Our company is 100% woman-owned, adding a unique perspective to our commitment to excellence!

Alice and Bob Learn Secure Coding

by Wiley
Sold out
Original price $50.00
Current price $50.00
Description

Unlock the power of secure coding with this straightforward and approachable guide!

Discover a game-changing resource that caters to developers of all levels with Alice and Bob Learn Secure Coding. With a refreshing approach, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to break down intricate security concepts into digestible insights that you can apply right away. Explore secure coding in popular languages like Python, Java, JavaScript, and more, while gaining expertise in safeguarding frameworks such as Angular, .NET, and React. Uncover the secrets to combating vulnerabilities by securing your code from the ground up!

Topics include:

  • Secure coding in Python, Java, JavaScript, C/C++, SQL, C#, PHP, and more
  • Security for popular frameworks, including Angular, Express, React, .NET, and Spring
  • Security best practices for APIs, mobile, WebSockets, serverless, IoT, and service mesh
  • Major vulnerability categories, how they happen, the risks, and how to avoid them
  • The Secure System Development Life Cycle, in depth
  • Threat modeling, testing, and code review
  • The agnostic fundamentals of creating secure code that apply to any language or framework


Alice and Bob Learn Secure Coding is designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals. Immerse yourself in practical examples and concrete applications that will deepen your understanding and retention of critical security principles.

Alice and Bob Learn Secure Coding illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader’s ability to grasp and retain the foundational and advanced topics contained within. Don't miss this opportunity to strengthen your knowledge; let Alice and Bob guide you to a secure and successful coding future.

Table of Contents

Foreword xxvii
Introduction xxix

Part I General Advice 1

Chapter 1 Introductory Security Fundamentals 3
  Assume All Other Systems and Data Are Insecure 3
  The CIA Triad 4
  Least Privilege 6
  Secure Defaults/Paved Roads 8
  Assume Breach / Plan For Failure 9
  Zero Trust 9
  Defense in Depth 10
  Supply Chain Security 10
  Security by Obscurity 11
  Attack Surface Reduction 11
  Usable Security 12
  Fail Closed/Safe, Then Roll Back 12
  Compliance, Laws, and Regulations 12
  Security Frameworks 14
  Learning from Mistakes and Sharing Those Lessons 16
  Backward Compatibility (and Potential Risks It Introduces) 16
  Threat Modeling 16
  The Difficulty of Patching 17
  Retesting Fixes for New Security Bugs 18
  Chapter Exercises 19

Chapter 2 Beginning 21
  Follow a Secure System Development Life Cycle 21
  Use a Modern Framework and All Available Security Features Within 22
  Input Validation 23
  Output Encoding 26
  Examples of Output Encoding 27
  HTML Context 28
  JavaScript Context 28
  Parameterized Queries and ORMs 29
  Authentication and Identity 31
  Authorization and Access Control 32
  Access Control Models 33
  Logical Access Control Methods (Implementation) 34
  Session Management 34
  Secret Management 35
  Password Management 37
  Communication Security (Cryptography and HTTPS Only) 39
  Protecting Sensitive Data 40
  Security Headers 43
  New Security Header Features 43
  Fetch Metadata Request Headers 43
  Content Security Policy Header 44
  Strict-Dynamic 44
  Trusted-Types 44
  Security Headers Previously Covered 44
  Content-Security-Policy Header 45
  HTTP Strict-Transport-Security 45
  X-Frame-Options 45
  X-Content-Type-Options 45
  Permissions Policy 46
  Expect-CT 46
  Referrer-Policy 46
  Public Key Pinning Extension for HTTP (HPKP) 46
  X-XSS-Protection 46
  More New Headers 46
  Same-Origin Policy 47
  COEP: Cross-Origin Embedder Policy 47
  COOP: Cross-Origin Opener Policy 48
  CORP: Cross-Origin Resource Policy 48
  CORS: Cross-Origin Resource Sharing 48
  CORB: Cross-Origin Read Blocking 49
  Secure Cookies 50
  Error Handling 51
  Chapter Exercises 52

Chapter 3 Improving 55
  Database Security 56
  Four Perspectives for Protecting Databases 56
  File Management 59
  File Uploads 61
  Your Source Code 62
  Memory Management (Buffer, Stack, String, and Integer Overflows) 63
  How Do We Avoid Overflows? 64
  (De)Serialization 66
  Privacy (User/Citizen/Customer/Employee) 67
  Errors 69
  Logging, Monitoring, and Alerting 72
  Fail Closed 73
  Locking Resources 73
  Enabling Password Managers 74
  Cryptographic Practices 75
  Strongly Typed Languages 76
  Weakly Typed Programming Languages 77
  Domain-Driven Development 78
  Memory-Safe Languages 79
  Chapter Exercises 80

Chapter 4 Achieving 81
  Secure Design 82
  How much is “enough” (design) security? 84
  Dependency Management and Supply Chain Security 85
  Dependency Security 86
  Checking If Dependencies Are Safe to Use 87
  Supply Chain Security 87
  Secure Defaults 90
  Secure Defaults for Users 90
  Secure Defaults for Developers 92
  Readable and Auditable Code 93
  Important Functions Happen on Trusted Systems 96
  What Is an “Untrusted” System? 96
  What Are “Important Functions”? 97
  Putting It Together 97
  Allowlists versus Blocklists 97
  Why Are Block Lists Bad? 98
  How Do We Create an Allowlist? 98
  Secure Configurations 99
  Hostname Validation 100
  Reusable Code 100
  Safe System Calls 102
  Mitigating Circumstances 102
  Commenting and Other Documentation 102
  Comments 103
  Documentation 104
  Verification of User Consent 106
  Integrity Checks, Code Signing, and Immutable Builds 107
  Immutable Builds 108
  Avoiding Brute Force 109
  Security Controls 110
  Handling Elevated Privileges 111
  Security Maintenance 112
  Repaying Technical Debt 113
  Chapter Exercises 114

Summary of Part I 117
  Checklist of General Secure Coding Advice 117

Part II Specific Advice 125

Chapter 5 Technology-Specific 127
  API Security Best Practices 127
  Mobile Application Security Best Practices 134
  WebSocket Security Best Practices 137
  Serverless Security Best Practices 138
  IoT Security Best Practices 140
  Chapter Exercises 141

Chapter 6 Popular Programming Languages 143
  JavaScript 143
  HTML/CSS 148
  HTML5, Specifically 149
  Python 151
  SQL 154
  Node.js 157
  Java 160
  Serialization in Java 164
  TypeScript 165
  C# 166
  PHP 170
  C/C++ 175
  Conclusion 178
  Chapter Exercises 179

Chapter 7 Popular Frameworks 181
  Web and JavaScript 181
  Express 182
  React.js 184
  Angular 186
  jQuery 190
  Vue.js 192
  Other Frameworks and Libraries 194
  .NET (Core) 194
  Ruby on Rails 199
  Spring and Spring Boot 204
  Flask 207
  Chapter Exercises 210

Chapter 8 Vulnerability Categories 211
  Design Flaws / Logic Flaws 212
  How Does This Happen? 213
  The Risk 213
  Prevention 214
  Code Bugs / Implementation Errors 215
  How Does This Happen? 215
  The Risk 215
  Prevention 215
  Overflows and Other Memory Issues 216
  Overflows 216
  Buffer Overreads 217
  Invalid Page Faults 217
  Use After Free 218
  Uninitialized Variables 218
  Memory Leaks 218
  How Does This Happen? 219
  The Risk 219
  Prevention 219
  Injection: Interpreter and Compiler Issues 220
  How Does This Happen? 221
  The Risk 221
  Prevention 221
  Input Issues 222
  How Does This Happen? 223
  The Risk 223
  Prevention 223
  Authentication and Identity Issues 223
  How Does This Happen? 224
  The Risk 224
  Prevention 224
  Authorization and Access Issues 225
  How Does This Happen? 225
  Configuration and Implementation Issues 225
  How Does This Happen? 226
  The Risk 226
  Prevention 226
  Fraudulent Transactions 227
  How Does This Happen? 227
  The Risk 227
  Prevention 228
  Replay Attacks 228
  How Does This Happen? 228
  The Risk 229
  Prevention 229
  Crossing Trust Boundaries 229
  How Does This Happen? 230
  The Risk 230
  Prevention 230
  File Handling Issues 230
  How Does This Happen? 231
  The Risk 231
  Prevention 231
  Object Handling Issues 232
  Prominent Features of OOP 232
  Deserialization and Other Object Handling Issues 234
  How Does This Happen? 234
  The Risk 234
  Prevention 234
  Secrets Management Issues 235
  How Does This Happen? 236
  The Risk 236
  Prevention 236
  Race Conditions and Timing Issues 237
  How Does This Happen? 237
  The Risk 238
  Prevention 238
  Resource Issues 240
  How Does This Happen? 240
  The Risk 241
  Prevention 241
  Falling into an Unknown State 241
  How Does This Happen? 242
  The Risk 242
  Prevention 242
  Chapter Exercises 243

Summary of Part II 245
  Checklist of Technology-Specific Secure Coding Advice 245
  Checklist of Secure Coding Advice for Languages and Frameworks 246
  Summary of Vulnerability Issues to Watch For 248

Part III Secure System Development Life Cycle 251

Chapter 9 Requirements 253
  Project Kick-Off: Outline of Your Project’s Security Activities 253
  Project Scheduling and Planning 254
  Security Requirements 255
  Chapter Exercises 257

Chapter 10 Design 259
  Threat Modeling 260
  Secure Design Patterns and Concepts 262
  Architecture Whiteboarding 263
  Examining Data Flows 263
  Security User Stories 264
  Chapter Exercises 265

Chapter 11 Coding 267
  Training 267
  Organizations 269
  Individuals 270
  Code Review 270
  First- and Second-Generation Static Analysis Tools 271
  Secure Guardrails 272
  IDE Plugins and Other Guidance 273
  Verifying That Your Dependencies Are Safe (SCA) 274
  How Do You Decide Which Dependencies Are Worth Updating or Changing? 274
  Finding and Managing Secrets 275
  Dynamic Testing (DAST) 276
  Chapter Exercises 278

Chapter 12 Testing 279
  Test Coverage and Timing 280
  Depth Versus Coverage 281
  Scanning Your Infrastructure 281
  Production or Lower-Level Environments 281
  Scoping 282
  Timing 282
  Manual Testing 284
  Automated Testing 286
  Fuzzing 287
  Interactive Application Security Testing (IAST) 288
  Bug Bounty Programs 289
  Test Results 290
  Actioning Test Results 291
  Final Thoughts 293
  Chapter Exercises 293

Chapter 13 Release/Deployment 295
  Security Events Within the CI/CD 296
  Breaking the Build 297
  Secret Scanning 298
  Static Analysis 298
  Dynamic Analysis 298
  Software Composition Analysis 299
  Linting 299
  Infrastructure as Code Scanners 299
  Securing the CI/CD Pipeline Itself 299
  Assuring the Integrity of Your Release 302
  Security Release Approval 303
  Chapter Exercises 304

Chapter 14 Maintenance 305
  Monitoring, Alerting, and Observability 306
  Blocking/Shielding 308
  Web Application Firewalls (WAFs) 309
  Content Delivery Networks (CDNs) 309
  Runtime Application Self-Protection (RASP) 310
  Virtual Patching 310
  API Gateways 310
  A Special Note for Data Scientists 311
  Continuous Testing 312
  Security Incidents 313
  Business Continuity and Disaster Recovery Planning 315
  Chapter Exercises 317

Chapter 15 Conclusion 319
  Good Habits 319
  Your Responsibility 322
  How Much Is Enough? 323
  Using Artificial Intelligence Safely 325
  Continuous Learning 327
  Becoming a Champion 328
  Getting Others on Board 330
  Transitioning onto the Security Team 330
  Applying for Security Jobs Outside of Your Organization 331
  Conclusion 335

Summary of Part III 339
  Checklist of Security Activities for Each Phase of the SDLC 339

Appendix A Resources 343
  Chapter 1: Introductory Security Fundamentals 343
  Chapter 2: Beginning 344
  Chapter 3: Improving 345
  Chapter 4: Achieving 347
  Chapter 5: Technology-Specific 349
  Chapter 6: Popular Programming Languages 351
  Chapter 7: Popular Frameworks 355
  Chapter 8: Vulnerability Categories 357
  Chapter 10: Design 359
  Chapter 11: Coding 359
  Chapter 12: Testing 359
  Chapter 13: Release/Deployment 360
  Chapter 14: Maintenance 360

Appendix B Answer Keys 361
  Chapter 1: Introductory Security Fundamentals 361
  Chapter 2: Beginning 363
  Chapter 3: Improving 364
  Chapter 4: Achieving 365
  Chapter 5: Technology-Specific 368
  Chapter 8: Vulnerability Categories 370
  Chapter 9: Requirements 371
  Chapter 11: Coding 372
  Chapter 12: Testing 373
  Chapter 13: Release/Deployment 374
  Chapter 14: Maintenance 375

Index 377

Tanya Janca, aka SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security and Cards Against AppSec. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and Hacker of the Year), spoken all over the planet, and is a prolific blogger. Tanya has trained thousands of software developers and IT security professionals via her online academies (We Hack Purple and Semgrep Academy) and her live training programs. Having performed counter-terrorism work, led security for the 52nd Canadian general election, and developed or secured countless applications, Tanya Janca is widely considered an international authority on the security of software.

"Tanya's book on Secure Coding is a brilliant example of what makes her a great expert and teacher. She takes complex material and makes it human, using clear, direct, and conversational language that sets it apart from most other books on similar topics. Her direct style shows that rather than trying to look smart, she's actually teaching! The book is a welcome inhalation of pure knowledge."
DANIEL MIESSLER, Founder of Unsupervised Learning

"Tanya is a master at breaking down complex technical topics and making them both easily understandable and fun! I wish this book existed when I was first learning cybersecurity, as it's an excellent resource for security fundamentals and principles, important key tips for the most popular programming languages and frameworks, and how to follow a Secure System Development Life Cycle, along with tons of fun anecdotes and examples. Highly recommended for anyone who wants to rapidly learn a ton about secure coding from an industry veteran."
CLINT GIBLER, Head of Security Research at Semgrep and Founder of tl;dr sec

"This book is hands-down one of the best resources out there for learning how to write secure code. The author has an incredible talent for breaking down tough security concepts and making them approachable without watering down the details. Each topic is presented in a way that feels thoughtful and intentional, and the examples are where the magic happens—they're clear, relatable, and most importantly, actionable. These aren't just 'nice-to-see' examples; they're the kind of scenarios you'll encounter in real projects, and they teach you exactly how to handle them securely.

What sets this book apart is its ability to cater to everyone, from beginners who are just getting their feet wet to experienced professionals looking to level up their skills. It doesn't just teach secure coding—it teaches you how to think about security as part of your coding process, which is invaluable in today's tech landscape.

If you've ever struggled to find a resource that connects the dots between theory and practical application, this book does that effortlessly. It's not just about writing code; it's about writing smart, secure code that stands the test of time. Whether you're a developer, a security enthusiast, or just someone who wants to get security right, this book is a must-have. Honestly, it's not just a read—it's a game-changer."
VANDANA VERMA, Security Relations Leader, Founder of InfoSec Girls & InfoSec Kids, OWASP BoD and Leader

"If you're interested in learning about secure coding, this book is for you. Computer science student? Professional software engineer? Product manager for a software product? Executive at a software manufacturer? This is a book you will definitely want to read. Tanya's approach is refreshingly accessible and direct. She immediately addresses popular languages and frameworks before taking an in-depth approach to secure coding practices as they apply to each and every phase in the software development lifecycle. This book is your authoritative guide to secure coding. Learn and enjoy!"
CAROLINE WONG, Author & Cybersecurity Expert Practitioner

"Tanya Janca's latest book is a must-read for developers looking to enhance their secure coding practices. By leading step-by-step and referencing real-world examples, she not only helps developers write stronger, more resilient code but also empowers them to lead by example. This book makes it clear how simple, intentional changes can dramatically reduce vulnerabilities and make it much harder for bad actors to exploit your work."
GARY PERKINS, CISO

"Alice and Bob Learn Secure Coding is almost as good as having Tanya in your office, chatting with you about application security concepts and details. You'll have a great time reading this book and will learn a lot along the way."
ADAM SHOSTACK, Security Trainer, Author, Speaker, Threat Modeling expert

"In all matters Security, trust is earned, not given. In this book, Tanya solidifies the trust she earned in her first book, Alice and Bob Learn Application Security, this time as a source of Secure Coding wisdom and knowledge. Teams will be well served from learning the adventures of Alice and Bob as they journey towards more secure code!"
IZAR TARANDACH, author of Threat Modeling: A Practical Guide for Development Teams

"I love how the author gives the big picture and context to secure coding, so the readers can be like Alice and Bob who are also learning the approach, the architecture, the framework, and the right mindset!"
YABING WANG, VP & CISO, Justworks

"Want to stand out and take your software engineering career to the next level? You'll need to go beyond simply 'making it work' and learn how to write high-quality and secure code. Fortunately, Tanya's unique skill and commitment to breaking down complex information, without sacrificing rich, detailed technical content, will make it easy for you to get started. This is a fantastic book for any software engineer to learn not just why, but HOW to write secure software, a skill that's much desired and highly valued in today's turbulent high-tech world."
DUSTIN LEHR, Co-founder, CPTO of Katilyst Security, Founder of Let's talk Software Security, and author of the Security Champion Program Success Guide

"I remember attending a working session that Tanya was providing at a conference several years ago. The session was not only technical but included levity and storytelling. This book is an extension of that effective method of teaching and brings the full range of techniques, tools, and processes that are needed to build secure systems. This book is a must-have for anyone who is building or maintaining a secure system."
DEREK FISHER, Founder, Securely Built

"This book is a modern equivalent of the pragmatic programmer for secure programming, taking you all the way from beginner to journeyman secure developer. It even has Tanya's own tales from the trenches."
SHANE MURNION, Application Security Specialist

"If you want simple, easy-to-follow guidance about secure coding, from a verified authority on the subject, this book is for you."
TED HARRINGTON, #1 bestselling author, co-founder of both IoT Village and StartVRM, and Executive Partner at ISE

"From a CISO's perspective, Alice and Bob Learn Secure Coding is more than just a book—it's a strategic tool for embedding security into the organizational culture and aligning security with value-driven FinOps principles.

Like Tanya's other books, this drives transformation, enabling teams to move from reactive to proactive security. It underscores a critical truth: the earlier vulnerabilities are identified and fixed in the development lifecycle, the cheaper and more efficient it is to address them, saving time, conserving resources, and significantly reducing risk.

This proactive approach not only mitigates threats but also significantly increases asset value. After all, secure and reliable code is the foundation for every stable system."
RAJAT RAVINDER VARUNI, CISO, SuccessKPI

"Tanya Janca's Alice and Bob Learn Secure Coding is an absolute triumph of technical writing. Building on the charm and accessibility of her first book, Tanya dives deeper into the world of secure coding, tackling one of the most pressing challenges in software development today. What sets this book apart is Tanya's ability to balance technical depth with an engaging and light-hearted tone, making complex concepts approachable for readers across all skill levels.

This book is packed with actionable insights, from detailed explanations of common vulnerabilities to practical strategies for avoiding them. Yet, it never feels overwhelming. Tanya's narrative style—peppered with humor and real-world analogies—keeps the subject matter fresh and enjoyable. It's rare to find a technical book that's as fun to read as informative, but Tanya achieves this effortlessly.

For seasoned professionals, Alice and Bob Learn Secure Coding offers a comprehensive refresher and new perspectives on evolving threats and solutions. For newcomers, it's a masterclass in the fundamentals of secure coding, presented in a way that's both digestible and inspiring. The book's structure ensures readers can easily navigate and revisit topics as needed, making it a valuable reference for years.

In short, this is a must-read for anyone who writes code or works in application security. Tanya Janca has once again proven why she's at the forefront of the industry. Alice and Bob Learn Secure Coding is not just a book—it's an investment in better, safer software for everyone."
FRANCESCO CIPOLLONE, CEO & Founder @ Phoenix Security

"Tanya Janca has written a second book in her poignant and informative Alice and Bob series. This time the dynamic duo is learning secure coding. And like its predecessor, there is much wisdom to glean and stuff to learn from her years of experience.

This is not the kind of book that you start at the first chapter and read it all the way through. You are going to want to use it as a study guide, to fill in the gaps in your knowledge about secure coding practice and methods. Like her earlier book, she won't divulge much about specific vendor tools, but something more important: how to use the application development platforms and tools to make you a better programmer and one that can identify and fix coding errors before some hacker takes advantage of your mistakes and messes up your workday by compromising your systems and stealing your data.

Each chapter ends with a series of exercises to test your retention of what she explains and highlights some common misconceptions of the content. Some of them reflect her wicked sense of humor — such as 'how often should you authenticate to an SSO — only once, unless you have done a really bad job!'

And each section has an end-of-section summary about best practices. If many of them are unfamiliar to you, then take the time to read those chapters and take careful notes about how you can implement her suggestions. Indeed, a good way to browse this book is to carefully read these summaries and see if you need to bone up on these techniques.

Like the first book in this series, I highly recommend this one for both beginners and experienced coders alike."
DAVID STROM, freelance writer and author of two computer books and thousands of magazine articles about technology

"Tanya ensures the book delivers exceptional value for software developers across experience levels, from students to seasoned engineers. Its methodical approach to secure coding fundamentals, combined with language-specific implementations, makes it particularly valuable for:

  • Early-career developers building security-first practices
  • Experienced engineers transitioning to security-focused roles
  • Technical leads implementing secure development practices across teams

The book's greatest strength lies in bridging theoretical security concepts with practical development scenarios. While more comprehensive code examples would enhance its utility, the current content provides a solid foundation for secure coding practices. Highly recommended for software engineering teams and computer science programs looking to establish robust security mindsets."
NIELET D'MELLO, Security Engineer

"Tanya's Alice and Bob Learn Secure Coding will give you a head start on learning about secure coding practices. It covers all the fundamentals a developer needs to know. Practicing the information in this book will allow you to start developing the experience needed to become a secure coder. I go over all this stuff with my devs."
RAY LEBLANC, Application Security Architect & Engineer

Product details

AUTHORS: Tanya Janca
PUBLISHER: Wiley
ISBN-13: 9781394171705
BINDING: Paperback
BISAC: COMPUTERS
LANGUAGE: English