Application Security is hard, very hard. It is often counterintuitive, with attackers using lateral thinking to abuse a service. I started my security journey when I was developing important, externally facing web applications with a large FTSE 100 company. Like many developers I had had absolutely no formal security training whatsoever and relied on the little knowledge that I’d picked up in passing. The results of a penetration test against one of the applications I had designed and built convinced me that I needed to radically improve my security knowledge.
Security is still often the poor relation when it comes to developing web applications. Developers still do not get sufficient security training, and when security is considered, it is often left to a penetration test at the end of a development just prior to going live. This is way too late.
Security needs to be considered throughout the development lifecycle. Everyone involved in application development needs to have a basic understanding of security, and developers need to know much more than that. Security professionals do not typically prevent or fix security issues; they only find them. Developers need to design and build software that is resilient to attack, and they can only do that if they understand how, why and where their systems will be attacked.
This is where books like this come in. Kim’s background as a software engineer means that he understands the development process and the pressures that developers are under. It is a wide-ranging book that can help you learn about all aspects of security and help you design and build secure systems.
Simon Bennetts - Zed Attack Proxy Lead