Developer's Guide to Web Application Security
Over 75% of network attacks are targeted at the web application layer. This book provides explicit hacks, tutorials, penetration tests, and step-by-step demonstrations for security professionals and Web application developers to defend their most vulnerable applications.
This book defines Web application security, why it should be addressed earlier in the lifecycle in development and quality assurance, and how it differs from other types of Internet security. Additionally, the book examines the procedures and technologies that are essential to developing, penetration testing and releasing a secure Web application. Through a review of recent Web application breaches, the book will expose the prolific methods hackers use to execute Web attacks using common vulnerabilities such as SQL Injection, Cross-Site Scripting and Buffer Overflows in the application layer. By taking an in-depth look at the techniques hackers use to exploit Web applications, readers will be better equipped to protect confidential.
Review By: Laura M. Hagar
04/07/2008

My perspective is from CM/QA background and I'm grateful for the many references presented throughout the book that deal with configuration management, inspections, peer reviews, and coding standards. I was able to immediately use the information in the book in my line of work and have already recommended this book to developers and security professionals.
The author's message is clear, concise, and appropriate. Web application security is going to be a hot topic for at least three to five more years, yet security plans are most frequently left out in a project. To this, the author briefly describes why and how to produce a security plan, including who is responsible for the plan.
His message is easy to understand and he provides sound advice; the information is presented well to prove his points. It’s also as comprehensive as possible given the complexity of the material. There are fast-track solutions throughout the book, which are really helpful. I really enjoyed the points he makes at the end of each chapter, which are short but can easily be dropped into a report to management.
This book is suited for both novices (to learn and change bad habits) and experts (as a reference and to mentor others), but is ideal for Web security professionals. I strongly encourage application developers, security professionals, and configuration management and QA personnel to read this book. Managers should also give it a skim to gain some insight into Web application security.
This book is a perfect companion to James Whittaker's book titled "How to Break Web Software," as well as Herb Thompson and Scott Chase's "The Software Vulnerability Guide."