{"product_id":"alice-and-bob-learn-secure-coding-paperback-softback-9781394171705","title":"Alice and Bob Learn Secure Coding (Paperback \/ softback) 9781394171705","description":"\u003cfont face=\"Georgia\"\u003e\r\n\u003cp\u003e\u003cfont size=\"6\"\u003eAlice and Bob Learn Secure Coding\u003c\/font\u003e\u003cbr\u003e\r\n\r\n\r\n\u003c\/p\u003e\n\u003cp\u003e\u003cem\u003e\u003cp\u003e\"Tanya's book on Secure Coding is a brilliant example of what makes her a great expert and teacher. She takes complex material and makes it human, using clear, direct, and conversational language that sets it apart from most other books on similar topics. Her direct style shows that rather than trying to look smart, she's actually teaching! The book is a welcome inhalation of pure knowledge.\"\u003cbr\u003e—\u003cb\u003eDANIEL MIESSLER, Founder of Unsupervised Learning\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Tanya is a master at breaking down complex technical topics and making them both easily understandable and fun! I wish this book existed when I was first learning cybersecurity, as it's an excellent resource for security fundamentals and principles, important key tips for the most popular programming languages and frameworks, and how to follow a Secure System Development Life Cycle, along with tons of fun anecdotes and examples. Highly recommended for anyone who wants to rapidly learn a ton about secure coding from an industry veteran.\"\u003cbr\u003e—\u003cb\u003eCLINT GIBLER, Head of Security Research at Semgrep and Founder of tl;dr sec\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"This book is hands-down one of the best resources out there for learning how to write secure code. The author has an incredible talent for breaking down tough security concepts and making them approachable without watering down the details. 
Each topic is presented in a way that feels thoughtful and intentional, and the examples are where the magic happens—they're clear, relatable, and most importantly, actionable. These aren't just 'nice-to-see' examples; they're the kind of scenarios you'll encounter in real projects, and they teach you exactly how to handle them securely.\u003c\/p\u003e \u003cp\u003eWhat sets this book apart is its ability to cater to everyone, from beginners who are just getting their feet wet to experienced professionals looking to level up their skills. It doesn't just teach secure coding—it teaches you how to think about security as part of your coding process, which is invaluable in today's tech landscape.\u003c\/p\u003e \u003cp\u003eIf you've ever struggled to find a resource that connects the dots between theory and practical application, this book does that effortlessly. It's not just about writing code; it's about writing smart, secure code that stands the test of time. Whether you're a developer, a security enthusiast, or just someone who wants to get security right, this book is a must-have. Honestly, it's not just a read—it's a game-changer.\"\u003cbr\u003e—\u003cb\u003eVANDANA VERMA, Security Relations Leader, Founder of InfoSec Girls \u0026amp; InfoSec Kids, OWASP BoD and Leader\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"If you're interested in learning about secure coding, this book is for you. Computer science student? Professional software engineer? Product manager for a software product? Executive at a software manufacturer? This is a book you will definitely want to read. Tanya's approach is refreshingly accessible and direct. She immediately addresses popular languages and frameworks before taking an in-depth approach to secure coding practices as they apply to each and every phase in the software development lifecycle. This book is your authoritative guide to secure coding. 
Learn and enjoy!\"\u003cbr\u003e—\u003cb\u003eCAROLINE WONG, Author \u0026amp; Cybersecurity Expert Practitioner\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Tanya Janca's latest book is a must-read for developers looking to enhance their secure coding practices. By leading step-by-step and referencing real-world examples, she not only helps developers write stronger, more resilient code but also empowers them to lead by example. This book makes it clear how simple, intentional changes can dramatically reduce vulnerabilities and make it much harder for bad actors to exploit your work.\"\u003cbr\u003e—\u003cb\u003eGARY PERKINS, CISO\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"\u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e is almost as good as having Tanya in your office, chatting with you about application security concepts and details. You'll have a great time reading this book and will learn a lot along the way.\"\u003cbr\u003e—\u003cb\u003eADAM SHOSTACK, Security Trainer, Author, Speaker, Threat Modeling expert\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"In all matters Security, trust is earned, not given. In this book, Tanya solidifies the trust she earned in her first book, \u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e, this time as a source of Secure Coding wisdom and knowledge. 
Teams will be well served from learning the adventures of Alice and Bob as they journey towards more secure code!\"\u003cbr\u003e—\u003cb\u003eIZAR TARANDACH, author of \u003ci\u003eThreat Modeling: A Practical Guide for Development Teams\u003c\/i\u003e\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"I love how the author gives the big picture and context to secure coding, so the readers can be like Alice and Bob who are also learning the approach, the architecture, the framework, and the right mindset!\"\u003cbr\u003e—\u003cb\u003eYABING WANG, VP \u0026amp; CISO, Justworks\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Want to stand out and take your software engineering career to the next level? You'll need to go beyond simply 'making it work' and learn how to write high-quality and secure code. Fortunately, Tanya's unique skill and commitment to breaking down complex information, without sacrificing rich, detailed technical content, will make it easy for you to get started.  This is a fantastic book for any software engineer to learn not just why, but HOW to write secure software, a skill that's much desired and highly valued in today's turbulent high-tech world.\"\u003cbr\u003e—\u003cb\u003eDUSTIN LEHR, Co-founder, CPTO of Katilyst Security, Founder of Let's talk Software Security, and author of the \u003ci\u003eSecurity Champion Program Success Guide\u003c\/i\u003e\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"I remember attending a working session that Tanya was providing at a conference several years ago. The session was not only technical but included levity and storytelling. This book is an extension of that effective method of teaching and brings the full range of techniques, tools, and processes that are needed to build secure systems. 
This book is a must-have for anyone who is building or maintaining a secure system.\"\u003cbr\u003e—\u003cb\u003eDEREK FISHER, Founder, Securely Built\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"This book is a modern equivalent of \u003ci\u003eThe Pragmatic Programmer\u003c\/i\u003e for secure programming, taking you all the way from beginner to journeyman secure developer. It even has Tanya's own tales from the trenches.\"\u003cbr\u003e—\u003cb\u003eSHANE MURNION, Application Security Specialist\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"If you want simple, easy-to-follow guidance about secure coding, from a verified authority on the subject, this book is for you.\"\u003cbr\u003e—\u003cb\u003eTED HARRINGTON, #1 bestselling author, co-founder of both IoT Village and StartVRM, and Executive Partner at ISE\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"From a CISO's perspective, \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e is more than just a book—it's a strategic tool for embedding security into the organizational culture and aligning security with value-driven FinOps principles.\u003c\/p\u003e \u003cp\u003eLike Tanya's other books, this drives transformation, enabling teams to move from reactive to proactive security. It underscores a critical truth: the earlier vulnerabilities are identified and fixed in the development lifecycle, the cheaper and more efficient it is to address them, saving time, conserving resources, and significantly reducing risk.\u003c\/p\u003e \u003cp\u003eThis proactive approach not only mitigates threats but also significantly increases asset value. After all, secure and reliable code is the foundation for every stable system.\"\u003cbr\u003e—\u003cb\u003eRAJAT RAVINDER VARUNI, CISO, SuccessKPI\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Tanya Janca's \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e is an absolute triumph of technical writing. 
Building on the charm and accessibility of her first book, Tanya dives deeper into the world of secure coding, tackling one of the most pressing challenges in software development today. What sets this book apart is Tanya's ability to balance technical depth with an engaging and light-hearted tone, making complex concepts approachable for readers across all skill levels.\u003c\/p\u003e \u003cp\u003eThis book is packed with actionable insights, from detailed explanations of common vulnerabilities to practical strategies for avoiding them. Yet, it never feels overwhelming. Tanya's narrative style—peppered with humor and real-world analogies—keeps the subject matter fresh and enjoyable. It's rare to find a technical book that's as fun to read as informative, but Tanya achieves this effortlessly.\u003c\/p\u003e \u003cp\u003eFor seasoned professionals, \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e offers a comprehensive refresher and new perspectives on evolving threats and solutions. For newcomers, it's a masterclass in the fundamentals of secure coding, presented in a way that's both digestible and inspiring. The book's structure ensures readers can easily navigate and revisit topics as needed, making it a valuable reference for years.\u003c\/p\u003e \u003cp\u003eIn short, this is a must-read for anyone who writes code or works in application security. Tanya Janca has once again proven why she's at the forefront of the industry. \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e is not just a book—it's an investment in better, safer software for everyone.\"\u003cbr\u003e—\u003cb\u003eFRANCESCO CIPOLLONE, CEO \u0026amp; Founder @ Phoenix Security\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Tanya Janca has written a second book in her poignant and informative \u003ci\u003eAlice and Bob\u003c\/i\u003e series. This time the dynamic duo is learning secure coding. 
And like its predecessor, there is much wisdom to glean and stuff to learn from her years of experience.\u003c\/p\u003e \u003cp\u003eThis is not the kind of book that you start at the first chapter and read all the way through. You are going to want to use it as a study guide, to fill in the gaps in your knowledge about secure coding practice and methods. Like her earlier book, she won't divulge much about specific vendor tools, but something more important: how to use the application development platforms and tools to make you a better programmer and one that can identify and fix coding errors before some hacker takes advantage of your mistakes and messes up your workday by compromising your systems and stealing your data.\u003c\/p\u003e \u003cp\u003eEach chapter ends with a series of exercises to test your retention of what she explains and highlights some common misconceptions of the content. Some of them reflect her wicked sense of humor — such as 'how often should you authenticate to an SSO — only once, unless you have done a really bad job!'\u003c\/p\u003e \u003cp\u003eAnd each section has an end-of-section summary about best practices. If many of them are unfamiliar to you, then take the time to read those chapters and take careful notes about how you can implement her suggestions. Indeed, a good way to browse this book is to carefully read these summaries and see if you need to bone up on these techniques.\u003c\/p\u003e \u003cp\u003eLike the first book in this series, I highly recommend this one for both beginners and experienced coders alike.\"\u003cbr\u003e—\u003cb\u003eDAVID STROM, freelance writer and author of two computer books and thousands of magazine articles about technology\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\"Tanya ensures the book delivers exceptional value for software developers across experience levels, from students to seasoned engineers. 
Its methodical approach to secure coding fundamentals, combined with language-specific implementations, makes it particularly valuable for:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eEarly-career developers building security-first practices\u003c\/li\u003e \u003cli\u003eExperienced engineers transitioning to security-focused roles\u003c\/li\u003e \u003cli\u003eTechnical leads implementing secure development practices across teams\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eThe book's greatest strength lies in bridging theoretical security concepts with practical development scenarios. While more comprehensive code examples would enhance its utility, the current content provides a solid foundation for secure coding practices. Highly recommended for software engineering teams and computer science programs looking to establish robust security mindsets.\"\u003cbr\u003e—\u003cb\u003eNIELET D'MELLO, Security Engineer\u003cbr\u003e\u003cbr\u003e\u003c\/b\u003e\"Tanya's \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e will give you a head start on learning about secure coding practices. It covers all the fundamentals a developer needs to know. Practicing the information in this book will allow you to start developing the experience needed to become a secure coder. 
I go over all this stuff with my devs.\"\u003cbr\u003e—\u003cb\u003eRAY LEBLANC, Application Security Architect \u0026amp; Engineer\u003c\/b\u003e\u003c\/p\u003e\u003c\/em\u003e\u003c\/p\u003e\r\n\r\n\r\n\u003cp\u003e\u003cfont size=\"4\"\u003eTanya Janca (Author)\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\u003cp\u003e\u003cfont size=\"3\"\u003e9781394171705, Wiley\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\u003cp\u003e\u003cfont size=\"3\"\u003ePaperback \/ softback, published 13 February 2025\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\u003cp\u003e\u003cfont size=\"3\"\u003e416 pages\u003cbr\u003e22.9 x 18 x 1.5 cm, 0.59 kg\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\r\n\r\n\r\n\r\n\u003cp align=\"justify\"\u003e\u003cstrong\u003e\u003cfont size=\"3\"\u003e\u003cp\u003e\u003cb\u003eUnlock the power of secure coding with this straightforward and approachable guide!\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDiscover a game-changing resource that caters to developers of all levels with \u003ci\u003eAlice and Bob Learn Secure Coding\u003c\/i\u003e. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as Angular, .Net, and React. 
Uncover the secrets to combating vulnerabilities by securing your code from the ground up!\u003c\/p\u003e \u003cp\u003eTopics include:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eSecure coding in Python, Java, JavaScript, C\/C++, SQL, C#, PHP, and more\u003c\/li\u003e \u003cli\u003eSecurity for popular frameworks, including Angular, Express, React, .Net, and Spring\u003c\/li\u003e \u003cli\u003eSecurity Best Practices for APIs, Mobile, WebSockets, Serverless, IoT, and Service Mesh\u003c\/li\u003e \u003cli\u003eMajor vulnerability categories, how they happen, the risks, and how to avoid them\u003c\/li\u003e \u003cli\u003eThe Secure System Development Life Cycle, in depth\u003c\/li\u003e \u003cli\u003eThreat modeling, testing, and code review\u003c\/li\u003e \u003cli\u003eThe agnostic fundamentals of creating secure code that apply to any language or framework\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\u003ci\u003eAlice and Bob Learn Secure Coding \u003c\/i\u003eis designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals. Immerse yourself in practical examples and concrete applications that will deepen your understanding and retention of critical security principles.\u003c\/p\u003e \u003cp\u003e\u003ci\u003eAlice and Bob Learn Secure Coding \u003c\/i\u003eillustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within. 
Don't miss this opportunity to strengthen your knowledge; let Alice and Bob guide you to a secure and successful coding future.\u003c\/p\u003e\u003c\/font\u003e\u003c\/strong\u003e\u003c\/p\u003e\r\n\r\n\u003cp\u003e\u003cfont size=\"3\"\u003e\u003cp\u003eForeword xxvii \u003c\/p\u003e \u003cp\u003eIntroduction xxix \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I General Advice 1\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Introductory Security Fundamentals 3\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eAssume All Other Systems and Data Are Insecure 3 \u003c\/p\u003e \u003cp\u003eThe CIA Triad 4 \u003c\/p\u003e \u003cp\u003eLeast Privilege 6 \u003c\/p\u003e \u003cp\u003eSecure Defaults\/Paved Roads 8 \u003c\/p\u003e \u003cp\u003eAssume Breach \/ Plan For Failure 9 \u003c\/p\u003e \u003cp\u003eZero Trust 9 \u003c\/p\u003e \u003cp\u003eDefense in Depth 10 \u003c\/p\u003e \u003cp\u003eSupply Chain Security 10 \u003c\/p\u003e \u003cp\u003eSecurity by Obscurity 11 \u003c\/p\u003e \u003cp\u003eAttack Surface Reduction 11 \u003c\/p\u003e \u003cp\u003eUsable Security 12 \u003c\/p\u003e \u003cp\u003eFail Closed\/Safe, Then Roll Back 12 \u003c\/p\u003e \u003cp\u003eCompliance, Laws, and Regulations 12 \u003c\/p\u003e \u003cp\u003eSecurity Frameworks 14 \u003c\/p\u003e \u003cp\u003eLearning from Mistakes and Sharing Those Lessons 16 \u003c\/p\u003e \u003cp\u003eBackward Compatibility (and Potential Risks It Introduces) 16 \u003c\/p\u003e \u003cp\u003eThreat Modeling 16 \u003c\/p\u003e \u003cp\u003eThe Difficulty of Patching 17 \u003c\/p\u003e \u003cp\u003eRetesting Fixes for New Security Bugs 18 \u003c\/p\u003e \u003cp\u003eChapter Exercises 19 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Beginning 21\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eFollow a Secure System Development Life Cycle 21 \u003c\/p\u003e \u003cp\u003eUse a Modern Framework and All Available Security Features Within 22 \u003c\/p\u003e \u003cp\u003eInput Validation 23 
\u003c\/p\u003e \u003cp\u003eOutput Encoding 26 \u003c\/p\u003e \u003cp\u003eExamples of Output Encoding 27 \u003c\/p\u003e \u003cp\u003eHTML Context 28 \u003c\/p\u003e \u003cp\u003eJavaScript Context 28 \u003c\/p\u003e \u003cp\u003eParameterized Queries and ORMs 29 \u003c\/p\u003e \u003cp\u003eAuthentication and Identity 31 \u003c\/p\u003e \u003cp\u003eAuthorization and Access Control 32 \u003c\/p\u003e \u003cp\u003eAccess Control Models 33 \u003c\/p\u003e \u003cp\u003eLogical Access Control Methods (Implementation) 34 \u003c\/p\u003e \u003cp\u003eSession Management 34 \u003c\/p\u003e \u003cp\u003eSecret Management 35  \u003c\/p\u003e \u003cp\u003ePassword Management 37 \u003c\/p\u003e \u003cp\u003eCommunication Security (Cryptography and HTTPS Only) 39 \u003c\/p\u003e \u003cp\u003eProtecting Sensitive Data 40 \u003c\/p\u003e \u003cp\u003eSecurity Headers 43 \u003c\/p\u003e \u003cp\u003eNew Security Header Features 43 \u003c\/p\u003e \u003cp\u003eFetch Metadata Request Headers 43 \u003c\/p\u003e \u003cp\u003eContent Security Policy Header 44 \u003c\/p\u003e \u003cp\u003eStrict-Dynamic 44 \u003c\/p\u003e \u003cp\u003eTrusted-Types 44 \u003c\/p\u003e \u003cp\u003eSecurity Headers Previously Covered 44 \u003c\/p\u003e \u003cp\u003eContent-Security-Policy Header 45 \u003c\/p\u003e \u003cp\u003eHTTP Strict-Transport-Security 45 \u003c\/p\u003e \u003cp\u003eX-Frame-Options 45 \u003c\/p\u003e \u003cp\u003eX-Content-Type-Options 45 \u003c\/p\u003e \u003cp\u003ePermissions Policy 46 \u003c\/p\u003e \u003cp\u003eExpect-CT 46 \u003c\/p\u003e \u003cp\u003eReferrer-Policy 46 \u003c\/p\u003e \u003cp\u003ePublic Key Pinning Extension for HTTP (HPKP) 46 \u003c\/p\u003e \u003cp\u003eX-XSS-Protection 46 \u003c\/p\u003e \u003cp\u003eMore New Headers 46 \u003c\/p\u003e \u003cp\u003eSame-Origin Policy 47 \u003c\/p\u003e \u003cp\u003eCOEP: Cross-Origin Embedder Policy 47 \u003c\/p\u003e \u003cp\u003eCOOP: Cross-Origin Opener Policy 48 \u003c\/p\u003e \u003cp\u003eCORP: Cross-Origin 
Resource Policy 48 \u003c\/p\u003e \u003cp\u003eCORS: Cross-Origin Resource Sharing 48 \u003c\/p\u003e \u003cp\u003eCORB: Cross-Origin Read Blocking 49 \u003c\/p\u003e \u003cp\u003eSecure Cookies 50 \u003c\/p\u003e \u003cp\u003eError Handling 51 \u003c\/p\u003e \u003cp\u003eChapter Exercises 52 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Improving 55\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eDatabase Security 56 \u003c\/p\u003e \u003cp\u003eFour Perspectives for Protecting Databases 56 \u003c\/p\u003e \u003cp\u003eFile Management 59 \u003c\/p\u003e \u003cp\u003eFile Uploads 61 \u003c\/p\u003e \u003cp\u003eYour Source Code 62 \u003c\/p\u003e \u003cp\u003eMemory Management (Buffer, Stack, String, and Integer Overflows) 63 \u003c\/p\u003e \u003cp\u003eHow Do We Avoid Overflows? 64 \u003c\/p\u003e \u003cp\u003e(De)Serialization 66 \u003c\/p\u003e \u003cp\u003ePrivacy (User\/Citizen\/Customer\/Employee) 67 \u003c\/p\u003e \u003cp\u003eErrors 69 \u003c\/p\u003e \u003cp\u003eLogging, Monitoring, and Alerting 72 \u003c\/p\u003e \u003cp\u003eFail Closed 73 \u003c\/p\u003e \u003cp\u003eLocking Resources 73 \u003c\/p\u003e \u003cp\u003eEnabling Password Managers 74 \u003c\/p\u003e \u003cp\u003eCryptographic Practices 75 \u003c\/p\u003e \u003cp\u003eStrongly Typed Languages 76 \u003c\/p\u003e \u003cp\u003eWeakly Typed Programming Languages 77 \u003c\/p\u003e \u003cp\u003eDomain-Driven Development 78 \u003c\/p\u003e \u003cp\u003eMemory-Safe Languages 79 \u003c\/p\u003e \u003cp\u003eChapter Exercises 80 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Achieving 81\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eSecure Design 82 \u003c\/p\u003e \u003cp\u003eHow Much Is “Enough” (Design) Security? 
84 \u003c\/p\u003e \u003cp\u003eDependency Management and Supply Chain Security 85 \u003c\/p\u003e \u003cp\u003eDependency Security 86 \u003c\/p\u003e \u003cp\u003eChecking If Dependencies Are Safe to Use 87 \u003c\/p\u003e \u003cp\u003eSupply Chain Security 87 \u003c\/p\u003e \u003cp\u003eSecure Defaults 90 \u003c\/p\u003e \u003cp\u003eSecure Defaults for Users 90 \u003c\/p\u003e \u003cp\u003eSecure Defaults for Developers 92 \u003c\/p\u003e \u003cp\u003eReadable and Auditable Code 93 \u003c\/p\u003e \u003cp\u003eImportant Functions Happen on Trusted Systems 96 \u003c\/p\u003e \u003cp\u003eWhat Is an “Untrusted” System? 96 \u003c\/p\u003e \u003cp\u003eWhat Are “Important Functions”? 97 \u003c\/p\u003e \u003cp\u003ePutting It Together 97 \u003c\/p\u003e \u003cp\u003eAllowlists versus Blocklists 97 \u003c\/p\u003e \u003cp\u003eWhy Are Block Lists Bad? 98 \u003c\/p\u003e \u003cp\u003eHow Do We Create an Allowlist? 98 \u003c\/p\u003e \u003cp\u003eSecure Configurations 99 \u003c\/p\u003e \u003cp\u003eHostname Validation 100 \u003c\/p\u003e \u003cp\u003eReusable Code 100 \u003c\/p\u003e \u003cp\u003eSafe System Calls 102 \u003c\/p\u003e \u003cp\u003eMitigating Circumstances 102 \u003c\/p\u003e \u003cp\u003eCommenting and Other Documentation 102 \u003c\/p\u003e \u003cp\u003eComments 103 \u003c\/p\u003e \u003cp\u003eDocumentation 104 \u003c\/p\u003e \u003cp\u003eVerification of User Consent 106 \u003c\/p\u003e \u003cp\u003eIntegrity Checks, Code Signing, and Immutable Builds 107 \u003c\/p\u003e \u003cp\u003eImmutable Builds 108 \u003c\/p\u003e \u003cp\u003eAvoiding Brute Force 109 \u003c\/p\u003e \u003cp\u003eSecurity Controls 110 \u003c\/p\u003e \u003cp\u003eHandling Elevated Privileges 111 \u003c\/p\u003e \u003cp\u003eSecurity Maintenance 112 \u003c\/p\u003e \u003cp\u003eRepaying Technical Debt 113 \u003c\/p\u003e \u003cp\u003eChapter Exercises 114 \u003c\/p\u003e \u003cp\u003eSummary of Part I 117 \u003c\/p\u003e \u003cp\u003eChecklist of General Secure Coding Advice 
117 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Specific Advice 125\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Technology-Specific 127\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eAPI Security Best Practices 127 \u003c\/p\u003e \u003cp\u003eMobile Application Security Best Practices 134 \u003c\/p\u003e \u003cp\u003eWebSocket Security Best Practices 137 \u003c\/p\u003e \u003cp\u003eServerless Security Best Practices 138 \u003c\/p\u003e \u003cp\u003eIoT Security Best Practices 140 \u003c\/p\u003e \u003cp\u003eChapter Exercises 141 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Popular Programming Languages 143\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eJavaScript 143 \u003c\/p\u003e \u003cp\u003eHTML\/CSS 148 \u003c\/p\u003e \u003cp\u003eHTML5, Specifically 149 \u003c\/p\u003e \u003cp\u003ePython 151 \u003c\/p\u003e \u003cp\u003eSQL 154 \u003c\/p\u003e \u003cp\u003eNode.js 157 \u003c\/p\u003e \u003cp\u003eJava 160 \u003c\/p\u003e \u003cp\u003eSerialization in Java 164 \u003c\/p\u003e \u003cp\u003eTypeScript 165 \u003c\/p\u003e \u003cp\u003eC# 166 \u003c\/p\u003e \u003cp\u003ePHP 170 \u003c\/p\u003e \u003cp\u003eC\/C++ 175 \u003c\/p\u003e \u003cp\u003eConclusion 178 \u003c\/p\u003e \u003cp\u003eChapter Exercises 179 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Popular Frameworks 181\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eWeb and JavaScript 181 \u003c\/p\u003e \u003cp\u003eExpress 182 \u003c\/p\u003e \u003cp\u003eReact.js 184 \u003c\/p\u003e \u003cp\u003eAngular 186 \u003c\/p\u003e \u003cp\u003ejQuery 190 \u003c\/p\u003e \u003cp\u003eVue.js 192 \u003c\/p\u003e \u003cp\u003eOther Frameworks and Libraries 194 \u003c\/p\u003e \u003cp\u003e.NET (Core) 194 \u003c\/p\u003e \u003cp\u003eRuby on Rails 199 \u003c\/p\u003e \u003cp\u003eSpring and Spring Boot 204 \u003c\/p\u003e \u003cp\u003eFlask 207 \u003c\/p\u003e \u003cp\u003eChapter Exercises 210 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Vulnerability Categories 
211\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eDesign Flaws \/ Logic Flaws 212 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 213 \u003c\/p\u003e \u003cp\u003eThe Risk 213 \u003c\/p\u003e \u003cp\u003ePrevention 214 \u003c\/p\u003e \u003cp\u003eCode Bugs \/ Implementation Errors 215 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 215 \u003c\/p\u003e \u003cp\u003eThe Risk 215 \u003c\/p\u003e \u003cp\u003ePrevention 215 \u003c\/p\u003e \u003cp\u003eOverflows and Other Memory Issues 216 \u003c\/p\u003e \u003cp\u003eOverflows 216 \u003c\/p\u003e \u003cp\u003eBuffer Overreads 217 \u003c\/p\u003e \u003cp\u003eInvalid Page Faults 217 \u003c\/p\u003e \u003cp\u003eUse After Free 218 \u003c\/p\u003e \u003cp\u003eUninitialized Variables 218 \u003c\/p\u003e \u003cp\u003eMemory Leaks 218 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 219 \u003c\/p\u003e \u003cp\u003eThe Risk 219 \u003c\/p\u003e \u003cp\u003ePrevention 219 \u003c\/p\u003e \u003cp\u003eInjection: Interpreter and Compiler Issues 220 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 221 \u003c\/p\u003e \u003cp\u003eThe Risk 221 \u003c\/p\u003e \u003cp\u003ePrevention 221 \u003c\/p\u003e \u003cp\u003eInput Issues 222 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 223 \u003c\/p\u003e \u003cp\u003eThe Risk 223 \u003c\/p\u003e \u003cp\u003ePrevention 223 \u003c\/p\u003e \u003cp\u003eAuthentication and Identity Issues 223 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 224 \u003c\/p\u003e \u003cp\u003eThe Risk 224 \u003c\/p\u003e \u003cp\u003ePrevention 224 \u003c\/p\u003e \u003cp\u003eAuthorization and Access Issues 225 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 225 \u003c\/p\u003e \u003cp\u003eConfiguration and Implementation Issues 225 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 226 \u003c\/p\u003e \u003cp\u003eThe Risk 226 \u003c\/p\u003e \u003cp\u003ePrevention 226 \u003c\/p\u003e \u003cp\u003eFraudulent Transactions 227 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 
227 \u003c\/p\u003e \u003cp\u003eThe Risk 227 \u003c\/p\u003e \u003cp\u003ePrevention 228 \u003c\/p\u003e \u003cp\u003eReplay Attacks 228 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 228 \u003c\/p\u003e \u003cp\u003eThe Risk 229 \u003c\/p\u003e \u003cp\u003ePrevention 229 \u003c\/p\u003e \u003cp\u003eCrossing Trust Boundaries 229 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 230 \u003c\/p\u003e \u003cp\u003eThe Risk 230 \u003c\/p\u003e \u003cp\u003ePrevention 230 \u003c\/p\u003e \u003cp\u003eFile Handling Issues 230 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 231 \u003c\/p\u003e \u003cp\u003eThe Risk 231 \u003c\/p\u003e \u003cp\u003ePrevention 231 \u003c\/p\u003e \u003cp\u003eObject Handling Issues 232 \u003c\/p\u003e \u003cp\u003eProminent Features of OOP 232 \u003c\/p\u003e \u003cp\u003eDeserialization and Other Object Handling Issues 234 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 234 \u003c\/p\u003e \u003cp\u003eThe Risk 234 \u003c\/p\u003e \u003cp\u003ePrevention 234 \u003c\/p\u003e \u003cp\u003eSecrets Management Issues 235 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 236 \u003c\/p\u003e \u003cp\u003eThe Risk 236 \u003c\/p\u003e \u003cp\u003ePrevention 236 \u003c\/p\u003e \u003cp\u003eRace Conditions and Timing Issues 237 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 237 \u003c\/p\u003e \u003cp\u003eThe Risk 238 \u003c\/p\u003e \u003cp\u003ePrevention 238 \u003c\/p\u003e \u003cp\u003eResource Issues 240 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 240 \u003c\/p\u003e \u003cp\u003eThe Risk 241 \u003c\/p\u003e \u003cp\u003ePrevention 241 \u003c\/p\u003e \u003cp\u003eFalling into an Unknown State 241 \u003c\/p\u003e \u003cp\u003eHow Does This Happen? 
242 \u003c\/p\u003e \u003cp\u003eThe Risk 242 \u003c\/p\u003e \u003cp\u003ePrevention 242 \u003c\/p\u003e \u003cp\u003eChapter Exercises 243 \u003c\/p\u003e \u003cp\u003eSummary of Part II 245 \u003c\/p\u003e \u003cp\u003eChecklist of Technology-Specific Secure Coding Advice 245 \u003c\/p\u003e \u003cp\u003eChecklist of Secure Coding Advice for Languages and Frameworks 246 \u003c\/p\u003e \u003cp\u003eSummary of Vulnerability Issues to Watch For 248 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Secure System Development Life Cycle 251\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Requirements 253\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eProject Kick-Off: Outline of Your Project’s Security Activities 253 \u003c\/p\u003e \u003cp\u003eProject Scheduling and Planning 254  \u003c\/p\u003e \u003cp\u003eSecurity Requirements 255 \u003c\/p\u003e \u003cp\u003eChapter Exercises 257 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Design 259\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eThreat Modeling 260 \u003c\/p\u003e \u003cp\u003eSecure Design Patterns and Concepts 262 \u003c\/p\u003e \u003cp\u003eArchitecture Whiteboarding 263 \u003c\/p\u003e \u003cp\u003eExamining Data Flows 263 \u003c\/p\u003e \u003cp\u003eSecurity User Stories 264 \u003c\/p\u003e \u003cp\u003eChapter Exercises 265 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Coding 267\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eTraining 267 \u003c\/p\u003e \u003cp\u003eOrganizations 269 \u003c\/p\u003e \u003cp\u003eIndividuals 270 \u003c\/p\u003e \u003cp\u003eCode Review 270 \u003c\/p\u003e \u003cp\u003eFirst- and Second-Generation Static Analysis Tools 271 \u003c\/p\u003e \u003cp\u003eSecure Guardrails 272 \u003c\/p\u003e \u003cp\u003eIDE Plugins and Other Guidance 273 \u003c\/p\u003e \u003cp\u003eVerifying That Your Dependencies Are Safe (SCA) 274 \u003c\/p\u003e \u003cp\u003eHow Do You Decide Which Dependencies Are Worth Updating or Changing? 
274 \u003c\/p\u003e \u003cp\u003eFinding and Managing Secrets 275 \u003c\/p\u003e \u003cp\u003eDynamic Testing (DAST) 276 \u003c\/p\u003e \u003cp\u003eChapter Exercises 278 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Testing 279\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eTest Coverage and Timing 280 \u003c\/p\u003e \u003cp\u003eDepth Versus Coverage 281 \u003c\/p\u003e \u003cp\u003eScanning Your Infrastructure 281 \u003c\/p\u003e \u003cp\u003eProduction or Lower-Level Environments 281 \u003c\/p\u003e \u003cp\u003eScoping 282 \u003c\/p\u003e \u003cp\u003eTiming 282 \u003c\/p\u003e \u003cp\u003eManual Testing 284 \u003c\/p\u003e \u003cp\u003eAutomated Testing 286 \u003c\/p\u003e \u003cp\u003eFuzzing 287 \u003c\/p\u003e \u003cp\u003eInteractive Application Security Testing (IAST) 288 \u003c\/p\u003e \u003cp\u003eBug Bounty Programs 289 \u003c\/p\u003e \u003cp\u003eTest Results 290 \u003c\/p\u003e \u003cp\u003eActioning Test Results 291 \u003c\/p\u003e \u003cp\u003eFinal Thoughts 293 \u003c\/p\u003e \u003cp\u003eChapter Exercises 293 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Release\/Deployment 295\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eSecurity Events Within the CI\/CD 296 \u003c\/p\u003e \u003cp\u003eBreaking the Build 297 \u003c\/p\u003e \u003cp\u003eSecret Scanning 298 \u003c\/p\u003e \u003cp\u003eStatic Analysis 298 \u003c\/p\u003e \u003cp\u003eDynamic Analysis 298 \u003c\/p\u003e \u003cp\u003eSoftware Composition Analysis 299 \u003c\/p\u003e \u003cp\u003eLinting 299 \u003c\/p\u003e \u003cp\u003eInfrastructure as Code scanners 299 \u003c\/p\u003e \u003cp\u003eSecuring the CI\/CD Pipeline Itself 299 \u003c\/p\u003e \u003cp\u003eAssuring the Integrity of Your Release 302 \u003c\/p\u003e \u003cp\u003eSecurity Release Approval 303 \u003c\/p\u003e \u003cp\u003eChapter Exercises 304 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Maintenance 305\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eMonitoring, Alerting, and Observability 306 
\u003c\/p\u003e \u003cp\u003eBlocking\/Shielding 308 \u003c\/p\u003e \u003cp\u003eWeb Application Firewalls (WAFs) 309 \u003c\/p\u003e \u003cp\u003eContent Delivery Networks (CDNs) 309 \u003c\/p\u003e \u003cp\u003eRuntime Application Self-Protection (RASP) 310 \u003c\/p\u003e \u003cp\u003eVirtual Patching 310 \u003c\/p\u003e \u003cp\u003eAPI Gateways 310 \u003c\/p\u003e \u003cp\u003eA Special Note for Data Scientists 311 \u003c\/p\u003e \u003cp\u003eContinuous Testing 312 \u003c\/p\u003e \u003cp\u003eSecurity Incidents 313 \u003c\/p\u003e \u003cp\u003eBusiness Continuity and Disaster Recovery Planning 315 \u003c\/p\u003e \u003cp\u003eChapter Exercises 317 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Conclusion 319\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eGood Habits 319 \u003c\/p\u003e \u003cp\u003eYour Responsibility 322 \u003c\/p\u003e \u003cp\u003eHow Much Is Enough? 323 \u003c\/p\u003e \u003cp\u003eUsing Artificial Intelligence Safely 325 \u003c\/p\u003e \u003cp\u003eContinuous Learning 327 \u003c\/p\u003e \u003cp\u003eBecoming a Champion 328 \u003c\/p\u003e \u003cp\u003eGetting Others on Board 330 \u003c\/p\u003e \u003cp\u003eTransitioning onto the Security Team 330 \u003c\/p\u003e \u003cp\u003eApplying for Security Jobs Outside of Your Organization 331 \u003c\/p\u003e \u003cp\u003eConclusion 335 \u003c\/p\u003e \u003cp\u003eSummary of Part III 339 \u003c\/p\u003e \u003cp\u003eChecklist of Security Activities for Each Phase of the SDLC 339 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix A Resources 343\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eChapter 1: Introductory Security Fundamentals 343 \u003c\/p\u003e \u003cp\u003eChapter 2: Beginning 344 \u003c\/p\u003e \u003cp\u003eChapter 3: Improving 345 \u003c\/p\u003e \u003cp\u003eChapter 4: Achieving 347 \u003c\/p\u003e \u003cp\u003eChapter 5: Technology-Specific 349 \u003c\/p\u003e \u003cp\u003eChapter 6: Popular Programming Languages 351 \u003c\/p\u003e \u003cp\u003eChapter 7: Popular Frameworks 
355 \u003c\/p\u003e \u003cp\u003eChapter 8: Vulnerability Categories 357 \u003c\/p\u003e \u003cp\u003eChapter 10: Design 359 \u003c\/p\u003e \u003cp\u003eChapter 11: Coding 359 \u003c\/p\u003e \u003cp\u003eChapter 12: Testing 359 \u003c\/p\u003e \u003cp\u003eChapter 13: Release\/Deployment 360 \u003c\/p\u003e \u003cp\u003eChapter 14: Maintenance 360 \u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix B Answer Keys 361\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003eChapter 1: Introductory Security Fundamentals 361 \u003c\/p\u003e \u003cp\u003eChapter 2: Beginning 363 \u003c\/p\u003e \u003cp\u003eChapter 3: Improving 364 \u003c\/p\u003e \u003cp\u003eChapter 4: Achieving 365 \u003c\/p\u003e \u003cp\u003eChapter 5: Technology-Specific 368 \u003c\/p\u003e \u003cp\u003eChapter 8: Vulnerability Categories 370 \u003c\/p\u003e \u003cp\u003eChapter 9: Requirements 371 \u003c\/p\u003e \u003cp\u003eChapter 11: Coding 372 \u003c\/p\u003e \u003cp\u003eChapter 12: Testing 373 \u003c\/p\u003e \u003cp\u003eChapter 13: Release\/Deployment 374 \u003c\/p\u003e \u003cp\u003eChapter 14: Maintenance 375 \u003c\/p\u003e \u003cp\u003eIndex 377\u003c\/p\u003e\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\u003cp\u003e\u003cfont size=\"3\"\u003eSubject Areas: Computer science [\u003ca title=\"See our other books on Computer science\" href=\"https:\/\/freshlyprintedbooks.co.uk\/search?q=%22Computer%20science%20%5BUY%5D%22\"\u003eUY\u003c\/a\u003e]\u003c\/font\u003e\u003c\/p\u003e\r\n\r\n\r\n\u003c\/font\u003e","brand":"Wiley","offers":[{"title":"Brand New","offer_id":52165307138328,"sku":"9781394171705","price":25.65,"currency_code":"GBP","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0730\/2037\/5320\/files\/9781394171705.jpg?v=1781098164","url":"https:\/\/freshlyprintedbooks.co.uk\/products\/alice-and-bob-learn-secure-coding-paperback-softback-9781394171705","provider":"Freshly Printed Books","version":"1.0","type":"link"}