- ホーム
- > 洋書
- > 英文書
- > Computer / General
Full Description
Use the best practices taught in this book to defend your application against future attack patterns. You also will learn about other equally critical means of securing your application, including validation logic, threat modeling, authentication, authorization, and much more.This book covers the role that .NET developers play when it comes to security. You will learn about cryptography, but that is not the only tool at your disposal. After reading this book you will come away feeling empowered and confident when it comes to taking charge of the application security issues that are in your control.What You'll LearnUnderstand the key concepts of software-based security in the context of application developmentSee how to structure a distributed application inside and outside of the firewallExplore and recognize common attack vectorsGain a thorough understanding of validationsWork through various examples of software security with a sense of humor Embrace the power you have as a developerKnow the risks in order to ensure that development efforts work to mitigate the risksWho This Book Is For.NET developers, especially those who are developing applications that are visible on the Internet
Contents
Chapter 1, Secure Computing in an Insecure WorldThis chapter will introduce the concept of software based security and fit it in the context of the application developersSurvey of Various DangersUnderstanding the RisksNo Such Thing as "Secure" Our Goal is DefensibleSecurity is Everyone's Concern, Especially the DeveloperChapter 2: Overview of Common Attack VectorsIn this chapter we will discuss some of the top attack patterns that frequently plague web applicationParameter ManipulationVarious InjectionsSensitive Data Exposure(Other vectors)Chapter 3: Security PrinciplesIn this chapter we will give an overview of various guiding principles for secure programming. This chapter will include references to other chapters where these concepts are discussed in greater depth of real world examples are showcasedFail SecurelyPositive Security Model (White list)Negative Security Model (Black list)Minimize Attack SurfaceSeparation of DutiesAvoid Security Through ObscurityKeep Security SimpleDon't Trust ServicesDefense in DepthLeast PrivilegeEstablish Secure DefaultsChapter 4: Validations in PracticeBlessed are the Paranoid for they ValidateIn this chapter we will explore all things validationDon't Trust UsersDon't Trust Input Parameters from unknown sourcesDon't Trust Input Files you didn't writeDon't trust data even from your own databaseOverview of the Standard ValidatorsValidators are SQL Firewall RulesChapter 5: Application Topography for SecurityBlessed are the Lonely for they SeparateIn this chapter we discuss how to structure a distributed application paying attention to what goes inside and outside of the firewallDistributed Application creates a Larger Attack SurfaceSeparate the Database from the Application ServerProperly Handling Connection StringsWhat should stay outside the firewallWhat should stay inside the firewallHow do servers communicateChapter 6: Mitigating Risk by Minimizing PrivilegeBlessed are the Cautious for they Follow the Principle of Least PrivilegeIn this chapter we will introduce and explore the Principle of Least Privilege. We will see how this applies to the database specifically as well as to network resources in general.The Database has all the Keys to the KingdomSeparate Key Sensitive Data to a Separate DatabaseIsolate Key Sensitive in the Same Database with Separate LoginsSeparate Transaction Data from Reporting DataUnderstanding Access Control ListsChapter 7: Cryptography in PracticeBlessed are the Cryptic for Even Stolen Data is SecureIn this chapter we will discuss cryptography from an application perspective. We will review the common algorithms used, how they are executed, and we will discuss some best practices for using cryptography.Cryptography can be a Self-Imposed Denial of Service if used wrongSymmetric CryptographyAsymmetric CryptographyDigital SignaturesHashingChapter 8: Authentication and AuthorizationIn this chapter we will discuss all things related to Authentication and Authorization. This may be split into 2 chapters not sure yet.Password complexity policiesPassword resets2 Factor AuthenticationIdle TimeoutsLogging OutAuthorization MatrixAccess Control ListsProtected ResourcesStatic ResourcesReauthorizationJWT (JSON Web Tokens)Chapter 9: Securing Web Services In this chapter we will discuss web services, the roles they play in modern web applications and how to properly secure them.Chapter 10 Threat ModelingIn this chapter we will step through the Microsoft Threat Modeling Process. We will discuss the importance of modeling, review the individual steps, and discuss ways to incorporate this into your development lifecycleIdentify Security ObjectivesSurvey the ApplicationDecompose the ApplicationIdentify ThreatsSTRIDEDREADChapter 11 Best PracticesThis will be a wrap up chapter that will reiterate all the best practices identified though out the book. Best practices will be grouped by chapter giving the reader a quick link back to where the best practice was introduced so they can quickly get more context.
