In attempting to make the encryption and cryptography process a bit more understandable, Dr. Ron Rivest of MIT, the R in RSA, used the characters of Alice and Bob to explain how cryptography works. Alice and Bob became so ubiquitous that they were the theme of the 2011 RSA Conference.
What Rivest started, Tanya Janca continues in Alice and Bob Learn Application Security (Wiley).
Janca is the founder of the We Hack Purple training academy, which specializes in application security training. She brings her extensive training experience, an enjoyable style, and enthusiasm for the topic to the book, and the result is a practical and useful guide.
Rather than spending chapters on introductions, the book hits the ground running and shows application developers what they need to do to write secure code.
Rivest created Alice and Bob to help people better understand encryption concepts. The book does that via stories and diagrams. There are many author stories where Janca shares real-world scenarios to make the ideas much more real.
President Ronald Reagan brought the phrase "trust, but verify" into the security lexicon. Janca writes that when it comes to application security, one should instead never trust and always verify. This means that you should never trust anything outside of your own application. For example, if your application talks to an API, verify that it is the correct API and that it has the authority to do whatever it is trying to do.
Following from this, if your application accepts data, from any source, you have to validate that data and ensure that it is what you are expecting and that it is appropriate. If it is not, the application should reject it.
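The following is an added illustration of the "never trust, always verify" rule applied to inbound data; it is not code from the book or from the review. It validates a constructed JSON request body against an allow-list (expected fields only, expected types, bounded length, bounded range, a restricted character set for the username, and a fixed set of country codes), and rejects anything that does not match. The field names, limits and allowed country codes are hypothetical choices for the example.

```python
import json
import re

# Allow-list rules for one hypothetical "create user" request body.
MAX_BODY_BYTES = 4096
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ALLOWED_FIELDS = {"username", "age", "country"}
COUNTRY_CODES = {"CA", "US", "GB", "DE"}  # constructed allow-list


class ValidationError(ValueError):
    """Raised whenever inbound data is not exactly what we expect."""


def validate_user_payload(raw: bytes) -> dict:
    """Parse an inbound JSON body and return a clean dict, or raise.

    Every check is positive (what is allowed) rather than negative
    (what is forbidden), so unexpected input is rejected by default.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")

    # Reject unknown fields (e.g. a smuggled "is_admin") and missing ones.
    extra = set(data) - ALLOWED_FIELDS
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(data)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")

    username = data["username"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 chars of [A-Za-z0-9_]")

    age = data["age"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 120:
        raise ValidationError("age must be an integer between 13 and 120")

    country = data["country"]
    if not isinstance(country, str) or country not in COUNTRY_CODES:
        raise ValidationError("country must be one of the allowed codes")

    # Return only the validated fields, never the raw object.
    return {"username": username, "age": age, "country": country}


def is_accepted(raw: bytes) -> bool:
    """Convenience wrapper: True if the body passes validation."""
    try:
        validate_user_payload(raw)
        return True
    except ValidationError:
        return False


# Constructed sample request bodies for demonstration.
GOOD = b'{"username": "alice_01", "age": 34, "country": "CA"}'
BAD_EXTRA = b'{"username": "bob_1", "age": 34, "country": "CA", "is_admin": true}'
BAD_TYPE = b'{"username": "bob_1", "age": "34", "country": "CA"}'
BAD_USER = b'{"username": "bob<script>", "age": 34, "country": "CA"}'
BAD_JSON = b'{"username": "bob_1", "age": 34, '

if __name__ == "__main__":
    for sample in (GOOD, BAD_EXTRA, BAD_TYPE, BAD_USER, BAD_JSON):
        try:
            print("accepted:", validate_user_payload(sample))
        except ValidationError as err:
            print("rejected:", err)
```

The design point is that the validator returns a freshly built dict containing only the fields it checked, so downstream code works from verified data rather than from whatever the caller sent.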
One of the more interesting stories is from a threat modeling session, where she asked two software developers from the same firm how they would hack their own application if they were going to.
They said that there was an admin module they had written to administer the application from home. The admin module had not appeared in any design documents, and it turned out to be a significant security hole. If those programmers had not been at the meeting, that vulnerability would never have been known.
The book covers all of the core topics around application security: security requirements, software developer security hygiene, security fundamentals, secure design concepts, how to build an AppSec program, and more.
Behind many security vulnerabilities is insecure code, which underscores the importance of an effective application security program and of developers who know how to write secure code.
In Alice and Bob Learn Application Security, your developers will find a most accessible and readable resource that will provide them with a thorough application security overview. At 250 pages, this is far from the last word on the topic. But for those who have not started their AppSec journey, this is a book that should most definitely be on their reading list.