I finished up Web Security for Developers this weekend. It was a great primer for covering exactly what it sets out to: Teach Basic Web Security to Developers. That said, basic in Web Security doesn't mean basic in general. It starts out pretty simple, with a lot of examples I was aware of already, then about halfway in, I started to read about things I had very little familiarity with. I'm not a web dude, nor am I what I'd call a developer. Still, this is the kind of book I like to dive into, because I can start learning what web developers are supposed to be on the lookout for when they are building their sites.
The first part of the book (four chapters) goes over the very basics of it all:
- How the internet works
- How browsers work
- How web servers work
- How programmers work (with an overview of the software development lifecycle)
It gives the reader an overview of how each of these works and how they fit into the overall picture. I had a pretty decent understanding of most of these things, but it was still something I chose to read, because I wanted to deepen my knowledge. It was definitely worth the time invested, and that's even more the case if you don't have some of that important foundational knowledge. It puts every reader on the same baseline before the rest of the book.
After some introductory stuff, the book goes into the actual threats. It's all the common ones you hear about: injection attacks, XSS, CSRF, session hijacking, etc.
Each threat chapter is broken into sections such as:
- What is SQL?
- Anatomy of an SQL Injection Attack
- Mitigation methods
Every threat is broken down in a similar fashion: a description, examples, the inner workings of the attack, and mitigation methods.
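To make the "anatomy of an attack" plus "mitigation" structure concrete, here is an added example (mine, not code from the book) of the classic SQL injection case: a login check that builds its query by string concatenation, beside the same check written with a parameterized query. The table, the user record and the two payloads are constructed for the demo; `sqlite3` from the Python standard library stands in for whatever database a real site would use.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is assembled from user input, so the input can change
    # the SQL itself rather than just supplying a value to compare against.
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query text is fixed; the driver binds the values separately, so a
    # quote or a comment marker in the input is only ever compared as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    # Payload 1: closes the password string and appends an always-true clause.
    # With AND binding tighter than OR, the WHERE clause becomes
    #   (username = 'alice' AND password = '') OR '1'='1'
    always_true = "' OR '1'='1"
    # Payload 2: closes the username string and comments out the password check.
    comment_out = "alice' --"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_always_true": login_vulnerable(conn, "alice", always_true),
        "vuln_comment_out": login_vulnerable(conn, comment_out, "wrong"),
        "param_legit": login_parameterized(conn, "alice", "correct horse"),
        "param_always_true": login_parameterized(conn, "alice", always_true),
        "param_comment_out": login_parameterized(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Run as a script, the vulnerable function lets both payloads log in as alice without the password, while the parameterized version rejects them and still accepts the real credentials. The fix is not escaping quotes by hand; it is keeping query structure and user-supplied values on separate channels, which is what the book's mitigation section is getting at.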
Finally, the book ends with a quick recap of the threats and mitigation techniques, each summarized in a short paragraph, which makes up the final chapter.
I enjoyed the book. Even though I'm not a web developer, I picked it up to learn what web developers should be paying attention to in hopes of becoming a better attacker. I will admit that not all of the book stuck, but I will be revisiting sections as I need to further cement my understanding of the concepts as I see the need arise.