


This book begins by taking the reader to the 30,000’ view, so you can start to see the entire security landscape. I then explain a very simple threat modelling approach that I believe Bruce Schneier created, called the Sensible Security Model (SSM). We take the learnings from the first chapter and apply them at lower levels. I detail how to set up a security-focussed distribution with all the tools and configuration options required for working through the book. We then walk through the processes and practices that attackers often execute, and use what we learn from that to train defenders on how they can move the finding of defects from the most expensive place to the cheapest place: within your Sprint cycles.

The rest of the book focusses on the specific areas addressed on the cover of this book.


My intention with “Holistic Info-Sec for Web Developers” is in many ways to help you answer your own questions, and to show you that creating systems and arming people to withstand the types of attacks commonly encountered today is not out of reach of mere mortals. Simply removing the lower-hanging fruit often means an attacker will move on to an easier target, unless they are specifically targeting you. In that case you should find many of the risks and countermeasures I address effective for increasing the difficulty for your attacker, and thus dramatically increasing your chances of defence and counter-attack.


As I was travelling from New Zealand to New York City to speak at a technology architects’ conference, I had 17 hours to get quite a bit of work done, catch up on some book reading and podcast listening, and do lots of thinking. It was on that flight that God gave me the concept for this book. I realised I was in a unique place as an architect, engineer and security professional, with a previous career in the physical construction industry, to be able to bridge the gap between the attacking side of our industry and those under attack. I had enough time to work out how best to approach the structure and content, and started to shape it on my GitHub wiki, which was later used at a CampJS tutorial.
From working as a software engineer, I knew that my fellow engineers spent all their working concentration in tunnel vision, and very rarely took the opportunity to step back from their code, config, hardware, PCBs and the other technical aspects that consumed their time in order to look at the entire security landscape that affects us all.

The reason I set out on the journey of distilling my knowledge, and that of others, into a form that can be consumed by Web Developers is that I saw the great need for it amongst my friends and colleagues.


Leanne Carter

Leanne Carter: For being the long-suffering wife of a technologist who often puts his priorities in the wrong places. Leanne has a very pragmatic approach to everything, always seeing the simple (should be obvious) answers. One of Leanne’s natural abilities is being able to walk into a room and lighten the mood instantly. Reviewing and proof editing.

Russ McRee

Russ McRee: For helping and cheerleading with many aspects of the book writing and promoting process, for contacts, and for reaching out to them requesting favours. Technical editing: making sense of my writing and helping to shape and mould it into something that is easily readable by the target audience.

Drewe Hinkley: For contributing his knowledge to the Physical chapter.

Chris Campbell: For contributing phishing countermeasures to the People chapter.

Also be sure to review the Attributions chapter.


Bruce Schneier is an exceptionally talented person that turned his energies to information security, and often more specifically cryptography. Our industry owes a lot to Bruce for his insight and pragmatism in security.

Both Steve McConnell and Bob Martin have written several books that in my opinion remain timeless and capture the essence of what creating quality software means, with many clear guidelines as to how one should go about doing this. They also discuss the common issues of how a software engineer should go about converting defective projects into beautiful, functional and maintainable solutions. There are many other great software engineers that have written excellent guidance, but I always seem to come back to Bob and Steve’s books.

There are so many others I would love to thank, and owe a lot to, for being so generous in passing on their knowledge, insight and wisdom in regards to technology.
