Foundations of Security: What Every Programmer Needs to Know - Christoph Kern

Foundations of Security

What Every Programmer Needs to Know

Paperback Published: 1st February 2007
ISBN: 9781590597842
Number Of Pages: 290


Foundations of Security: What Every Programmer Needs to Know teaches new and current software professionals the state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems. Once you're equipped with the techniques covered in this book, you can start to alleviate some of the inherent vulnerabilities that make today's software so susceptible to attack. The book uses web servers and web applications as running examples throughout.

For the past few years, the Internet has had a "wild, wild west" flavor to it. Credit card numbers are stolen in massive numbers. Commercial web sites have been shut down by Internet worms. Poor privacy practices come to light and cause great embarrassment to the corporations behind them. All these security-related issues contribute at least to a lack of trust and loss of goodwill. Often there is a monetary cost as well, as companies scramble to clean up the mess when they get spotlighted for poor security practices.

It takes time to build trust with users, and trust is hard to win back. Security vulnerabilities get in the way of that trust. Foundations of Security: What Every Programmer Needs to Know helps you manage risk due to insecure code and build trust with users by showing how to write code to prevent, detect, and contain attacks.

  • The lead author co-founded the Stanford Center for Professional Development Computer Security Certification.
  • This book teaches you how to be more vigilant and develop a sixth sense for identifying and eliminating potential security vulnerabilities.
  • You'll receive hands-on code examples for a deep and practical understanding of security.
  • You'll learn enough about security to get the job done.

From the reviews:

"It is written based on a course for beginning programmers. ... The book has three main parts: security design principles, secure programming techniques, and an introduction to cryptography. ... Exercises are included at the end of each part in order to provide suggestions for getting hands-on experience." (A. Mariën, ACM Computing Reviews, Vol. 49 (5), May, 2008)

Foreword
About the Authors
About the Technical Reviewer
Acknowledgments
Preface
Security Design Principles
Security Goals
Security Is Holistic
Physical Security
Technological Security
Policies and Procedures
Authentication
Something You Know
Something You Have
Something You Are
Final Notes on Authentication
Authorization
Access Control Lists (ACLs)
Access Control Models
The Bell-LaPadula Model
Confidentiality
Message/Data Integrity
Accountability
Availability
Non-repudiation
Concepts at Work
Secure Systems Design
Understanding Threats
Defacement
Infiltration
Phishing
Pharming
Insider Threats
Click Fraud
Denial-of-Service (DoS)
Data Theft and Data Loss
Designing-In Security
Windows 98
The Internet
Turtle Shell Architectures
Convenience and Security
SimpleWebServer Code Example
Hypertext Transfer Protocol (HTTP)
Code Walkthrough
Security in Software Requirements
Specifying Error Handling Requirements
Sharing Requirements with Quality Assurance (QA)
Handling Internal Errors Securely
Including Validation and Fraud Checks
Writing Measurable Security Requirements
Security or Bust
Security by Obscurity
Flaws in the Approach
SimpleWebServer Obscurity
Things to Avoid
Open vs. Closed Source
A Game of Economics
"Good Enough" Security
Secure Design Principles
The Principle of Least Privilege
Defense-in-Depth
Prevent, Detect, Contain, and Recover
Don't Forget Containment and Recovery
Password Security Example
Diversity-in-Defense
Securing the Weakest Link
Weak Passwords
People
Implementation Vulnerabilities
Fail-Safe Stance
SimpleWebServer Fail-Safe Example
Attempted Fix 1: Checking the File Length
Attempted Fix 2: Don't Store the File in Memory
Fix: Don't Store the File in Memory, and Impose a Download Limit
Secure by Default
Simplicity
Usability
Security Features Do Not Imply Security
Exercises for Part 1
Secure Programming Techniques
Worms and Other Malware
What Is a Worm?
An Abridged History of Worms
The Morris Worm: What It Did
The Morris Worm: What We Learned
The Creation of CERT
The Code Red Worm
The Nimda Worm
The Blaster and SQL Slammer Worms
More Malware
Buffer Overflows
Anatomy of a Buffer Overflow
A Small Example
A More Detailed Example
The safe_gets() Function
Safe String Libraries
Additional Approaches
StackGuard
Static Analysis Tools
Performance
Heap-Based Overflows
Other Memory Corruption Vulnerabilities
Format String Vulnerabilities
Integer Overflows
Client-State Manipulation
Pizza Delivery Web Site Example
Attack Scenario
Solution 1: Authoritative State Stays at Server
Solution 2: Signed State Sent to Client
Using HTTP POST Instead of GET
Cookies
JavaScript
SQL Injection
Attack Scenario
Solutions
Why Blacklisting Does Not Work
Whitelisting-Based Input Validation
Escaping
Second Order SQL Injection
Prepared Statements and Bind Variables
Mitigating the Impact of SQL Injection Attacks
Password Security
A Strawman Proposal
Hashing
Offline Dictionary Attacks
Salting
Online Dictionary Attacks
Additional Password Security Techniques
Strong Passwords
"Honeypot" Passwords
Password Filtering
Aging Passwords
Pronounceable Passwords
Limited Login Attempts
Artificial Delays
Last Login
Image Authentication
One-Time Passwords
Cross-Domain Security in Web Applications
Interaction Between Web Pages from Different Domains
HTML, JavaScript, and the Same-Origin Policy
Possible Interactions of Documents from Different Origins
HTTP Request Authentication
Lifetime of Cached Cookies and HTTP Authentication Credentials
Attack Patterns
Cross-Site Request Forgery (XSRF)
Cross-Site Script Inclusion (XSSI)
Cross-Site Scripting (XSS)
Preventing XSRF
Inspecting Referer Headers
Validation via User-Provided Secret
Validation via Action Token
Security Analysis of the Action Token Scheme
Preventing XSSI
Authentication via Action Token
Restriction to POST Requests
Preventing Resource Access for Cost Reasons
Preventing XSS
General Considerations
Simple Text
Tag Attributes (e.g., Form Field Value Attributes)
URL Attributes (href and src)
Style Attributes
Within Style Tags
In JavaScript Context
JavaScript-Valued Attributes
Redirects, Cookies, and Header Injection
Filters for "Safe" Subsets of HTML
Unspecified Charsets, Browser-Side Charset Guessing, and UTF-7 XSS Attacks
Non-HTML Documents and Internet Explorer Content-Type Sniffing
Mitigating the Impact of XSS Attacks
Exercises for Part 2
Introduction to Cryptography
Symmetric Key Cryptography
Introduction to Encryption
Substitution Ciphers
Notation and Terminology
Block Ciphers
Security by Obscurity: Recap
Encrypting More Data
AES Code Example
Stream Ciphers
One-Time Pad
RC4
Steganography
What Is Steganography?
Steganography vs. Cryptography
Asymmetric Key Cryptography
Why Asymmetric Key Cryptography?
RSA
Elliptic Curve Cryptography (ECC)
Symmetric vs. Asymmetric Key Cryptography
Certificate Authorities
Identity-Based Encryption (IBE)
Authentication with Encryption
Key Management and Exchange
Types of Keys
Identity Keys
Conversation or Session Keys
Integrity Keys
Key Generation
Random Number Generation
The rand() function
Random Device Files
Random APIs
Key (Secret) Storage
Keys in Source Code
Storing the Key in a File on Disk
"Hard to Reach" Places
Storing Secrets in External Devices
Key Agreement and Exchange
Using Asymmetric Keys
Diffie-Hellman (DH)
MACs and Signatures
Secure Hash Functions
Message Authentication Codes (MACs)
CBC MACs
HMAC
Signatures
Certificates and Certificate Authorities (CAs)
Signing and Verifying
Registration Authorities (RAs)
Web of Trust
Attacks Against Hash Functions
SSL
Server-Authenticated-Only
Mutual Authentication
Exercises for Part 3
Defense-in-Depth: The FLI Model
Protecting Against Failure
Protecting Against Lies
Protecting Against Infiltration
Other Techniques
Using an FLI-like Model
References
Source Code Listings
References
Index
Table of Contents provided by Ingram. All Rights Reserved.

ISBN-10: 1590597842
Series: Expert's Voice
Audience: General
Format: Paperback
Language: English
Publisher: Apress
Country of Publication: US
Dimensions (cm): 23.37 x 18.8 x 1.78
Weight (kg): 0.59