
Application Security Program Handbook: A guide for software engineers and team leaders

Stop dangerous threats and secure your vulnerabilities without slowing down delivery. This practical book is a one-stop guide to implementing a robust application security program.

In the Application Security Program Handbook you will learn:

Why application security is so important to modern software
Application security tools you can use throughout the development lifecycle
Creating threat models
Rating discovered risks
Gap analysis on security tools
Mitigating web application vulnerabilities
Creating a DevSecOps pipeline
Application security as a service model
Reporting structures that highlight the value of application security
Creating a software security ecosystem that benefits development
Setting up your program for continuous improvement

The Application Security Program Handbook teaches you to implement a robust program of security throughout your development process. It goes well beyond the basics, detailing flexible security fundamentals that can adapt and evolve to new and emerging threats. Its service-oriented approach is perfectly suited to the fast pace of modern development. Your team will quickly switch from viewing security as a chore to an essential part of their daily work. Follow the expert advice in this guide and you’ll reliably deliver software that is free from security defects and critical vulnerabilities.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Application security is much more than a protective layer bolted onto your code. Real security requires coordinating practices, people, tools, technology, and processes throughout the life cycle of a software product. This book provides a reproducible, step-by-step road map to building a successful application security program.

About the book
The Application Security Program Handbook delivers effective guidance on establishing and maturing a comprehensive software security plan. In it, you’ll master techniques for assessing your current application security, determining whether vendor tools are delivering what you need, and modeling risks and threats. As you go, you’ll learn both how to secure a software application end to end and also how to build a rock-solid process to keep it safe.

What's inside

Application security tools for the whole development life cycle
Finding and fixing web application vulnerabilities
Creating a DevSecOps pipeline
Setting up your security program for continuous improvement

About the reader
For software developers, architects, team leaders, and project managers.

About the author
Derek Fisher has been working in application security for over a decade, where he has seen numerous security successes and failures firsthand.

Table of Contents
PART 1 DEFINING APPLICATION SECURITY
1 Why do we need application security?
2 Defining the problem
3 Components of application security
PART 2 DEVELOPING THE APPLICATION SECURITY PROGRAM
4 Releasing secure code
5 Security belongs to everyone
6 Application security as a service
PART 3 DELIVER AND MEASURE
7 Building a roadmap
8 Measuring success
9 Continuously improving the program

ISBN-13: 9781633439818

Media Type: Paperback

Publisher: Manning

Publication Date: 12-27-2022

Pages: 296

Product Dimensions: 7.40(w) x 9.20(h) x 0.70(d)

Table of Contents

Foreword ix
Preface xi
Acknowledgments xii
About this book xiv
About the author xvii
About the cover illustration xviii

Part 1 Defining Application Security 1

1 Why do we need application security? 3
  1.1 The role of an application security program 5
    Software from concept to production 6
    Where does application security fit? 7
  1.2 The current state of application security 8
  1.3 Why building security in is challenging 9
    Trying to protect at runtime 10
    Getting output from tools is not enough 11
    Sifting signal from noise in security tools 11
  1.4 Shifting right vs. shifting left in development 12
    Shifting right in the development life cycle 14
    Shifting right fails 15
    Shifting left in the development life cycle 16
    Shifting left fails 19
  1.5 Is going left better than going right? 20
  1.6 Application security needs you! 22
    Democratizing application security 23
    Users will be users 24
  1.7 Examples of failing to secure the software 25
    SolarWinds 25
    Accellion 26
    Fake software 27

2 Defining the problem 29
  2.1 The CIA triad 30
  2.2 Confidentiality 30
    Data protection policy 31
    Data at rest 32
    Applying encryption 34
    Data in transit 36
    Encryption prior to transmission 39
    Data in use 39
    Not so confidential 40
    Do I even need this? 41
  2.3 Availability 41
    DoS and DDoS 42
    Accidental outage 43
    The role of ransomware 43
    Casino betting offline 44
    Health organizations are still fair game 44
    Building in resiliency 45
  2.4 Integrity 46
    Integrity starts with access 47
    The role of version control 48
    Data validation 49
    Data replication 49
    Data checks 50
  2.5 Authentication and authorization 51
    Authentication 51
    Authorization 51
  2.6 Adversaries 52
    Script kiddies 52
    Insider 53
    Cybercriminal 54
    Hacktivist and terrorist 54
    Advanced persistent threat 55
    Why do we care? 55
  2.7 Measuring risk 56
    Remediate, mitigate, accept 57
    Identify the risk 58
    Estimating likelihood 59
    Estimating impact 60
    Risk severity 60
    Risk example 61
    Other methodologies 62

3 Components of application security 64
  3.1 Threat modeling 65
    Basic threat modeling terminology 66
    Manual threat modeling 68
    Starting the manual process 69
    Threat modeling with linking bank accounts 70
    What to do with the found threats 72
    Threat modeling using a tool 73
  3.2 Security analysis tools 75
    Static application security testing 77
    Tools in the development environment 78
    Dynamic application security testing 80
    Software composition analysis 82
  3.3 Penetration testing 84
  3.4 Run-time protection tools 86
  3.5 Vulnerability collection and prioritization 88
    Integrating with defect tracking 88
    Prioritizing vulnerabilities 89
    Closing vulnerabilities 90
  3.6 Bug bounty and vulnerability disclosure program 90
    Vulnerability disclosure program 91
    Bug bounty program 91
    Third-party help with vulnerabilities 92
  3.7 Putting it together 93

Part 2 Developing the application security program 97

4 Releasing secure code 99
  4.1 Security in DevOps 100
    DevOps pipelines 101
  4.2 DevOps isn't the only game in town 102
    Waterfall 102
    Agile 104
    Lean 106
    DevOps supports security better 108
    DevSecOps example 110
  4.3 Application security tooling in the pipeline 112
    Threat modeling in DevSecOps 112
    SAST in DevSecOps 114
    DAST and IAST in DevSecOps 115
    SCA in DevSecOps 119
    Run-time protection in DevSecOps 120
    Security orchestration 122
    Security education 124
  4.4 Feedback loop 125

5 Security belongs to everyone 127
  5.1 Security is everyone's problem 128
    Structure of an application security team 129
    Just hire more application security people 130
    How to close the gap 132
  5.2 Security education 132
    Raising the security IQ 133
    Microlearning and just-in-time training 135
    It's more than just training 137
  5.3 Standards, requirements, and reference architecture 138
    Creating and driving standards 139
    Creating reference architecture 142
    Bringing requirements into the organization 144
  5.4 Maturity models 145
    OWASP SAMM 146
    Building Security In Maturity Model 149
    Addressing your security immaturity 152
  5.5 Decentralized application security 152
    Security champions program 153
    Leveraging the decentralized model 155

6 Application security as a service 158
  6.1 Managing risk during development 159
    Defining and reducing risk 160
    Define the application risk 160
    Release-by-risk 163
  6.2 Enablement instead of gates 168
    Automate the release-by-risk 169
    Removing the barriers by adding guardrails 170
  6.3 Bridging engineering and security through services 172
    The application security-as-a-service ecosystem 173
    Services requested through tickets 176
    Ambient application security 179

Part 3 Deliver and measure 183

7 Building a roadmap 185
  7.1 Getting the current security posture 186
    Going on tour 186
    What tools exist? 188
    What vulnerabilities do you have? 191
    What additional information is available? 193
  7.2 Understanding the organization's security goals 195
    The organization's goals 195
    The application security goals 196
    Aligning the business and security goals 196
  7.3 Identifying the gaps 197
    Finding the immediate gaps 198
    Input into the gap analysis 199
    What to do with the gap analysis 201
  7.4 Sample application security roadmap 202
    Secure engineering education 203
    Educating the application security team 205
    Application security tools roadmap 207
    Aligning engineering and security roadmaps 209
    Building for the future 210

8 Measuring success 215
  8.1 What to measure 216
    Measuring the effectiveness of your tools 217
    Tuning the tools based on feedback 217
    Measuring the effectiveness of your processes 220
    Measuring the mean time to remediate 221
    Optimizing the mean time to remediate 222
  8.2 Gathering effectiveness with KPIs 224
    Building the KPIs 224
    Setting KPI targets 226
    Driving change based on KPIs 227
  8.3 Getting feedback 229
    Getting feedback from conversations 230
    Getting feedback from surveys 230
  8.4 Security scorecard 232
    Preparing for the scorecard 233
    Weighting the scores for the scorecard 235
    Creating the scorecard 236

9 Continuously improving the program 240
  9.1 Keeping ahead of the attacker 241
    MITRE ATT&CK 242
    Cyber Kill Chain 244
  9.2 Threat catalogs 245
    Applying the OWASP Top Ten 246
    Applying the MITRE CWE Top 25 249
  9.3 Staying ahead of engineering 250
    Keeping up with the coding languages 251
    Keeping up with the technology changes 251
    When hiring and training aren't enough 253
  9.4 Stop chasing the shiny new tool 254
    Use a capability matrix 255
    Managing the tool and vendor 256
    Buy the shiny new tool 257
  9.5 Preparing for the worst 258

Appendix Answers to exercises 263

Index 269