.2 Building Security in Maturity Model
5.4.3 Addressing your security immaturity
5.5 Decentralized application security
5.5.1 Security champions program
5.5.2 Leveraging the decentralized model
Chapter 6: Application security as a service
6.1 Managing risk during development
6.1.1 Defining and reducing risk
6.1.2 Define the application risk
6.1.3 Release-by-risk
6.2 Enablement instead of gates
6.2.1 Automate the release-by-risk
6.2.2 Removing the barriers by adding guardrails
6.3 Bridging engineering and security through services
6.3.1 The application security-as-a-service ecosystem
6.3.2 Services requested through tickets
6.3.3 Ambient application security
Part 3: Deliver and measure
Chapter 7: Building a roadmap
7.1 Getting the current security posture
7.1.1 Going on tour
7.1.2 What tools exist?
7.1.3 What vulnerabilities do you have?
7.1.4 What additional information is available?
7.2 Understanding the organization’s security goals
7.2.1 The organization’s goals
7.2.2 The application security goals
7.2.3 Aligning the business and security goals
7.3 Identifying the gaps
7.3.1 Finding the immediate gaps
7.3.2 Input into the gap analysis
7.3.3 What to do with the gap analysis
7.4 Sample application security roadmap
7.4.1 Secure engineering education
7.4.2 Educating the application security team
7.4.3 Application security tools roadmap
7.4.4 Aligning engineering and security roadmaps
7.4.5 Building for the future
Chapter 8: Measuring success
8.1 What to measure
8.1.1 Measuring the effectiveness of your tools
8.1.2 Tuning the tools based on feedback
8.1.3 Measuring the effectiveness of your processes
8.1.4 Measuring the mean time to remediate
8.1.5 Optimizing the mean time to remediate
8.2 Gathering effectiveness with KPIs
8.2.1 Building the KPIs
8.2.2 Setting KPI targets
8.2.3 Driving change based on KPIs
8.3 Getting feedback
8.3.1 Getting feedback from conversations
8.3.2 Getting feedback from surveys
8.4 Security scorecard
8.4.1 Preparing for the scorecard
8.4.2 Weighting the scores for the scorecard
8.4.3 Creating the scorecard
Chapter 9: Continuously improving the program
9.1 Keeping ahead of the attacker
9.1.1 MITRE ATT&CK
9.1.2 Cyber Kill Chain
9.2 Threat catalogs
9.2.1 Applying the OWASP Top Ten
9.2.2 Applying the MITRE CWE Top 25
9.3 Staying ahead of engineering
9.3.1 Keeping up with the coding languages
9.3.2 Keeping up with the technology changes
9.3.3 When hiring and training aren’t enough
9.4 Stop chasing the shiny new tool
9.4.1 Use a capability matrix
9.4.2 Managing the tool and vendor
9.4.3 Buy the shiny new tool
9.5 Preparing for the worst
appendix: Answers to exercises
Chapter 1
EXERCISE 1.1
EXERCISE 1.2
EXERCISE 1.3
Chapter 2
EXERCISE 2.1
EXERCISE 2.2
Chapter 3
EXERCISE 3.1
EXERCISE 3.2
EXERCISE 3.3
EXERCISE 3.4
Chapter 5
EXERCISE 5.1
EXERCISE 5.2
EXERCISE 5.3
Chapter 6
EXERCISE 6.1
EXERCISE 6.2
Chapter 7
EXERCISE 7.1
Chapter 8
EXERCISE 8.1
EXERCISE 8.2
EXERCISE 8.3
index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
V
W
X
