
Foundations of Security : What Every Programmer Needs to Know

by
  • ISBN13: 9781590597842
  • ISBN10: 1590597842
  • Format: Paperback
  • Copyright: 2007-02-21
  • Publisher: Apress

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.


Summary

"Information Technology is for everyone, not just geeks. But that means security is everyone's business, as you will discover in the pages of this excellent book!"
Vinton G. Cerf, a Founding Father of the Internet

"This book serves as a great complement to the courses that make up the Stanford Center for Professional Development (SCPD) Security Certification Program. The book explains in detail how to defend against a wide range of attacks, and teaches principles of secure system design."
Dr. Dan Boneh, Associate Professor, Computer Science and Electrical Engineering, Stanford University

Foundations of Security: What Every Programmer Needs to Know teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems. Once you're enabled with the techniques covered in this book, you can start to alleviate some of the inherent vulnerabilities that make today's software so susceptible to attack. The book uses web servers and web applications as running examples throughout.

For the past few years, the Internet has had a "wild, wild west" flavor to it. Credit card numbers are stolen in massive numbers. Commercial web sites have been shut down by Internet worms. Poor privacy practices come to light and cause great embarrassment to the corporations behind them. All these security-related issues contribute at least to a lack of trust and loss of goodwill. Often there is a monetary cost as well, as companies scramble to clean up the mess when they get spotlighted by poor security practices.

It takes time to build trust with users, and trust is hard to win back. Security vulnerabilities get in the way of that trust. Foundations of Security: What Every Programmer Needs to Know helps you manage risk due to insecure code and build trust with users by showing how to write code to prevent, detect, and contain attacks.

The lead author cofounded the Stanford Center for Professional Development Computer Security Certification. This book teaches you how to be more vigilant and develop a sixth sense for identifying and eliminating potential security vulnerabilities. You'll receive hands-on code examples for a deep and practical understanding of security. You'll learn enough about security to get the job done.

Table of Contents

Foreword (p. xv)
About the Authors (p. xvii)
About the Technical Reviewer (p. xix)
Acknowledgments (p. xxi)
Preface (p. xxiii)

Part 1: Security Design Principles
Security Goals (p. 3)
Security Is Holistic (p. 3)
Physical Security (p. 4)
Technological Security (p. 4)
Policies and Procedures (p. 6)
Authentication (p. 7)
Something You Know (p. 7)
Something You Have (p. 8)
Something You Are (p. 10)
Final Notes on Authentication (p. 11)
Authorization (p. 12)
Access Control Lists (ACLs) (p. 13)
Access Control Models (p. 14)
The Bell-LaPadula Model (p. 15)
Confidentiality (p. 17)
Message/Data Integrity (p. 18)
Accountability (p. 19)
Availability (p. 20)
Non-repudiation (p. 21)
Concepts at Work (p. 22)
Secure Systems Design (p. 25)
Understanding Threats (p. 25)
Defacement (p. 26)
Infiltration (p. 26)
Phishing (p. 27)
Pharming (p. 28)
Insider Threats (p. 28)
Click Fraud (p. 29)
Denial-of-Service (DoS) (p. 29)
Data Theft and Data Loss (p. 30)
Designing-In Security (p. 30)
Windows 98 (p. 31)
The Internet (p. 31)
Turtle Shell Architectures (p. 34)
Convenience and Security (p. 35)
SimpleWebServer Code Example (p. 35)
Hypertext Transfer Protocol (HTTP) (p. 35)
Code Walkthrough (p. 36)
Security in Software Requirements (p. 44)
Specifying Error Handling Requirements (p. 44)
Sharing Requirements with Quality Assurance (QA) (p. 46)
Handling Internal Errors Securely (p. 47)
Including Validation and Fraud Checks (p. 48)
Writing Measurable Security Requirements (p. 50)
Security or Bust (p. 50)
Security by Obscurity (p. 51)
Flaws in the Approach (p. 51)
SimpleWebServer Obscurity (p. 52)
Things to Avoid (p. 55)
Open vs. Closed Source (p. 57)
A Game of Economics (p. 58)
"Good Enough" Security (p. 59)
Secure Design Principles (p. 61)
The Principle of Least Privilege (p. 61)
Defense-in-Depth (p. 63)
Prevent, Detect, Contain, and Recover (p. 63)
Don't Forget Containment and Recovery (p. 64)
Password Security Example (p. 65)
Diversity-in-Defense (p. 65)
Securing the Weakest Link (p. 66)
Weak Passwords (p. 66)
People (p. 66)
Implementation Vulnerabilities (p. 67)
Fail-Safe Stance (p. 67)
SimpleWebServer Fail-Safe Example (p. 67)
Attempted Fix 1: Checking the File Length (p. 69)
Attempted Fix 2: Don't Store the File in Memory (p. 69)
Fix: Don't Store the File in Memory, and Impose a Download Limit (p. 70)
Secure by Default (p. 71)
Simplicity (p. 72)
Usability (p. 73)
Security Features Do Not Imply Security (p. 74)
Exercises for Part 1 (p. 77)

Part 2: Secure Programming Techniques
Worms and Other Malware (p. 83)
What Is a Worm? (p. 83)
An Abridged History of Worms (p. 84)
The Morris Worm: What It Did (p. 84)
The Morris Worm: What We Learned (p. 85)
The Creation of CERT (p. 86)
The Code Red Worm (p. 86)
The Nimda Worm (p. 87)
The Blaster and SQL Slammer Worms (p. 87)
More Malware (p. 89)
Buffer Overflows (p. 93)
Anatomy of a Buffer Overflow (p. 93)
A Small Example (p. 94)
A More Detailed Example (p. 94)
The safe_gets() Function (p. 98)
Safe String Libraries (p. 100)
Additional Approaches (p. 101)
StackGuard (p. 101)
Static Analysis Tools (p. 102)
Performance (p. 103)
Heap-Based Overflows (p. 103)
Other Memory Corruption Vulnerabilities (p. 103)
Format String Vulnerabilities (p. 104)
Integer Overflows (p. 104)
Client-State Manipulation (p. 107)
Pizza Delivery Web Site Example (p. 108)
Attack Scenario (p. 110)
Solution 1: Authoritative State Stays at Server (p. 112)
Solution 2: Signed State Sent to Client (p. 114)
Using HTTP POST Instead of GET (p. 117)
Cookies (p. 119)
JavaScript (p. 121)
SQL Injection (p. 123)
Attack Scenario (p. 124)
Solutions (p. 130)
Why Blacklisting Does Not Work (p. 130)
Whitelisting-Based Input Validation (p. 132)
Escaping (p. 132)
Second Order SQL Injection (p. 133)
Prepared Statements and Bind Variables (p. 134)
Mitigating the Impact of SQL Injection Attacks (p. 136)
Password Security (p. 139)
A Strawman Proposal (p. 139)
Hashing (p. 141)
Offline Dictionary Attacks (p. 143)
Salting (p. 144)
Online Dictionary Attacks (p. 150)
Additional Password Security Techniques (p. 151)
Strong Passwords (p. 151)
"Honeypot" Passwords (p. 151)
Password Filtering (p. 151)
Aging Passwords (p. 152)
Pronounceable Passwords (p. 152)
Limited Login Attempts (p. 152)
Artificial Delays (p. 152)
Last Login (p. 153)
Image Authentication (p. 153)
One-Time Passwords (p. 154)
Cross-Domain Security in Web Applications (p. 155)
Interaction Between Web Pages from Different Domains (p. 156)
HTML, JavaScript, and the Same-Origin Policy (p. 156)
Possible Interactions of Documents from Different Origins (p. 157)
HTTP Request Authentication (p. 159)
Lifetime of Cached Cookies and HTTP Authentication Credentials (p. 160)
Attack Patterns (p. 161)
Cross-Site Request Forgery (XSRF) (p. 162)
Cross-Site Script Inclusion (XSSI) (p. 164)
Cross-Site Scripting (XSS) (p. 165)
Preventing XSRF (p. 169)
Inspecting Referer Headers (p. 170)
Validation via User-Provided Secret (p. 170)
Validation via Action Token (p. 171)
Security Analysis of the Action Token Scheme (p. 173)
Preventing XSSI (p. 176)
Authentication via Action Token (p. 176)
Restriction to POST Requests (p. 177)
Preventing Resource Access for Cost Reasons (p. 177)
Preventing XSS (p. 178)
General Considerations (p. 179)
Simple Text (p. 180)
Tag Attributes (e.g., Form Field Value Attributes) (p. 181)
URL Attributes (href and src) (p. 183)
Style Attributes (p. 185)
Within Style Tags (p. 186)
In JavaScript Context (p. 186)
JavaScript-Valued Attributes (p. 189)
Redirects, Cookies, and Header Injection (p. 190)
Filters for "Safe" Subsets of HTML (p. 191)
Unspecified Charsets, Browser-Side Charset Guessing, and UTF-7 XSS Attacks (p. 192)
Non-HTML Documents and Internet Explorer Content-Type Sniffing (p. 193)
Mitigating the Impact of XSS Attacks (p. 194)
Exercises for Part 2 (p. 197)

Part 3: Introduction to Cryptography
Symmetric Key Cryptography (p. 203)
Introduction to Encryption (p. 204)
Substitution Ciphers (p. 204)
Notation and Terminology (p. 205)
Block Ciphers (p. 205)
Security by Obscurity: Recap (p. 208)
Encrypting More Data (p. 208)
AES Code Example (p. 210)
Stream Ciphers (p. 217)
One-Time Pad (p. 217)
RC4 (p. 217)
Steganography (p. 219)
What Is Steganography? (p. 219)
Steganography vs. Cryptography (p. 220)
Asymmetric Key Cryptography (p. 221)
Why Asymmetric Key Cryptography? (p. 221)
RSA (p. 223)
Elliptic Curve Cryptography (ECC) (p. 223)
Symmetric vs. Asymmetric Key Cryptography (p. 224)
Certificate Authorities (p. 224)
Identity-Based Encryption (IBE) (p. 225)
Authentication with Encryption (p. 225)
Key Management and Exchange (p. 227)
Types of Keys (p. 227)
Identity Keys (p. 227)
Conversation or Session Keys (p. 227)
Integrity Keys (p. 228)
Key Generation (p. 228)
Random Number Generation (p. 229)
The rand() Function (p. 230)
Random Device Files (p. 230)
Random APIs (p. 231)
Key (Secret) Storage (p. 231)
Keys in Source Code (p. 231)
Storing the Key in a File on Disk (p. 233)
"Hard to Reach" Places (p. 233)
Storing Secrets in External Devices (p. 233)
Key Agreement and Exchange (p. 235)
Using Asymmetric Keys (p. 236)
Diffie-Hellman (DH) (p. 236)
MACs and Signatures (p. 239)
Secure Hash Functions (p. 239)
Message Authentication Codes (MACs) (p. 240)
CBC MACs (p. 240)
HMAC (p. 241)
Signatures (p. 242)
Certificates and Certificate Authorities (CAs) (p. 243)
Signing and Verifying (p. 246)
Registration Authorities (RAs) (p. 246)
Web of Trust (p. 247)
Attacks Against Hash Functions (p. 247)
SSL (p. 247)
Server-Authenticated-Only (p. 248)
Mutual Authentication (p. 249)
Exercises for Part 3 (p. 251)

Appendixes
Defense-in-Depth: The FLI Model (p. 255)
Protecting Against Failure (p. 256)
Protecting Against Lies (p. 257)
Protecting Against Infiltration (p. 257)
Other Techniques (p. 258)
Using an FLI-like Model (p. 258)
References (p. 258)
Source Code Listings (p. 261)
References (p. 267)
Index (p. 277)
Table of Contents provided by Ingram. All Rights Reserved.

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.