6 APPENDIX A: Resources
    Introduction
    Chapter 1: Security Fundamentals
    Chapter 2: Security Requirements
    Chapter 3: Secure Design
    Chapter 4: Secure Code
    Chapter 5: Common Pitfalls
    Chapter 6: Testing and Deployment
    Chapter 7: An AppSec Program
    Chapter 8: Securing Modern Applications and Systems
    Chapter 9: Good Habits
    Chapter 10: Continuous Learning
7 APPENDIX B: Answer Key
    Chapter 1: Security Fundamentals
    Chapter 2: Security Requirements
    Chapter 3: Secure Design
    Chapter 4: Secure Code
    Chapter 5: Common Pitfalls
    Chapter 6: Testing and Deployment
    Chapter 7: An AppSec Program
    Chapter 8: Securing Modern Applications and Systems
    Chapter 9: Good Habits
    Chapter 10: Continuous Learning
8 Index
List of Illustrations
1 Introduction
    Figure I-1: System Development Life Cycle (SDLC)
    Figure I-2: Shifting/Pushing Left
2 Chapter 1
    Figure 1-1: The CIA Triad is the reason IT Security teams exist.
    Figure 1-2: Confidentiality: keeping things safe
    Figure 1-3: Integrity means accuracy.
    Figure 1-4: Resilience improves availability.
    Figure 1-5: Three layers of security for an application; an example of defens...
    Figure 1-6: A possible supply chain for Bob's doll house
    Figure 1-7: Example of an application calling APIs and when to authenticate
3 Chapter 2
    Figure 2-1: The System Development Life Cycle (SDLC)
    Figure 2-2: Data classifications Bob uses at work
    Figure 2-3: Forgotten password flowchart
    Figure 2-4: Illustration of a web proxy intercepting web traffic
4 Chapter 3
    Figure 3-1: The System Development Life Cycle (SDLC)
    Figure 3-2: Flaws versus bugs
    Figure 3-3: Approximate cost to fix security bugs and flaws during the SDLC
    Figure 3-4: Pushing left
    Figure 3-5: Using a web proxy to circumvent JavaScript validation
    Figure 3-6: Example of very basic attack tree for a run-tracking mobile app
5 Chapter 4
    Figure 4-1: Input validation flowchart for untrusted data
    Figure 4-2: Session management flow example
6 Chapter 5
    Figure 5-1: CSRF flowchart
    Figure 5-2: SSRF flowchart
7 Chapter 6
    Figure 6-1: Continuous Integration/Continuous Delivery (CI/CD)
8 Chapter 7
    Figure 7-1: Security activities added to the SDLC
9 Chapter 8
    Figure 8-1: Simplified microservice architecture
    Figure 8-2: Microservice architecture with API gateway
    Figure 8-3: Infrastructure as Code workflow
    Figure 8-4: File integrity monitoring and application control tooling at work...