Top Ideas in This Book
When writing unit tests, you probably start with home run cases where you’re testing for basic functional correctness.
Don’t stop there.
You want to write tests for at least two more cases:
If done correctly, testing edge cases and security cases feels like a game.
Security is a journey, not a destination. As you progress in your security journey, you’re trying to reduce the risk of a successful attack. Therefore, your best bet is to increase the cost.
Typically we increase the cost of a successful attack through additional layers. By increasing the cost, we modify the attacker’s return on investment equation (ROI).
This is the type of conceptual and principled content I was hoping to read more about in Foundations of Security, but I had to hunt for it.
Developers also run operations (DevOps) and security at many small companies. That means your Lead Engineer is probably in charge of security by default and they probably need a framework for thinking about security issues.
Prevention, Detection, Containment, and Recovery is a reasonable and useful categorization for developers thrown into security roles.
Although Foundations of Security was authored in 2007, this book effectively matches the 2021 OWASP Top 10 Web Application Security Risks list.
In other words, many security issues we face today are baked into the web itself or tooling hasn’t improved much.
While the web is a democratizing force empowering millions of developers to build websites and applications where things “just work”, it also creates opportunities for developers to inadvertently and unknowingly create systems with poor security.
How strongly do I recommend Foundations of Security?
6 / 10
Foundations of Security covers a broad range of security threats and concepts on a technical level: worms, buffer overflows, SQL injection, CSRF, XSS, and cryptography.
Because this book was published in 2007 some of the technical details feel dated, so you should read this book and follow up by asking which tools exist today to mitigate the threat?
Beware, this book feels dense and presents a lot of technical detail. I was hoping for a more conceptual book with frameworks and principles that I can apply as an engineering leader. What I got instead was a technical dive into various security threats including code samples and mitigation techniques.