Holistic Info-Sec for Web Developers
About the book
Holistic Info-Sec for Web Developers - Fascicle 1 …
The second part of a three-part book series providing broad and in-depth coverage of what software developers, engineers and architects need to know in order to create robust, reliable, maintainable and secure software, networks and more, delivered continuously, on time, with no nasty surprises.
The full book series can be found here.
To keep up with or review progress, you can view the release notes.
This Fascicle (part of the three part book series) is now content complete, in technical review, and available to read online, purchase electronic or hard copy.
Fascicle 1 focusses on:
- VPS: Apply the learnings from the first four chapters of Fascicle 0 to the topic of VPS security
- Network: Apply the learnings from the first four chapters of Fascicle 0 to the topic of Network security
- Cloud: Apply the learnings from the first four chapters of Fascicle 0 to the topic of Cloud security
- Web Applications: Apply the learnings from the first four chapters of Fascicle 0 to the topic of Application security
The book series begins (in Fascicle 0) by taking the reader to the 30,000’ view, so you can start to see the entire security landscape. Kim then explains a very simple threat modelling approach that Bruce Schneier created, called the Sensible Security Model (SSM). Kim takes the learnings from the first chapter and applies them to lower levels. Kim details how to set up a security-focussed distribution with all the tools and configuration options required for working through the book series. He then walks through the processes and practices that attackers often execute, and we take the learnings from that and train the defenders on how they can move the finding of defects from the most expensive place to the cheapest place: within your Sprint cycles.
The rest of the book series (Fascicle 1 and 2) focusses on the specific areas addressed on the covers of each book, allowing your purple team to create security-focussed product backlog items and insert them into your usual Product Backlog.
Kim also runs training courses based on the content of this book for development teams wishing to improve their security stature.
My intention with the “Holistic Info-Sec for Web Developers” series is in many ways to help you answer your own questions and show you that creating systems and arming people to withstand the types of attacks commonly encountered today is not out of reach of mere mortals, and that simply lifting the lower-hanging fruit for an attacker often means they will move on to an easier target, unless they are specifically targeting you, in which case you should find many of the risks and countermeasures I address effective for increasing the difficulty for your attacker, and thus dramatically increasing your chances of defence and counter-attack.
You can reach Kim on his GitHub, where the work takes place, via his website, or on Twitter @binarymist.
Errata (errors, typos, etc.)
About the author
Kim Carter spends most of his time engineering technical solutions with a focus on shifting security into the development team. He also likes to pass his knowledge, experience and tricks of the trade on to others, and carries out many training classes.
Kim also runs two information security conferences (OWASP NZ Day and the Christchurch Hacker Conference), is a host on Software Engineering Radio, and blogs at blog.binarymist.net.