Web Security for Developers Impressions

I finished up Web Security for Developers this weekend. It was a great primer for covering exactly what it sets out to: Teach Basic Web Security to Developers. That said, basic in Web Security doesn't mean basic in general. It starts out pretty simple, with a lot of examples I was aware of already, then about halfway in, I started to read about things I had very little familiarity with. I'm not a web dude, nor am I what I'd call a developer. Still, this is the kind of book I like to dive into, because I can start learning what web developers are supposed to be on the lookout for when they are building their sites.

The book is written under the understanding that the reader already has a solid web development background but isn't yet familiar with the security side of things. That means you won't find tutorials on HTML, CSS, or JavaScript; the book expects you to know all of that already. What it does cover are the common issues that can show up in any of those layers of a website, explaining each possible issue with examples and then going into how to remediate or avoid it.

The first part of the book (four chapters) goes over the very basics of it all:

  • How the internet works
  • How browsers work
  • How web servers work
  • How programmers work (with an overview of the software development lifecycle)

It gives the reader an overview of how each of these functions and how they fit into the overall picture. I had a pretty decent understanding of most of these things, but it was still something I chose to read, because I wanted to deepen my knowledge. It was definitely worth the time invested, and that's even more the case if you don't have some of that important foundational knowledge. It serves the purpose of putting everyone going into the book at that base-level for reading further.

After some introductory stuff, the book goes into the actual threats. It's all the common ones you hear about: injection attacks, XSS, CSRF, session hijacking, etc.

Each threat chapter is broken into sections such as:

  • SQL
  • What is SQL?
  • Anatomy of an SQL Injection Attack
  • Mitigation methods

All of the threats are broken down in a similar fashion based on descriptions, examples, inner-workings and mitigation methods.

Finally, the book ends with a quick recap of the threats and mitigation techniques, summarized into short paragraphs that make up the final chapter.

Overall

I enjoyed the book. Even though I'm not a web developer, I picked it up to learn what web developers should be paying attention to, in hopes of becoming a better attacker. I will admit that not all of the book stuck, but I will be revisiting sections to further cement my understanding of the concepts as the need arises.