وبلاگ بلیان

Secure Web Application Development : A Hands-On Guide with Python and Django

معرفی کتاب «Secure Web Application Development : A Hands-On Guide with Python and Django» نوشتهٔ Matthew Baker، منتشرشده توسط نشر Apress L. P.; Apress در سال 2022. این کتاب در 500 صفحه، فرمت pdf، زبان انگلیسی ارائه شده است. «Secure Web Application Development : A Hands-On Guide with Python and Django» در دستهٔ برنامه‌نویسی قرار دارد.

Cyberattacks are becoming more commonplace and the Open Web Application Security Project (OWASP), estimates 94% of sites have flaws in their access control alone. Attacks evolve to work around new defenses, and defenses must evolve to remain effective. Developers need to understand the fundamentals of attacks and defenses in order to comprehend new techniques as they become available. This book teaches you how to write secure web applications. The focus is highlighting how hackers attack applications along with a broad arsenal of defenses. This will enable you to pick appropriate techniques to close vulnerabilities while still providing users with their needed functionality. Topics covered include: A framework for deciding what needs to be protected and how strongly Configuring services such as databases and web servers Safe use of HTTP methods such as GET, POST, etc, cookies and use of HTTPS Safe REST APIs Server-side attacks and defenses such as injection and cross-site scripting Client-side attacks and defenses such as cross-site request forgery Security techniques such as CORS, CSP Password management, authentication and authorization, including OAuth2 Best practices for dangerous operations such as password change and reset Use of third-party components and supply chain security (Git, CI/CD etc) What You'll Learn Review the defenses that can used to prevent attacks Model risks to better understand what to defend and how Choose appropriate techniques to defend against attacks Implement defenses in Python/Django applications Who This Book Is For Developers who already know how to build web applications but need to know more about security Non-professional software engineers, such as scientists, who must develop web tools and want to make their algorithms available to a wider audience. Engineers and managers who are responsible for their product/company technical security policy Table of Contents About the Author About the Technical Reviewer Acknowledgments Chapter 1: Introduction 1.1 About This Book 1.2 Who This Book Is For 1.3 Types of Attack Server-Side Attacks Client-Side Attacks 1.4 Defense in Depth 1.5 Conventions Used in This Book 1.6 How This Book Is Organized Chapter 2: The Hands-On Environment 2.1 Introducing the Hands-On Environment 2.2 Installing a Virtualization Back End (Mac with M1) Install Docker Desktop Install Xcode and Docker Mac Net Connect 2.3 Installing a Virtualization Back End (All Other Platforms) Install VirtualBox 2.4 Install Other Dependencies (All Platforms) Install Vagrant Install Web Browsers Install HTTP Toolkit Install Windows Terminal (Optional) Install a Text Editor (Optional) 2.5 Downloading and Building the VMs Running Applications in Vagrant Building the Vagrant VM 2.6 Directory Structure 2.7 Using the Hands-On Environment Using the Vagrant VMs The Web Server The Database MailCatcher Changing the Code Starting from Scratch 2.8 The Linux Command Line Command-Line Input Navigating the Filesystem Linux Permissions Set UserID and GroupID Flags Permissions in Vagrant Becoming a Different User Environment Variables Text Editors Starting and Stopping Processes Clearing the Terminal Exiting Bash 2.9 Summary Chapter 3: Threat Modelling 3.1 What Is Threat Modelling? 3.2 Asset-Based Threat Modelling Assets Threats Threat Actors 3.3 STRIDE 3.4 Data-Flow Threat Modelling Data-Flow Diagrams Trust Boundaries 3.5 Responding to Threats 3.6 Attack Vectors 3.7 Attack Surfaces 3.8 Summary Chapter 4: Transport and Encryption 4.1 The Hypertext Transfer Protocol Requests and Responses Request Methods Response Codes 4.2 Symmetric and Public Key Cryptography Types of Encryption Symmetric-Key Algorithms Public-Key Encryption Algorithms Hashing Base64 Encoding Digital Signatures Key Exchange 4.3 Authentication and Certificates Proving Authenticity Types of Certificates Popular Authentication Authorities 4.4 HTTPS TLS Version 1.2 Perfect Forward Secrecy TLS Version 1.3 4.5 Summary Chapter 5: Installing and Configuring Services 5.1 Designing the Service Architecture 5.2 Web Application Frameworks 5.3 Man-in-the-Middle Attacks Defending Against Man-in-the-Middle Attacks Session Hijacking Attacks 5.4 Denial-of-Service Attacks The Slowloris Attack Consuming Back-End Resources 5.5 Setting Up HTTPS HTTPS with Let’s Encrypt Creating a Self-Signed Certificate Browser Requirements for Self-Signed Certificates Permanent Redirects 5.6 Reverse Proxies and Tunnels Reverse Proxies SSH Tunnels 5.7 Server Configuration Hiding Service Details Host Firewalls TCP Wrappers Using a Host Firewall and TCP Wrappers Together Hiding Errors Custom 404 and 500 Pages Default Passwords 5.8 Database Configuration Database Password Management Access to the Database Host and Port Postgres Configuration Web-Based Administration Consoles 5.9 Securing the Filesystem The Web Server’s Public Path Code Directories Upload Directories Django Static Directories Secrets 5.10 Summary Chapter 6: APIs and Endpoints 6.1 URLs 6.2 REST APIs GET Requests POST Requests PUT Requests PATCH Requests DELETE Requests REST APIs in Django 6.3 Unit Testing Permissions 6.4 Deserialization Attacks XML Attacks Function Calls and Creation Defending Against Deserialization Attacks 6.5 Summary Chapter 7: Cookies and User Input 7.1 Types of User Input 7.2 Cookies The Expires and Max-Age Attributes Domain and Path The Secure and HttpOnly Attributes The SameSite Cookie Setting Session ID Cookies Session IDs and the SameSite Setting 7.3 Injection Attacks 7.4 SQL Injection Schema Discovery Finding SQL Injection Vulnerabilities Defending Against SQL Injection 7.5 Command Injection Back Doors Defending Against Command Injection Combining SQL and Command Injection 7.6 Server-Side Request Forgery Defending Against Server-Side Request Forgery 7.7 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-Based XSS Defending Against Cross-Site Scripting HTML Injection 7.8 Content Sniffing 7.9 Summary Chapter 8: Cross-Site Requests 8.1 Cross-Origin Resource Sharing (CORS) CORS and Credentials Setting CORS Headers 8.2 Cross-Site Request Forgery (CSRF) CSRF Tokens CSRF Tokens in Django CSRF Attacks CSRF and CORS CSRF and Cookie Security CSRF Summary 8.3 Clickjacking and Frame Security 8.4 Content Security Policy (CSP) Inline Scripts and Styles CSP Reporting CSP in Django Nonces in Django 8.5 Subresource Integrity (SRI) 8.6 Summary Chapter 9: Password Management 9.1 Storing Passwords Brute-Force Attacks Rainbow Table Attacks Salted Hashes HMAC and PBKDF2 Password Security 9.2 Password Policies 9.3 Password Reset Password Reset in Django 9.4 Passwords and Source Code Control 9.5 Summary Chapter 10: Authentication and Authorization 10.1 Authentication vs. Authorization 10.2 Username and Password Authentication HTTP Authentication Basic Authentication Digest Authentication Limitations of HTTP Authentication Form-Based Authentication Form-Based Authentication in Django Adding Authentication to URLs in Django Disadvantages of Form-Based Authentication 10.3 One-Time Passwords HMAC-Based One-Time Passwords Time-Based One-Time Passwords Sending OTPs via SMS Google Authenticator Installing the Secret Key 10.4 Authentication with Public-Key Cryptography Registration Authentication 10.5 Biometric Authentication Biometric Authentication with WebAuthn 10.6 Role-Based Authorization Role-Based Authorization in Django Using Django Permissions 10.7 JSON Web Tokens (JWTs) Storing and Transmitting JWTs Revoking JWTs 10.8 API Keys Sending API Keys API Keys in Django 10.9 Summary Chapter 11: OAuth2 11.1 OAuth2 Terminology 11.2 Authorization Code Flow Attacks Prevented by the Authorization Code Flow Omitting the Authorization Code Authorization Code Redirect URI Manipulation Cross-Site Request Forgery Other Attacks Authorization Code Flow in Django 11.3 Implicit Flow 11.4 Authorization Code with PKCE Flow 11.5 Password Flow 11.6 Client Credentials Flow 11.7 Device Flow 11.8 Refresh Token Flow 11.9 OpenID Connect OIDC Authorization Code Flow OIDC in Django 11.10 Summary Chapter 12: Logging and Monitoring 12.1 Logging, Aggregating, and Analytics 12.2 The ELK Stack Loading Log Files with Logstash 12.3 Creating Custom Log Files 12.4 Creating Alerts for Security Events 12.5 Summary Chapter 13: Third-Party and Supply Chain Security 13.1 Staff Member Security OSINT Threats to Staff Members Example 1 Example 2 Example 3 Defenses Against OSINT Attacks 13.2 Third-Party Code Back-End Dependencies Front-End Dependencies 13.3 Supply Chain Security The in-toto Framework Using SLSA and in-toto 13.4 Summary Chapter 14: Further Resources 14.1 Vulnerability Databases 14.2 News and Alerts Sites 14.3 The OWASP Top Ten Broken Access Control Cryptographic Failures Injection Insecure Design Security Misconfiguration Vulnerable and Outdated Components Identification and Authentication Failures Software and Data Integrity Failures Security Logging and Monitoring Failures Server-Side Request Forgery 14.4 Summary Bibliography Index Cyberattacks are becoming more commonplace and the Open Web Application Security Project (OWASP), estimates 94% of sites have flaws in their access control alone. Attacks evolve to work around new defenses, and defenses must evolve to remain effective. Developers need to understand the fundamentals of attacks and defenses in order to comprehend new techniques as they become available. This book uses a hand-on approach to teach you how to write secure web applications and will highlight how hackers attack applications along with a broad arsenal of defenses. You'll see how to Implement the right defenses in Python/Django applications to prevent such attacks. Secure Web Application Development is your guide to picking the appropriate techniques to close vulnerabilities and ensuring you still provide users with their needed functionality. You will: Understand common coding vulnerabilities and how to avoid them Configure services, such as databases and web servers, to minimize the risk of attack Implement secure methods for password management, authentication, and authorization Safely manage requests to and from external web sites Establish a framework for modelling and assessing risks
دانلود کتاب Secure Web Application Development : A Hands-On Guide with Python and Django