Alice and Bob Learn Secure Coding
"Tanya's book on Secure Coding is a brilliant example of what makes her a great expert and teacher. She takes complex material and makes it human, using clear, direct, and conversational language that sets it apart from most other books on similar topics. Her direct style shows that rather than trying to look smart, she's actually teaching! The book is a welcome inhalation of pure knowledge."
—DANIEL MIESSLER, Founder of Unsupervised Learning

"Tanya is a master at breaking down complex technical topics and making them both easily understandable and fun! I wish this book existed when I was first learning cybersecurity, as it's an excellent resource for security fundamentals and principles, important key tips for the most popular programming languages and frameworks, and how to follow a Secure System Development Life Cycle, along with tons of fun anecdotes and examples. Highly recommended for anyone who wants to rapidly learn a ton about secure coding from an industry veteran."
—CLINT GIBLER, Head of Security Research at Semgrep and Founder of tl;dr sec

"This book is hands-down one of the best resources out there for learning how to write secure code. The author has an incredible talent for breaking down tough security concepts and making them approachable without watering down the details. Each topic is presented in a way that feels thoughtful and intentional, and the examples are where the magic happens—they're clear, relatable, and most importantly, actionable. These aren't just 'nice-to-see' examples; they're the kind of scenarios you'll encounter in real projects, and they teach you exactly how to handle them securely. What sets this book apart is its ability to cater to everyone, from beginners who are just getting their feet wet to experienced professionals looking to level up their skills. It doesn't just teach secure coding—it teaches you how to think about security as part of your coding process, which is invaluable in today's tech landscape. If you've ever struggled to find a resource that connects the dots between theory and practical application, this book does that effortlessly. It's not just about writing code; it's about writing smart, secure code that stands the test of time. Whether you're a developer, a security enthusiast, or just someone who wants to get security right, this book is a must-have. Honestly, it's not just a read—it's a game-changer."
—VANDANA VERMA, Security Relations Leader, Founder of InfoSec Girls & InfoSec Kids, OWASP BoD and Leader

"If you're interested in learning about secure coding, this book is for you. Computer science student? Professional software engineer? Product manager for a software product? Executive at a software manufacturer? This is a book you will definitely want to read. Tanya's approach is refreshingly accessible and direct. She immediately addresses popular languages and frameworks before taking an in-depth approach to secure coding practices as they apply to each and every phase in the software development lifecycle. This book is your authoritative guide to secure coding. Learn and enjoy!"
—CAROLINE WONG, Author & Cybersecurity Expert Practitioner

"Tanya Janca's latest book is a must-read for developers looking to enhance their secure coding practices. By leading step-by-step and referencing real-world examples, she not only helps developers write stronger, more resilient code but also empowers them to lead by example. This book makes it clear how simple, intentional changes can dramatically reduce vulnerabilities and make it much harder for bad actors to exploit your work."
—GARY PERKINS, CISO

"Alice and Bob Learn Secure Coding is almost as good as having Tanya in your office, chatting with you about application security concepts and details. You'll have a great time reading this book and will learn a lot along the way."
—ADAM SHOSTACK, Security Trainer, Author, Speaker, Threat Modeling expert

"In all matters Security, trust is earned, not given. In this book, Tanya solidifies the trust she earned in her first book, Alice and Bob Learn Application Security, this time as a source of Secure Coding wisdom and knowledge. Teams will be well served from learning the adventures of Alice and Bob as they journey towards more secure code!"
—IZAR TARANDACH, author of Threat Modeling: A Practical Guide for Development Teams

"I love how the author gives the big picture and context to secure coding, so the readers can be like Alice and Bob who are also learning the approach, the architecture, the framework, and the right mindset!"
—YABING WANG, VP & CISO, Justworks

"Want to stand out and take your software engineering career to the next level? You'll need to go beyond simply 'making it work' and learn how to write high-quality and secure code. Fortunately, Tanya's unique skill and commitment to breaking down complex information, without sacrificing rich, detailed technical content, will make it easy for you to get started. This is a fantastic book for any software engineer to learn not just why, but HOW to write secure software, a skill that's much desired and highly valued in today's turbulent high-tech world."
—DUSTIN LEHR, Co-founder, CPTO of Katilyst Security, Founder of Let's talk Software Security, and author of the Security Champion Program Success Guide

"I remember attending a working session that Tanya was providing at a conference several years ago. The session was not only technical but included levity and storytelling. This book is an extension of that effective method of teaching and brings the full range of techniques, tools, and processes that are needed to build secure systems. This book is a must-have for anyone who is building or maintaining a secure system."
—DEREK FISHER, Founder, Securely Built

"This book is a modern equivalent of the pragmatic programmer for secure programming, taking you all the way from beginner to journeyman secure developer. It even has Tanya's own tales from the trenches."
—SHANE MURNION, Application Security Specialist

"If you want simple, easy to follow guidance about secure coding, from a verified authority on the subject, this book is for you."
—TED HARRINGTON, #1 bestselling author, co-founder of both IoT Village and StartVRM, and Executive Partner at ISE

"From a CISO's perspective, Alice and Bob Learn Secure Coding is more than just a book—it's a strategic tool for embedding security into the organizational culture and aligning security with value-driven FinOps principles. Like Tanya's other books, this drives transformation, enabling teams to move from reactive to proactive security. It underscores a critical truth: the earlier vulnerabilities are identified and fixed in the development lifecycle, the cheaper and more efficient it is to address them, saving time, conserving resources, and significantly reducing risk. This proactive approach not only mitigates threats but also significantly increases asset value. After all, secure and reliable code is the foundation for every stable system."
—RAJAT RAVINDER VARUNI, CISO, SuccessKPI

"Tanya Janca's Alice and Bob Learn Secure Coding is an absolute triumph of technical writing. Building on the charm and accessibility of her first book, Tanya dives deeper into the world of secure coding, tackling one of the most pressing challenges in software development today. What sets this book apart is Tanya's ability to balance technical depth with an engaging and light-hearted tone, making complex concepts approachable for readers across all skill levels. This book is packed with actionable insights, from detailed explanations of common vulnerabilities to practical strategies for avoiding them. Yet, it never feels overwhelming. Tanya's narrative style—peppered with humor and real-world analogies—keeps the subject matter fresh and enjoyable. It's rare to find a technical book that's as fun to read as informative, but Tanya achieves this effortlessly. For seasoned professionals, Alice and Bob Learn Secure Coding offers a comprehensive refresher and new perspectives on evolving threats and solutions. For newcomers, it's a masterclass in the fundamentals of secure coding, presented in a way that's both digestible and inspiring. The book's structure ensures readers can easily navigate and revisit topics as needed, making it a valuable reference for years. In short, this is a must-read for anyone who writes code or works in application security. Tanya Janca has once again proven why she's at the forefront of the industry. Alice and Bob Learn Secure Coding is not just a book—it's an investment in better, safer software for everyone."
—FRANCESCO CIPOLLONE, CEO & Founder @ Phoenix Security

"Tanya Janca has written a second book in her poignant and informative Alice and Bob series. This time the dynamic duo is learning secure coding. And like its predecessor, there is much wisdom to glean and stuff to learn from her years of experience. This is not the kind of book that you start at the first chapter and read it all the way through. You are going to want to use it as a study guide, to fill in the gaps in your knowledge about secure coding practice and methods. Like her earlier book, she won't divulge much about specific vendor tools, but something more important: how to use the application development platforms and tools to make you a better programmer and one that can identify and fix coding errors before some hacker takes advantage of your mistakes and messes up your workday by compromising your systems and stealing your data. Each chapter ends with a series of exercises to test your retention of what she explains and highlights some common misconceptions of the content. Some of them reflect her wicked sense of humor — such as 'how often should you authenticate to an SSO — only once, unless you have done a really bad job!' And each section has an end-of-section summary about best practices. If many of them are unfamiliar to you, then take the time to read those chapters and take careful notes about how you can implement her suggestions. Indeed, a good way to browse this book is to carefully read these summaries and see if you need to bone up on these techniques. Like the first book in this series, I highly recommend this one for both beginners and experienced coders alike."
—DAVID STROM, freelance writer and author of two computer books and thousands of magazine articles about technology

"Tanya ensures the book delivers exceptional value for software developers across experience levels, from students to seasoned engineers. Its methodical approach to secure coding fundamentals, combined with language-specific implementations, makes it particularly valuable for: The book's greatest strength lies in bridging theoretical security concepts with practical development scenarios. While more comprehensive code examples would enhance its utility, the current content provides a solid foundation for secure coding practices. Highly recommended for software engineering teams and computer science programs looking to establish robust security mindsets."
—NIELET D'MELLO, Security Engineer
"Tanya's Alice and Bob Learn Secure Coding will give you a head start on learning about secure coding practices. It covers all the fundamentals a developer needs to know. Practicing the information in this book will allow you to start developing the experience needed to become a secure coder. I go over all this stuff with my devs."
—RAY LEBLANC, Application Security Architect & Engineer
Tanya Janca (Author)
9781394171705, Wiley
Paperback / softback, published 13 February 2025
416 pages
22.9 x 18 x 1.5 cm, 0.59 kg
Unlock the power of secure coding with this straightforward and approachable guide! Discover a game-changing resource that caters to developers of all levels with Alice and Bob Learn Secure Coding. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as Angular, .NET, and React. Uncover the secrets to combatting vulnerabilities by securing your code from the ground up!

Topics include:

Alice and Bob Learn Secure Coding illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within. Don't miss this opportunity to strengthen your knowledge; let Alice and Bob guide you to a secure and successful coding future.
Alice and Bob Learn Secure Coding is designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals. Immerse yourself in practical examples and concrete applications that will deepen your understanding and retention of critical security principles.
Table of Contents

Foreword xxvii
Introduction xxix

Part I General Advice 1

Chapter 1 Introductory Security Fundamentals 3
  Assume All Other Systems and Data Are Insecure 3
  The CIA Triad 4
  Least Privilege 6
  Secure Defaults/Paved Roads 8
  Assume Breach / Plan For Failure 9
  Zero Trust 9
  Defense in Depth 10
  Supply Chain Security 10
  Security by Obscurity 11
  Attack Surface Reduction 11
  Usable Security 12
  Fail Closed/Safe, Then Roll Back 12
  Compliance, Laws, and Regulations 12
  Security Frameworks 14
  Learning from Mistakes and Sharing Those Lessons 16
  Backward Compatibility (and Potential Risks It Introduces) 16
  Threat Modeling 16
  The Difficulty of Patching 17
  Retesting Fixes for New Security Bugs 18
  Chapter Exercises 19

Chapter 2 Beginning 21
  Follow a Secure System Development Life Cycle 21
  Use a Modern Framework and All Available Security Features Within 22
  Input Validation 23
  Output Encoding 26
    Examples of Output Encoding 27
    HTML Context 28
    JavaScript Context 28
  Parameterized Queries and ORMs 29
  Authentication and Identity 31
  Authorization and Access Control 32
    Access Control Models 33
    Logical Access Control Methods (Implementation) 34
  Session Management 34
  Secret Management 35
  Password Management 37
  Communication Security (Cryptography and HTTPS Only) 39
  Protecting Sensitive Data 40
  Security Headers 43
    New Security Header Features 43
      Fetch Metadata Request Headers 43
      Content Security Policy Header 44
      Strict-Dynamic 44
      Trusted-Types 44
    Security Headers Previously Covered 44
      Content-Security-Policy Header 45
      HTTP Strict-Transport-Security 45
      X-Frame-Options 45
      X-Content-Type-Options 45
      Permissions Policy 46
      Expect-CT 46
      Referrer-Policy 46
      Public Key Pinning Extension for HTTP (HPKP) 46
      X-XSS-Protection 46
    More New Headers 46
      Same-Origin Policy 47
      COEP: Cross-Origin Embedder Policy 47
      COOP: Cross-Origin Opener Policy 48
      CORP: Cross-Origin Resource Policy 48
      CORS: Cross-Origin Resource Sharing 48
      CORB: Cross-Origin Read Blocking 49
  Secure Cookies 50
  Error Handling 51
  Chapter Exercises 52

Chapter 3 Improving 55
  Database Security 56
    Four Perspectives for Protecting Databases 56
  File Management 59
    File Uploads 61
  Your Source Code 62
  Memory Management (Buffer, Stack, String, and Integer Overflows) 63
    How Do We Avoid Overflows? 64
  (De)Serialization 66
  Privacy (User/Citizen/Customer/Employee) 67
  Errors 69
  Logging, Monitoring, and Alerting 72
  Fail Closed 73
  Locking Resources 73
  Enabling Password Managers 74
  Cryptographic Practices 75
  Strongly Typed Languages 76
    Strongly Typed Languages 76
    Weakly Typed Programming Languages 77
  Domain-Driven Development 78
  Memory-Safe Languages 79
  Chapter Exercises 80

Chapter 4 Achieving 81
  Secure Design 82
    How much is "enough" (design) security? 84
  Dependency Management and Supply Chain Security 85
    Dependency Security 86
    Checking If Dependencies Are Safe to Use 87
    Supply Chain Security 87
  Secure Defaults 90
    Secure Defaults for Users 90
    Secure Defaults for Developers 92
  Readable and Auditable Code 93
  Important Functions Happen on Trusted Systems 96
    What Is an "Untrusted" System? 96
    What Are "Important Functions"? 97
    Putting It Together 97
  Allowlists versus Blocklists 97
    Why Are Block Lists Bad? 98
    How Do We Create an Allowlist? 98
  Secure Configurations 99
  Hostname Validation 100
  Reusable Code 100
  Safe System Calls 102
  Mitigating Circumstances 102
  Commenting and Other Documentation 102
    Comments 103
    Documentation 104
  Verification of User Consent 106
  Integrity Checks, Code Signing, and Immutable Builds 107
    Immutable Builds 108
  Avoiding Brute Force 109
  Security Controls 110
  Handling Elevated Privileges 111
  Security Maintenance 112
  Repaying Technical Debt 113
  Chapter Exercises 114

Summary of Part I 117
  Checklist of General Secure Coding Advice 117

Part II Specific Advice 125

Chapter 5 Technology-Specific 127
  API Security Best Practices 127
  Mobile Application Security Best Practices 134
  WebSocket Security Best Practices 137
  Serverless Security Best Practices 138
  IoT Security Best Practices 140
  Chapter Exercises 141

Chapter 6 Popular Programming Languages 143
  JavaScript 143
  HTML/CSS 148
    HTML5, Specifically 149
  Python 151
  SQL 154
  Node.js 157
  Java 160
    Serialization in Java 164
  TypeScript 165
  C# 166
  PHP 170
  C/C++ 175
  Conclusion 178
  Chapter Exercises 179

Chapter 7 Popular Frameworks 181
  Web and JavaScript 181
    Express 182
    React.js 184
    Angular 186
    jQuery 190
    Vue.js 192
    Other Frameworks and Libraries 194
  .NET (Core) 194
  Ruby on Rails 199
  Spring and Spring Boot 204
  Flask 207
  Chapter Exercises 210

Chapter 8 Vulnerability Categories 211
  Design Flaws / Logic Flaws 212
    How Does This Happen? 213
    The Risk 213
    Prevention 214
  Code Bugs / Implementation Errors 215
    How Does This Happen? 215
    The Risk 215
    Prevention 215
  Overflows and Other Memory Issues 216
    Overflows 216
    Buffer Overreads 217
    Invalid Page Faults 217
    Use After Free 218
    Uninitialized Variables 218
    Memory Leaks 218
    How Does This Happen? 219
    The Risk 219
    Prevention 219
  Injection: Interpreter and Compiler Issues 220
    How Does This Happen? 221
    The Risk 221
    Prevention 221
  Input Issues 222
    How Does This Happen? 223
    The Risk 223
    Prevention 223
  Authentication and Identity Issues 223
    How Does This Happen? 224
    The Risk 224
    Prevention 224
  Authorization and Access Issues 225
    How Does This Happen? 225
  Configuration and Implementation Issues 225
    How Does This Happen? 226
    The Risk 226
    Prevention 226
  Fraudulent Transactions 227
    How Does This Happen? 227
    The Risk 227
    Prevention 228
  Replay Attacks 228
    How Does This Happen? 228
    The Risk 229
    Prevention 229
  Crossing Trust Boundaries 229
    How Does This Happen? 230
    The Risk 230
    Prevention 230
  File Handling Issues 230
    How Does This Happen? 231
    The Risk 231
    Prevention 231
  Object Handling Issues 232
    Prominent Features of OOP 232
    Deserialization and Other Object Handling Issues 234
    How Does This Happen? 234
    The Risk 234
    Prevention 234
  Secrets Management Issues 235
    How Does This Happen? 236
    The Risk 236
    Prevention 236
  Race Conditions and Timing Issues 237
    How Does This Happen? 237
    The Risk 238
    Prevention 238
  Resource Issues 240
    How Does This Happen? 240
    The Risk 241
    Prevention 241
  Falling into an Unknown State 241
    How Does This Happen? 242
    The Risk 242
    Prevention 242
  Chapter Exercises 243

Summary of Part II 245
  Checklist of Technology-Specific Secure Coding Advice 245
  Checklist of Secure Coding Advice for Languages and Frameworks 246
  Summary of Vulnerability Issues to Watch For 248

Part III Secure System Development Life Cycle 251

Chapter 9 Requirements 253
  Project Kick-Off: Outline of Your Project's Security Activities 253
  Project Scheduling and Planning 254
  Security Requirements 255
  Chapter Exercises 257

Chapter 10 Design 259
  Threat Modeling 260
  Secure Design Patterns and Concepts 262
  Architecture Whiteboarding 263
  Examining Data Flows 263
  Security User Stories 264
  Chapter Exercises 265

Chapter 11 Coding 267
  Training 267
    Organizations 269
    Individuals 270
  Code Review 270
  First- and Second-Generation Static Analysis Tools 271
  Secure Guardrails 272
  IDE Plugins and Other Guidance 273
  Verifying That Your Dependencies Are Safe (SCA) 274
    How Do You Decide Which Dependencies Are Worth Updating or Changing? 274
  Finding and Managing Secrets 275
  Dynamic Testing (DAST) 276
  Chapter Exercises 278

Chapter 12 Testing 279
  Test Coverage and Timing 280
    Depth Versus Coverage 281
    Scanning Your Infrastructure 281
    Production or Lower-Level Environments 281
    Scoping 282
    Timing 282
  Manual Testing 284
  Automated Testing 286
  Fuzzing 287
  Interactive Application Security Testing (IAST) 288
  Bug Bounty Programs 289
  Test Results 290
    Actioning Test Results 291
  Final Thoughts 293
  Chapter Exercises 293

Chapter 13 Release/Deployment 295
  Security Events Within the CI/CD 296
    Breaking the Build 297
    Secret Scanning 298
    Static Analysis 298
    Dynamic Analysis 298
    Software Composition Analysis 299
    Linting 299
    Infrastructure as Code Scanners 299
  Securing the CI/CD Pipeline Itself 299
  Assuring the Integrity of Your Release 302
  Security Release Approval 303
  Chapter Exercises 304

Chapter 14 Maintenance 305
  Monitoring, Alerting, and Observability 306
  Blocking/Shielding 308
    Web Application Firewalls (WAFs) 309
    Content Delivery Networks (CDNs) 309
    Runtime Application Self-Protection (RASP) 310
    Virtual Patching 310
    API Gateways 310
  A Special Note for Data Scientists 311
  Continuous Testing 312
  Security Incidents 313
  Business Continuity and Disaster Recovery Planning 315
  Chapter Exercises 317

Chapter 15 Conclusion 319
  Good Habits 319
  Your Responsibility 322
  How Much Is Enough? 323
  Using Artificial Intelligence Safely 325
  Continuous Learning 327
  Becoming a Champion 328
  Getting Others on Board 330
  Transitioning onto the Security Team 330
  Applying for Security Jobs Outside of Your Organization 331
  Conclusion 335

Summary of Part III 339
  Checklist of Security Activities for Each Phase of the SDLC 339

Appendix A Resources 343
  Chapter 1: Introductory Security Fundamentals 343
  Chapter 2: Beginning 344
  Chapter 3: Improving 345
  Chapter 4: Achieving 347
  Chapter 5: Technology-Specific 349
  Chapter 6: Popular Programming Languages 351
  Chapter 7: Popular Frameworks 355
  Chapter 8: Vulnerability Categories 357
  Chapter 10: Design 359
  Chapter 11: Coding 359
  Chapter 12: Testing 359
  Chapter 13: Release/Deployment 360
  Chapter 14: Maintenance 360

Appendix B Answer Keys 361
  Chapter 1: Introductory Security Fundamentals 361
  Chapter 2: Beginning 363
  Chapter 3: Improving 364
  Chapter 4: Achieving 365
  Chapter 5: Technology-Specific 368
  Chapter 8: Vulnerability Categories 370
  Chapter 9: Requirements 371
  Chapter 11: Coding 372
  Chapter 12: Testing 373
  Chapter 13: Release/Deployment 374
  Chapter 14: Maintenance 375

Index 377
Subject Areas: Computer science [UY]
