Web Application Security, by Bryan Sullivan, Vincent Liu


I don’t review every book I read; in fact, I probably review about 1 in 3. I like to write about the books I found the most useful, and this book is certainly on that list. While it is a technical book, it is written in a conversational tone that made it easy to read. The book is circa 350 pages long and covers topics such as Network Security, Authentication, Authorization, Database Security, Filesystem Security, Same Origin Policy, XSS, and CSRF.

Network Security

The premise of the book is that companies spend a lot of money on security, the bulk of which goes towards securing their networks with firewalls. Most successful attacks, however, are made directly against their applications and are typically allowed through by the network, since they look like legitimate web traffic. These attacks use flaws in the applications’ own logic to make the applications run malicious code against themselves: the metaphorical equivalent of hitting yourself intentionally.

Attack Surface

The attack surface of an application is the number of possible ways there are to attack it. Features that never get written cannot be exploited, and features that do get written can be designed so that risky functionality is optional and turned off by default. Login screens with “remember me” buttons are a good example: if sessions are not persistent, the application is not exposed to some forms of session hijacking, and the attack surface is reduced.

Authentication

Authentication is the process of proving one’s identity. There are three factors of authentication: what you know (a password), what you have (a passport, an authentication code), and who you are (biometrics). Most websites use one-factor authentication, but some that need to be more secure use two-factor authentication. This is the biggest chapter in the book; it covers topics such as password strength, iterated hashing algorithms, password salting, rainbow tables, and session cookies versus persistent cookies.

Authorization

If authentication is the process of knowing who a user is, authorization is the process of determining whether that user has the right to access a specific resource: whether the resource is a file, a table or a row in a database, whether the right is to read or to write, etc. These permission checks need to happen in the business logic.

Same Origin Policy

The browser enforces a strong Same Origin Policy that prevents developers and attackers from reading the responses to arbitrary AJAX requests, or reading the contents of iframes. One of the reasons for this is, for example, to stop a malicious web author from creating a website that could fetch sensitive information from a big bank’s servers. Without the Same Origin Policy this might work, as the user’s session cookie would be sent with each request to the bank’s server.
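An origin is the triple of scheme, host and port, and two URLs are same-origin only when all three match. The following added example (my own, not from the book) implements that comparison, including the default-port normalisation browsers apply; the hostnames are constructed.

```python
from urllib.parse import urlsplit

# Ports a browser treats as implied when none is written in the URL.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Return the (scheme, host, port) triple a browser compares for the
    Same Origin Policy. The path, query and fragment play no part."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(page_url: str, request_url: str) -> bool:
    """True when a script running on page_url may read a response from
    request_url under the Same Origin Policy (ignoring any CORS headers)."""
    return origin(page_url) == origin(request_url)


if __name__ == "__main__":
    # Constructed example: a page on one site asking for data from a bank.
    page = "https://evil.example/page"
    bank = "https://bank.example/api/balance"
    print("script on", page, "may read", bank, "->", same_origin(page, bank))
```

The check is deliberately strict: a different scheme, a subdomain, or a non-default port each yields a different origin, which is why a site cannot read another site’s responses even though the browser still attaches that site’s cookies to the request.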

XSS

Cross Site Scripting should essentially have been named JavaScript Injection, although it is also possible to inject HTML that can make HTTP requests, such as <img /> and <form /> elements. There are different types of XSS attack, but they more or less work the same way: they get the application to treat data as code by inserting carefully crafted data into the page.
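The defence is to encode untrusted data for the context it is inserted into, so the browser treats it as text rather than markup. This added example (my own, not the book’s) shows a vulnerable renderer beside a hardened one; the sample comment string is constructed for illustration.

```python
import html


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user data is concatenated straight into the markup, so any
    tags inside the comment become part of the page (data treated as code)."""
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment: str) -> str:
    """Hardened: encode the characters that have meaning in HTML text content
    (& < > " ') so the browser renders them literally."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attribute(value: str) -> str:
    """Attribute context: keep the attribute quoted and escape quotes too, so
    the value cannot close the attribute and start a new one."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


# Constructed sample input: the canonical test string containing a script tag.
SAMPLE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe  :", render_comment_unsafe(SAMPLE))
    print("escaped :", render_comment(SAMPLE))
    print("attr    :", render_attribute('say "hi"'))
```

Note that the right encoding depends on where the data lands (text node, attribute, URL, JavaScript string); `html.escape` covers the first two, and a templating engine with auto-escaping applies this for you on every output.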

CSRF

Cross Site Request Forgery is another popular attack where an attacker makes an HTTP request on behalf of the user that modifies data on a service the user is currently authenticated to. The attacker is then usually unable to read back the response because of CORS, but by that point the damage has usually been done.
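The standard mitigation is a per-session anti-forgery token that a forged cross-site request cannot know, because the forging page cannot read the victim’s page to copy it. Below is an added example (my own, not the book’s) of the synchronizer-token pattern; the request dictionary and `handle_transfer` handler are hypothetical stand-ins for a web framework’s request object and route, and the server secret is generated at start-up here purely for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: a random nonce plus an HMAC over
    (session_id, nonce). The page embeds it in every state-changing form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, (session_id + ":" + nonce).encode("utf-8"),
                   hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, (session_id + ":" + nonce).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict, session_id: str) -> str:
    """State-changing handler. The session cookie alone is not enough: the
    form must also carry a token valid for this session. A forged POST from
    another site carries the cookie but not the token, so it is rejected."""
    if request.get("method") != "POST":
        return "405 method not allowed"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return "403 csrf check failed"
    return "200 transfer accepted"


if __name__ == "__main__":
    session = "session-of-alice"  # constructed session identifier
    token = issue_csrf_token(session)
    genuine = {"method": "POST", "form": {"csrf_token": token, "amount": "10"}}
    forged = {"method": "POST", "form": {"amount": "10"}}
    print("genuine:", handle_transfer(genuine, session))
    print("forged :", handle_transfer(forged, session))
```

Binding the token to the session with an HMAC means a token issued to one session is useless in another, and rejecting non-POST methods keeps a GET link from triggering the action at all.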

Database Security

It is possible to inject malicious SQL into the queries an application sends to its database: this is called a SQL Injection attack. It works when the server does not validate the input it receives and does not escape it. Fascinatingly, it is also possible to perform blind SQL injection attacks, where the attacker is eventually able to recover the contents of entire databases by timing how long a true condition takes to execute versus an error.
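The fix that removes the whole class, blind variants included, is to never splice input into SQL text and instead bind it as a parameter. This added example (my own, not the book’s) runs a vulnerable lookup and a parameterised one against a constructed in-memory SQLite table, using the classic always-true probe that scanners send, so the difference is visible in the results.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable: the input is spliced into the SQL text, so a quote in it
    closes the string literal and changes the structure of the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: the value is bound as a parameter, so it is always data and
    can never become part of the SQL grammar, whatever characters it holds."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


# Constructed probe input: closes the literal and appends an always-true clause.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("unsafe, normal :", find_user_unsafe(db, "alice"))
    print("unsafe, probe  :", find_user_unsafe(db, PROBE))
    print("bound,  probe  :", find_user(db, PROBE))
```

With the bound parameter the probe simply looks for a user literally named `x' OR '1'='1` and finds nothing; escaping by hand is the fragile alternative, and input validation is a useful second layer rather than a replacement.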

Filesystem Security

Some apps do not manage their file access permissions correctly, and this can be exploited. For example, if a filename appears in the URL or in an <img /> tag of a page an attacker is visiting, he might in some cases be able to easily find other files in the same directory, or perform a Dot-Dot-Slash (path traversal) attack whereby he is able to explore the whole filesystem.
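The defence against dot-dot-slash is to resolve the requested name against a fixed base directory and refuse anything that lands outside it after symlinks and `..` segments are resolved. Here is an added example (my own, not the book’s) of that check; `make_sample_root` builds a constructed temporary directory tree so the code runs offline, and the file names in it are illustrative.

```python
import os
import tempfile
from typing import Optional


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it lies inside base_dir,
    else None. realpath() collapses '..' and follows symlinks on both sides;
    commonpath() avoids the prefix trap where /srv/files2 would otherwise
    look like it is under /srv/files."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_under(base_dir: str, requested: str) -> Optional[bytes]:
    """Serve a file only if it resolves inside base_dir and is a regular file,
    so directories are never listed and nothing outside the root is opened."""
    path = resolve_under(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def make_sample_root() -> str:
    """Constructed layout: <tmp>/files/images/logo.png is the served root,
    and <tmp>/files2/secret.txt is a sibling that must stay unreachable."""
    tmp = tempfile.mkdtemp(prefix="fs-example-")
    os.makedirs(os.path.join(tmp, "files", "images"))
    os.makedirs(os.path.join(tmp, "files2"))
    with open(os.path.join(tmp, "files", "images", "logo.png"), "wb") as fh:
        fh.write(b"PNG-PLACEHOLDER")
    with open(os.path.join(tmp, "files2", "secret.txt"), "wb") as fh:
        fh.write(b"must not be served")
    return os.path.join(tmp, "files")


if __name__ == "__main__":
    root = make_sample_root()
    for name in ["images/logo.png", "../../etc/passwd", "/etc/passwd", "../files2/secret.txt"]:
        print("%-24s -> %s" % (name, resolve_under(root, name)))
```

Note that `os.path.join` discards the base when the second argument is absolute, which is exactly why the containment check has to run on the final resolved path rather than on the input string.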

Secure Software Development Processes

Finally, the book touches on secure development processes, whereby teams bake security in from the start of their creative process rather than as an afterthought. Product managers could include a security assessment step in their kanban flows, and CI/CD pipelines could include automated source code checks and black-box checks to minimise the risk of shipping dangerous features.


Author: Daniel Leaver

Software Engineer
