Web Application Security, A Beginner's Guide
Bryan Sullivan, Vincent Liu
Format: PDF / Kindle (mobi) / ePub
Security Smarts for the Self-Guided IT Professional
“Get to know the hackers―or plan on getting hacked. Sullivan and Liu have created a savvy, essentials-based approach to web app security packed with immediately applicable tools for any information security practitioner sharpening his or her tools or just starting out.” ―Ryan McGeehan, Security Manager, Facebook, Inc.
Secure web applications from today's most devious hackers. Web Application Security: A Beginner's Guide helps you stock your security toolkit, prevent common hacks, and defend quickly against malicious attacks.
This practical resource includes chapters on authentication, authorization, and session management, along with browser, database, and file security--all supported by true stories from industry. You'll also get best practices for vulnerability detection and secure development, as well as a chapter that covers essential security fundamentals. This book's templates, checklists, and examples are designed to help you get started right away.
Web Application Security: A Beginner's Guide features:
- Lingo--Common security terms defined so that you're in the know on the job
- IMHO--Frank and relevant opinions based on the authors' years of industry experience
- Budget Note--Tips for getting security technologies and processes into your organization's budget
- In Actual Practice--Exceptions to the rules of security explained in real-world contexts
- Your Plan--Customizable checklists you can use on the job now
- Into Action--Tips on how, why, and when to apply new skills and techniques at work
about them on the SDL home page at www.microsoft.com/sdl. OWASP Comprehensive Lightweight Application Security Process (CLASP) Another widely used secure development process is the OWASP Comprehensive Lightweight Application Security Process, or CLASP. CLASP was originally developed as a commercial methodology by the source code analysis company Secure Software, but was donated to OWASP in 2006 and made freely available. Like SDL, CLASP specifies development lifecycle activities for teams
finish the first sentence of the introduction. I’d like to thank my coauthor, Vinnie, for contributing a wealth of knowledge and experience on web application security. I had a lot of fun writing this book with you, and I’m glad you talked me into it. And speaking of a wealth of knowledge and experience, I’d also like to thank our technical editor, Michael Howard. Your hard work made this book not only a much better reference guide but a much better read as well. The editorial team at
different account or the ability to load kernel code. Such rules can typically be overridden by the owners of objects and resources. Mandatory Access Control (MAC) In MAC, access control is determined by the system, or by system administrators, rather than object owners. Some web applications use this model because of its stronger limits on what can potentially happen within the application, as well as the simplification of design and user interface that comes with not needing to provide users
contain authorization logic inasmuch as, during the process of breaking down an incoming request into a complex SQL join statement or what-have-you, the stored procedure can also make subqueries about the relationships among users, resources, and permissions. That is, before running that query to find all the managers who report under some vice president, the stored procedure can first figure out whether the user making the request is allowed to do so. So, application logic or database layer?
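To make the "application logic or database layer?" choice concrete, here is an added example (not code from the book, and not the authors' own) that emulates the stored-procedure approach on SQLite, which has no stored procedures but can run the same SQL. The org chart, the `org_chart_grants` table and the user names are constructed for the example. Two variants are shown: a two-step version that runs the authorization subquery first and refuses with an error, and a single-statement version that folds the permission check into the data query as an `EXISTS` predicate, so an unauthorized requester simply gets an empty result set.

```python
import sqlite3

# Constructed sample schema and data (not from the book): an org chart plus a
# grant table recording which user may view which reporting subtree.
SCHEMA = """
CREATE TABLE users (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    role TEXT NOT NULL            -- 'vp', 'manager', 'engineer', 'hr'
);
CREATE TABLE reports_to (
    employee_id INTEGER NOT NULL REFERENCES users(id),
    manager_id  INTEGER NOT NULL REFERENCES users(id)
);
CREATE TABLE org_chart_grants (   -- viewer_id may read the subtree rooted at root_id
    viewer_id INTEGER NOT NULL REFERENCES users(id),
    root_id   INTEGER NOT NULL REFERENCES users(id)
);
"""

USERS = [(1, "Alice", "vp"), (2, "Bob", "manager"), (3, "Carol", "manager"),
         (4, "Dave", "engineer"), (5, "Eve", "hr"), (6, "Mallory", "engineer")]
REPORTS_TO = [(2, 1), (3, 2), (4, 3), (6, 3)]   # (employee, manager)
GRANTS = [(1, 1), (5, 1)]   # Alice and Eve may view Alice's subtree; nobody else may

# Recursive CTE: everyone below the given root, however many levels down.
SUBTREE_CTE = """
WITH RECURSIVE chain(id) AS (
    SELECT employee_id FROM reports_to WHERE manager_id = ?
    UNION
    SELECT r.employee_id FROM reports_to r JOIN chain c ON r.manager_id = c.id
)
"""


def open_db():
    """Build the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO reports_to VALUES (?, ?)", REPORTS_TO)
    conn.executemany("INSERT INTO org_chart_grants VALUES (?, ?)", GRANTS)
    return conn


def is_authorized(conn, requester_id, root_id):
    """The authorization subquery on its own: may requester view root's subtree?"""
    row = conn.execute(
        "SELECT 1 FROM org_chart_grants WHERE viewer_id = ? AND root_id = ?",
        (requester_id, root_id)).fetchone()
    return row is not None


def managers_under(conn, requester_id, vp_id):
    """Two-step variant: check first, then query. Denial is an explicit error."""
    if not is_authorized(conn, requester_id, vp_id):
        raise PermissionError(f"user {requester_id} may not view the subtree of {vp_id}")
    rows = conn.execute(SUBTREE_CTE + """
        SELECT u.name FROM users u JOIN chain c ON u.id = c.id
        WHERE u.role = 'manager' ORDER BY u.name""", (vp_id,)).fetchall()
    return [name for (name,) in rows]


def managers_under_single_query(conn, requester_id, vp_id):
    """One-statement variant, closest to a stored procedure that folds the
    permission check into the data query. Denial is an empty result set."""
    rows = conn.execute(SUBTREE_CTE + """
        SELECT u.name FROM users u JOIN chain c ON u.id = c.id
        WHERE u.role = 'manager'
          AND EXISTS (SELECT 1 FROM org_chart_grants g
                      WHERE g.viewer_id = ? AND g.root_id = ?)
        ORDER BY u.name""", (vp_id, requester_id, vp_id)).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = open_db()
    print(managers_under(db, 5, 1))               # Eve (HR) holds a grant: ['Bob', 'Carol']
    print(managers_under_single_query(db, 6, 1))  # Mallory holds none: []
```

The trade-off the text raises shows up in the two return conventions: the two-step version gives the application a clear signal to log and to turn into a 403, while the single-statement version keeps the permission check inseparable from the data access (nobody can call the query without it) at the cost of making "denied" look like "no results".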
yourself, be cautious when using this. * * * So now that you know that session cookies survive even if the original tab or window is closed, you close all of your browser windows, quit the browser applications, and reboot your machine for good measure. There’s no way you could still be logged in to the bank now, right? If the bank used a session cookie to store the authentication token, then no, you won’t be logged in any more. But if the bank used a persistent cookie, then even after a
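The behaviour described above, as an added example that is not part of the book: a minimal model of a browser cookie jar built on the standard library's `http.cookies` parser. The `Browser` class, the cookie names and the `Set-Cookie` header values are constructed for the example. A cookie with neither `Max-Age` nor `Expires` is a session cookie and survives closing a tab but not quitting the browser; a cookie with either attribute is persistent and survives a restart until it expires; `Max-Age=0` is how a server tells the browser to delete one.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Fixed "wall clock" so the example is deterministic (constructed, not from the book).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


class Browser:
    """Minimal model of a browser cookie jar: just enough to show the
    session-cookie versus persistent-cookie distinction."""

    def __init__(self, now=NOW):
        self.now = now
        self.jar = {}   # cookie name -> (value, expiry datetime, or None for a session cookie)

    def receive(self, set_cookie_header):
        """Process one Set-Cookie header value from a response."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            expiry = None
            if morsel["max-age"]:                        # Max-Age takes precedence over Expires (RFC 6265)
                expiry = self.now + timedelta(seconds=int(morsel["max-age"]))
            elif morsel["expires"]:
                expiry = parsedate_to_datetime(morsel["expires"])
                if expiry.tzinfo is None:                # treat a naive date as UTC
                    expiry = expiry.replace(tzinfo=timezone.utc)
            if expiry is not None and expiry <= self.now:
                self.jar.pop(name, None)                 # already expired: the server wants it gone
                continue
            self.jar[name] = (morsel.value, expiry)

    def close_tab(self):
        """Closing a tab or window does not touch the jar at all."""

    def restart(self):
        """Quitting the browser (or rebooting) drops only the session cookies."""
        self.jar = {n: (v, e) for n, (v, e) in self.jar.items() if e is not None}

    def cookie_header(self):
        """What the browser would send back in the Cookie header on the next request."""
        return "; ".join(f"{n}={v}" for n, (v, _) in self.jar.items())

    def is_logged_in(self, token_name="auth"):
        return token_name in self.jar


def login_survives(set_cookie_header):
    """Return (still logged in after closing the tab, still logged in after a restart)."""
    b = Browser()
    b.receive(set_cookie_header)
    b.close_tab()
    after_tab = b.is_logged_in()
    b.restart()
    return after_tab, b.is_logged_in()


# Constructed headers a bank might send for the same authentication token
SESSION_COOKIE     = "auth=tok123; Path=/; Secure; HttpOnly"
PERSISTENT_COOKIE  = "auth=tok123; Path=/; Secure; HttpOnly; Max-Age=2592000"   # 30 days
PERSISTENT_EXPIRES = "auth=tok123; Path=/; Secure; HttpOnly; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
LOGOUT_COOKIE      = "auth=; Path=/; Max-Age=0"   # server-side logout: delete the cookie

if __name__ == "__main__":
    print(login_survives(SESSION_COOKIE))      # (True, False)
    print(login_survives(PERSISTENT_COOKIE))   # (True, True)
```

The practical check is the first line of the `Set-Cookie` header the application emits for its authentication token: if it carries `Max-Age` or `Expires`, the login outlives the browser session. One caveat the model does not capture: browsers configured to restore the previous session on startup (Chrome's "continue where you left off", Firefox's session restore) keep session cookies across a restart too, so a session cookie is a reasonable default, not a guarantee that a shared machine is logged out.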