{"product_id":"alice-and-bob-learn-application-security-isbn-9781119687351","title":"Alice and Bob Learn Application Security","description":"\u003cp\u003e\u003cb\u003eLearn application security from the very start, with this comprehensive and approachable guide!\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.\u003c\/p\u003e \u003cp\u003eTopics include:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eSecure requirements, design, coding, and deployment\u003c\/li\u003e \u003cli\u003eSecurity Testing (all forms)\u003c\/li\u003e \u003cli\u003eCommon Pitfalls\u003c\/li\u003e \u003cli\u003eApplication Security Programs\u003c\/li\u003e \u003cli\u003eSecuring Modern Applications\u003c\/li\u003e \u003cli\u003eSoftware Developer Security Hygiene\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.\u003c\/p\u003e \u003cp\u003e\u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's 
ability to grasp and retain the foundational and advanced topics contained within.\u003c\/p\u003e \u003cp\u003eForeword xxi\u003c\/p\u003e \u003cp\u003eIntroduction xxiii\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I What You Must Know to Write Code Safe Enough to Put on the Internet 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Security Fundamentals 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Security Mandate: CIA 3\u003c\/p\u003e \u003cp\u003eConfidentiality 4\u003c\/p\u003e \u003cp\u003eIntegrity 5\u003c\/p\u003e \u003cp\u003eAvailability 5\u003c\/p\u003e \u003cp\u003eAssume Breach 7\u003c\/p\u003e \u003cp\u003eInsider Threats 8\u003c\/p\u003e \u003cp\u003eDefense in Depth 9\u003c\/p\u003e \u003cp\u003eLeast Privilege 11\u003c\/p\u003e \u003cp\u003eSupply Chain Security 11\u003c\/p\u003e \u003cp\u003eSecurity by Obscurity 13\u003c\/p\u003e \u003cp\u003eAttack Surface Reduction 14\u003c\/p\u003e \u003cp\u003eHard Coding 15\u003c\/p\u003e \u003cp\u003eNever Trust, Always Verify 15\u003c\/p\u003e \u003cp\u003eUsable Security 17\u003c\/p\u003e \u003cp\u003eFactors of Authentication 18\u003c\/p\u003e \u003cp\u003eExercises 20\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Security Requirements 21\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRequirements 22\u003c\/p\u003e \u003cp\u003eEncryption 23\u003c\/p\u003e \u003cp\u003eNever Trust System Input 24\u003c\/p\u003e \u003cp\u003eEncoding and Escaping 28\u003c\/p\u003e \u003cp\u003eThird-Party Components 29\u003c\/p\u003e \u003cp\u003eSecurity Headers: Seatbelts for Web Apps 31\u003c\/p\u003e \u003cp\u003eSecurity Headers in Action 32\u003c\/p\u003e \u003cp\u003eX-XSS-Protection 32\u003c\/p\u003e \u003cp\u003eContent-Security-Policy (CSP) 32\u003c\/p\u003e \u003cp\u003eX-Frame-Options 35\u003c\/p\u003e \u003cp\u003eX-Content-Type-Options 36\u003c\/p\u003e \u003cp\u003eReferrer-Policy 36\u003c\/p\u003e \u003cp\u003eStrict-Transport-Security (HSTS) 37\u003c\/p\u003e 
\u003cp\u003eFeature-Policy 38\u003c\/p\u003e \u003cp\u003eX-Permitted-Cross-Domain-Policies 39\u003c\/p\u003e \u003cp\u003eExpect-CT 39\u003c\/p\u003e \u003cp\u003ePublic Key Pinning Extension for HTTP (HPKP) 41\u003c\/p\u003e \u003cp\u003eSecuring Your Cookies 42\u003c\/p\u003e \u003cp\u003eThe Secure Flag 42\u003c\/p\u003e \u003cp\u003eThe HttpOnly Flag 42\u003c\/p\u003e \u003cp\u003ePersistence 43\u003c\/p\u003e \u003cp\u003eDomain 43\u003c\/p\u003e \u003cp\u003ePath 44\u003c\/p\u003e \u003cp\u003eSame-Site 44\u003c\/p\u003e \u003cp\u003eCookie Prefixes 45\u003c\/p\u003e \u003cp\u003eData Privacy 45\u003c\/p\u003e \u003cp\u003eData Classification 45\u003c\/p\u003e \u003cp\u003ePasswords, Storage, and Other Important Decisions 46\u003c\/p\u003e \u003cp\u003eHTTPS Everywhere 52\u003c\/p\u003e \u003cp\u003eTLS Settings 53\u003c\/p\u003e \u003cp\u003eComments 54\u003c\/p\u003e \u003cp\u003eBackup and Rollback 54\u003c\/p\u003e \u003cp\u003eFramework Security Features 54\u003c\/p\u003e \u003cp\u003eTechnical Debt = Security Debt 55\u003c\/p\u003e \u003cp\u003eFile Uploads 56\u003c\/p\u003e \u003cp\u003eErrors and Logging 57\u003c\/p\u003e \u003cp\u003eInput Validation and Sanitization 58\u003c\/p\u003e \u003cp\u003eAuthorization and Authentication 59\u003c\/p\u003e \u003cp\u003eParameterized Queries 59\u003c\/p\u003e \u003cp\u003eURL Parameters 60\u003c\/p\u003e \u003cp\u003eLeast Privilege 60\u003c\/p\u003e \u003cp\u003eRequirements Checklist 61\u003c\/p\u003e \u003cp\u003eExercises 63\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Secure Design 65\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDesign Flaw vs. 
Security Bug 66\u003c\/p\u003e \u003cp\u003eDiscovering a Flaw Late 67\u003c\/p\u003e \u003cp\u003ePushing Left 68\u003c\/p\u003e \u003cp\u003eSecure Design Concepts 68\u003c\/p\u003e \u003cp\u003eProtecting Sensitive Data 68\u003c\/p\u003e \u003cp\u003eNever Trust, Always Verify\/Zero Trust\/Assume Breach 70\u003c\/p\u003e \u003cp\u003eBackup and Rollback 71\u003c\/p\u003e \u003cp\u003eServer-Side Security Validation 73\u003c\/p\u003e \u003cp\u003eFramework Security Features 74\u003c\/p\u003e \u003cp\u003eSecurity Function Isolation 74\u003c\/p\u003e \u003cp\u003eApplication Partitioning 75\u003c\/p\u003e \u003cp\u003eSecret Management 76\u003c\/p\u003e \u003cp\u003eRe-authentication for Transactions (Avoiding CSRF) 76\u003c\/p\u003e \u003cp\u003eSegregation of Production Data 77\u003c\/p\u003e \u003cp\u003eProtection of Source Code 77\u003c\/p\u003e \u003cp\u003eThreat Modeling 78\u003c\/p\u003e \u003cp\u003eExercises 82\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Secure Code 83\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSelecting Your Framework and Programming Language 83\u003c\/p\u003e \u003cp\u003eExample #1 85\u003c\/p\u003e \u003cp\u003eExample #2 85\u003c\/p\u003e \u003cp\u003eExample #3 86\u003c\/p\u003e \u003cp\u003eProgramming Languages and Frameworks: The Rule 87\u003c\/p\u003e \u003cp\u003eUntrusted Data 87\u003c\/p\u003e \u003cp\u003eHTTP Verbs 89\u003c\/p\u003e \u003cp\u003eIdentity 90\u003c\/p\u003e \u003cp\u003eSession Management 91\u003c\/p\u003e \u003cp\u003eBounds Checking 93\u003c\/p\u003e \u003cp\u003eAuthentication (AuthN) 94\u003c\/p\u003e \u003cp\u003eAuthorization (AuthZ) 96\u003c\/p\u003e \u003cp\u003eError Handling, Logging, and Monitoring 99\u003c\/p\u003e \u003cp\u003eRules for Errors 100\u003c\/p\u003e \u003cp\u003eLogging 100\u003c\/p\u003e \u003cp\u003eMonitoring 101\u003c\/p\u003e \u003cp\u003eExercises 103\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Common Pitfalls 105\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOWASP 
105\u003c\/p\u003e \u003cp\u003eDefenses and Vulnerabilities Not Previously Covered 109\u003c\/p\u003e \u003cp\u003eCross-Site Request Forgery 110\u003c\/p\u003e \u003cp\u003eServer-Side Request Forgery 112\u003c\/p\u003e \u003cp\u003eDeserialization 114\u003c\/p\u003e \u003cp\u003eRace Conditions 115\u003c\/p\u003e \u003cp\u003eClosing Comments 117\u003c\/p\u003e \u003cp\u003eExercises 117\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II What You Should Do to Create Very Good Code 119\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Testing and Deployment 121\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eTesting Your Code 121\u003c\/p\u003e \u003cp\u003eCode Review 122\u003c\/p\u003e \u003cp\u003eStatic Application Security Testing (SAST) 123\u003c\/p\u003e \u003cp\u003eSoftware Composition Analysis (SCA) 125\u003c\/p\u003e \u003cp\u003eUnit Tests 126\u003c\/p\u003e \u003cp\u003eInfrastructure as Code (IaC) and Security as Code (SaC) 128\u003c\/p\u003e \u003cp\u003eTesting Your Application 129\u003c\/p\u003e \u003cp\u003eManual Testing 130\u003c\/p\u003e \u003cp\u003eBrowsers 131\u003c\/p\u003e \u003cp\u003eDeveloper Tools 131\u003c\/p\u003e \u003cp\u003eWeb Proxies 132\u003c\/p\u003e \u003cp\u003eFuzzing 133\u003c\/p\u003e \u003cp\u003eDynamic Application Security Testing (DAST) 133\u003c\/p\u003e \u003cp\u003eVA\/Security Assessment\/PenTest 135\u003c\/p\u003e \u003cp\u003eTesting Your Infrastructure 141\u003c\/p\u003e \u003cp\u003eTesting Your Database 141\u003c\/p\u003e \u003cp\u003eTesting Your APIs and Web Services 142\u003c\/p\u003e \u003cp\u003eTesting Your Integrations 143\u003c\/p\u003e \u003cp\u003eTesting Your Network 144\u003c\/p\u003e \u003cp\u003eDeployment 145\u003c\/p\u003e \u003cp\u003eEditing Code Live on a Server 146\u003c\/p\u003e \u003cp\u003ePublishing from an IDE 146\u003c\/p\u003e \u003cp\u003e“Homemade” Deployment Systems 147\u003c\/p\u003e \u003cp\u003eRun Books 148\u003c\/p\u003e \u003cp\u003eContinuous 
Integration\/Continuous Delivery\/Continuous Deployment 148\u003c\/p\u003e \u003cp\u003eExercises 149\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 An AppSec Program 151\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eApplication Security Program Goals 152\u003c\/p\u003e \u003cp\u003eCreating and Maintaining an Application Inventory 153\u003c\/p\u003e \u003cp\u003eCapability to Find Vulnerabilities in Written, Running, and Third-Party Code 153\u003c\/p\u003e \u003cp\u003eKnowledge and Resources to Fix the Vulnerabilities 154\u003c\/p\u003e \u003cp\u003eEducation and Reference Materials 155\u003c\/p\u003e \u003cp\u003eProviding Developers with Security Tools 155\u003c\/p\u003e \u003cp\u003eHaving One or More Security Activities During Each Phase of Your SDLC 156\u003c\/p\u003e \u003cp\u003eImplementing Useful and Effective Tooling 157\u003c\/p\u003e \u003cp\u003eAn Incident Response Team That Knows When to Call You 157\u003c\/p\u003e \u003cp\u003eContinuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159\u003c\/p\u003e \u003cp\u003eMetrics 159\u003c\/p\u003e \u003cp\u003eExperimentation 161\u003c\/p\u003e \u003cp\u003eFeedback from Any and All Stakeholders 161\u003c\/p\u003e \u003cp\u003eA Special Note on DevOps and Agile 162\u003c\/p\u003e \u003cp\u003eApplication Security Activities 162\u003c\/p\u003e \u003cp\u003eApplication Security Tools 164\u003c\/p\u003e \u003cp\u003e\u003ci\u003eYour \u003c\/i\u003eApplication Security Program 165\u003c\/p\u003e \u003cp\u003eExercises 166\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Securing Modern Applications and Systems 167\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAPIs and Microservices 168\u003c\/p\u003e \u003cp\u003eOnline Storage 171\u003c\/p\u003e \u003cp\u003eContainers and Orchestration 172\u003c\/p\u003e \u003cp\u003eServerless 174\u003c\/p\u003e \u003cp\u003eInfrastructure as Code (IaC) 175\u003c\/p\u003e \u003cp\u003eSecurity as Code (SaC) 177\u003c\/p\u003e 
\u003cp\u003ePlatform as a Service (PaaS) 178\u003c\/p\u003e \u003cp\u003eInfrastructure as a Service (IaaS) 179\u003c\/p\u003e \u003cp\u003eContinuous Integration\/Delivery\/Deployment 180\u003c\/p\u003e \u003cp\u003eDev(Sec)Ops 180\u003c\/p\u003e \u003cp\u003eDevSecOps 182\u003c\/p\u003e \u003cp\u003eThe Cloud 183\u003c\/p\u003e \u003cp\u003eCloud Computing 183\u003c\/p\u003e \u003cp\u003eCloud Native 184\u003c\/p\u003e \u003cp\u003eCloud Native Security 185\u003c\/p\u003e \u003cp\u003eCloud Workflows 185\u003c\/p\u003e \u003cp\u003eModern Tooling 186\u003c\/p\u003e \u003cp\u003eIAST Interactive Application Security Testing 186\u003c\/p\u003e \u003cp\u003eRuntime Application Security Protection 187\u003c\/p\u003e \u003cp\u003eFile Integrity Monitoring 187\u003c\/p\u003e \u003cp\u003eApplication Control Tools (Approved Software Lists) 187\u003c\/p\u003e \u003cp\u003eSecurity Tools Created for DevOps Pipelines 188\u003c\/p\u003e \u003cp\u003eApplication Inventory Tools 188\u003c\/p\u003e \u003cp\u003eLeast Privilege and Other Policy Automation 189\u003c\/p\u003e \u003cp\u003eModern Tactics 189\u003c\/p\u003e \u003cp\u003eSummary 191\u003c\/p\u003e \u003cp\u003eExercises 191\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Helpful Information on How to Continue to Create Very Good Code 193\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Good Habits 195\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePassword Management 196\u003c\/p\u003e \u003cp\u003eRemove Password Complexity Rules 196\u003c\/p\u003e \u003cp\u003eUse a Password Manager 197\u003c\/p\u003e \u003cp\u003ePassphrases 198\u003c\/p\u003e \u003cp\u003eDon’t Reuse Passwords 198\u003c\/p\u003e \u003cp\u003eDo Not Implement Password Rotation 199\u003c\/p\u003e \u003cp\u003eMulti-Factor Authentication 199\u003c\/p\u003e \u003cp\u003eIncident Response 200\u003c\/p\u003e \u003cp\u003eFire Drills 201\u003c\/p\u003e \u003cp\u003eContinuous Scanning 202\u003c\/p\u003e \u003cp\u003eTechnical Debt 
202\u003c\/p\u003e \u003cp\u003eInventory 203\u003c\/p\u003e \u003cp\u003eOther Good Habits 204\u003c\/p\u003e \u003cp\u003ePolicies 204\u003c\/p\u003e \u003cp\u003eDownloads and Devices 204\u003c\/p\u003e \u003cp\u003eLock Your Machine 204\u003c\/p\u003e \u003cp\u003ePrivacy 205\u003c\/p\u003e \u003cp\u003eSummary 206\u003c\/p\u003e \u003cp\u003eExercises 206\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Continuous Learning 207\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat to Learn 208\u003c\/p\u003e \u003cp\u003eOffensive = Defensive 208\u003c\/p\u003e \u003cp\u003eDon’t Forget Soft Skills 208\u003c\/p\u003e \u003cp\u003eLeadership != Management 209\u003c\/p\u003e \u003cp\u003eLearning Options 209\u003c\/p\u003e \u003cp\u003eAccountability 212\u003c\/p\u003e \u003cp\u003eCreate Your Plan 213\u003c\/p\u003e \u003cp\u003eTake Action 214\u003c\/p\u003e \u003cp\u003eExercises 214\u003c\/p\u003e \u003cp\u003eLearning Plan 216\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Closing Thoughts 217\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLingering Questions 218\u003c\/p\u003e \u003cp\u003eWhen Have You Done \u003ci\u003eEnough\u003c\/i\u003e? 218\u003c\/p\u003e \u003cp\u003eHow Do You Get Management on Board? 220\u003c\/p\u003e \u003cp\u003eHow Do You Get Developers on Board? 221\u003c\/p\u003e \u003cp\u003eWhere Do You Start? 222\u003c\/p\u003e \u003cp\u003eWhere Do You Get Help? 
223\u003c\/p\u003e \u003cp\u003eConclusion 223\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix A Resources 225\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntroduction 225\u003c\/p\u003e \u003cp\u003eChapter 1: Security Fundamentals 225\u003c\/p\u003e \u003cp\u003eChapter 2: Security Requirements 226\u003c\/p\u003e \u003cp\u003eChapter 3: Secure Design 227\u003c\/p\u003e \u003cp\u003eChapter 4: Secure Code 228\u003c\/p\u003e \u003cp\u003eChapter 5: Common Pitfalls 228\u003c\/p\u003e \u003cp\u003eChapter 6: Testing and Deployment 229\u003c\/p\u003e \u003cp\u003eChapter 7: An AppSec Program 229\u003c\/p\u003e \u003cp\u003eChapter 8: Securing Modern Applications and Systems 230\u003c\/p\u003e \u003cp\u003eChapter 9: Good Habits 231\u003c\/p\u003e \u003cp\u003eChapter 10: Continuous Learning 231\u003c\/p\u003e \u003cp\u003e\u003cb\u003eAppendix B Answer Key 233\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eChapter 1: Security Fundamentals 233\u003c\/p\u003e \u003cp\u003eChapter 2: Security Requirements 235\u003c\/p\u003e \u003cp\u003eChapter 3: Secure Design 236\u003c\/p\u003e \u003cp\u003eChapter 4: Secure Code 238\u003c\/p\u003e \u003cp\u003eChapter 5: Common Pitfalls 241\u003c\/p\u003e \u003cp\u003eChapter 6: Testing and Deployment 242\u003c\/p\u003e \u003cp\u003eChapter 7: An AppSec Program 244\u003c\/p\u003e \u003cp\u003eChapter 8: Securing Modern Applications and Systems 245\u003c\/p\u003e \u003cp\u003eChapter 9: Good Habits 247\u003c\/p\u003e \u003cp\u003eChapter 10: Continuous Learning 248\u003c\/p\u003e \u003cp\u003eIndex 249\u003c\/p\u003e \u003cp\u003e\u003cb\u003eTanya Janca,\u003c\/b\u003e also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. 
She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.\u003c\/p\u003e  \u003cp\u003e\u003cb\u003eA TRIED-AND-TESTED APPROACH TO BUILDING SECURITY INTO PROJECTS FROM THE START\u003c\/b\u003e \u003c\/p\u003e\u003cp\u003eDo you have difficulty implementing application security into your software development process? \u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e shows readers how to \"push left\" in software, by building security considerations into their system development life cycle, right from the start. \u003c\/p\u003e\u003cp\u003eYou'll learn basic security fundamentals and requirements, as well as secure design concepts, all while benefiting from the code, exercises, and examples interspersed throughout the text. \u003c\/p\u003e\u003cp\u003eWritten by one of the leading voices in the application security field, the book includes answers to the most common questions people starting out in application security often have. It also includes valuable additional resources where readers can find more answers. \u003c\/p\u003e\u003cp\u003eThe core security concepts are illustrated through references to the personas of Alice and Bob and how their professional lives and businesses drive application security decisions. The book takes a pleasantly straightforward approach that's heavy on practical strategies and light on needless jargon or complexity. At the same time, it supplies the rigor or richness you would expect to find in a leading resource on the topic of application security. \u003c\/p\u003e\u003cp\u003eThe book is perfect for current and aspiring software and application developers. It also belongs on the bookshelves of software project managers, Chief Information Security Officers, and penetration testers who seek to improve their craft and their ability to deliver valuable results. 
\u003c\/p\u003e\u003cp\u003e\u003ci\u003eAlice and Bob Learn Application Security\u003c\/i\u003e will teach you everything you need to know about: \u003c\/p\u003e\u003cul\u003e \u003cli\u003e\u003cb\u003eSecurity fundamentals and requirements\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eSecure design concepts\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eSecure coding (with guidelines)\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eThe basics of threat modelling and security testing\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eHow to build an AppSec program\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eModern application security concerns and defenses\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eHow to implement security hygiene protocols for developers and IT staff\u003c\/b\u003e\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e“Tanya knows her stuff. She has a huge depth of experience and expertise in application security, DevSecOps, and cloud security. We can all learn a ton of stuff from Tanya, so you should read her book!”\u003c\/p\u003e \u003cp\u003e-\u003cb\u003eDafydd Stuttard\u003c\/b\u003e, best-selling co-author of \u003ci\u003eThe Web Application Hacker's Handbook\u003c\/i\u003e, creator of Burp Suite\u003c\/p\u003e \u003cp\u003e“I learned so much from this book! Information security is truly everyone's job — this book is a fantastic overview of the vast knowledge needed by everyone, from developer, infrastructure, security professionals, and so much more. Kudos to Ms. Janca for writing such an educational and practical primer. 
I loved the realistic stories that frame real-world problems, spanning everything from design, migrating applications from problematic frameworks, mitigating admin risks, and things that every modern developer needs to know.”\u003c\/p\u003e \u003cp\u003e-\u003ci\u003eGene Kim\u003c\/i\u003e, bestselling author of \u003ci\u003eThe Unicorn Project\u003c\/i\u003e, co-author of \u003ci\u003eThe Phoenix Project\u003c\/i\u003e, \u003ci\u003eDevOps Handbook\u003c\/i\u003e, \u003ci\u003eAccelerate\u003c\/i\u003e\u003c\/p\u003e \u003cp\u003e“Practical guidance for the modern era; Tanya does a great job of communicating current day thinking around AppSec in terms we can all relate to.”\u003c\/p\u003e \u003cp\u003e-Troy Hunt, creator of \"Have I Been Pwned\"\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47988713947365,"sku":"NP9781119687351","price":52.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781119687351.jpg?v=1761781299","url":"https:\/\/k12savings.com\/es\/products\/alice-and-bob-learn-application-security-isbn-9781119687351","provider":"K12savings","version":"1.0","type":"link"}