Introduction

While you might be tempted just to skip to a particular chapter that interests you—say, Chapter 3, which deals with authentication, or Chapter 7, which deals with database security—you’ll probably be better served by starting at the front and reading through to the end. Our primary goal here is not to “give you a fish” by simply showing you security vulnerabilities, but rather to “teach you to fish” by discussing universal security principles. You should be able to take the same concepts you’ll learn in Chapter 4 on authorization and session management and apply them to the browser security issues found in Chapter 6. So again, please resist the temptation to skip around, at least on your first pass through.

We’ve divided this book into three sections. The first two chapters present a primer on both web application security concepts and software security concepts in general. If you’ve always wondered about how hackers break into web sites—or struggled to convince your boss to fund some security initiatives—then you’ll find what you’re looking for here. The second section, comprising six chapters and the majority of the content of the book, deals with principles of securing common areas of functionality of web applications. We’ll show the best ways to defend the integrity of your databases, file systems, user accounts, and many other important resources. Finally, the third section shows the most effective ways to put all the concepts you’ve learned into action by laying out some secure development and deployment methodologies.

There’s an old joke about two hikers walking through the woods when they stumble upon a bear. They immediately take off running, and the first hiker says to the other, “Do you think we can actually outrun this bear?” The second hiker replies, “I don’t have to outrun the bear, I only have to outrun you!” There are a lot of organizations that embrace this as their security philosophy: their only goal is to be a little more secure than their competitors so that the hackers go after the other guy instead of them. We couldn’t disagree with this stance more. We think a better philosophy is that “a rising tide lifts all ships.” The more everyone learns about security and the more all applications are made more resilient against attack, the more trustworthy the Web will become and the more interesting things we’ll be able to do with it. We hope that this book brings us a little closer to that vision. Thanks for reading.

About the Series

We worked with the publisher to develop several special editorial elements for this series, which we hope you’ll find helpful while navigating the book—and furthering your career.

Lingo

The Lingo boxes are designed to help you familiarize yourself with common security terminology so that you’re never held back by an unfamiliar word or expression.

IMHO

(In My Humble Opinion). When you come across an IMHO, you’ll be reading our frank, personal opinions based on our experiences in the security industry.

Budget Note

The Budget Notes are designed to help you discuss security budget needs within your organization with more confidence, and provide tips and ideas for initiating successful, informed conversations about budgets.

In Actual Practice

Theory might teach us smart tactics for business, but there are in-the-trenches exceptions to every rule. The In Actual Practice feature highlights how things actually get done in the real world at times—exceptions to the rule—and why.

Your Plan

The Your Plan feature offers strategic ideas that can be helpful to review as you get into planning mode, as you refine a plan outline, and as you prepare to embark on a final course of action.

Into Action

The Into Action lists are “get-going” tips to support you in taking action on the job. These lists contain steps, tips, and ideas to help you plan, prioritize, and work as effectively as possible.
