Books for software engineers and managers

Foundations of Security

Foundations of Security

What Every Programmer Needs to  Know

by Neil Daswani, Christopher Kern, Anita Kesavan

Tech Lead,
Star Engineer

How strongly do I recommend Foundations of Security?
6 / 10

Review of Foundations of Security

Foundations of Security covers a broad range of security threats and concepts on a technical level: worms, buffer overflows, SQL injection, CSRF, XSS, and cryptography.

Because this book was published in 2007 some of the technical details feel dated, so you should read this book and follow up by asking which tools exist today to mitigate the threat?

Beware, this book feels dense and presents a lot of technical detail. I was hoping for a more conceptual book with frameworks and principles that I can apply as an engineering leader. What I got instead was a technical dive into various security threats including code samples and mitigation techniques.

Write automated test cases for security in addition to  functionality

When writing unit tests, you probably start with home run cases where you’re testing for basic functional correctness.

Don’t stop there.

You want to write tests for at least two more cases:

  1. Edge cases. Things that you don’t anticipate happening, but could. Hint: in a real-world system of any significance, these will happen.
  2. Security cases. Imagine you have malicious intent and you’re trying to break the system.

If done correctly, testing edge cases and security cases feels like a game.

The goal of security systems is to increase the cost of a successful  attack

Security is a journey, not a destination. As you progress in your security journey, you’re trying to reduce the risk of a successful attack. Therefore, your best bet is to increase the cost.

Typically we increase the cost of a successful attack through additional layers. By increasing the cost, we modify the attacker’s return on investment equation (ROI).

PDCR: Prevention, Detection, Containment, Recovery is a good framework for thinking about system  security

This is the type of conceptual and principled content I was hoping to read more about in Foundations of Security, but I had to hunt for it.

Developers also run operations (DevOps) and security at many small companies. That means your Lead Engineer is probably in charge of security by default and they probably need a framework for thinking about security issues.

Prevention, Detection, Containment, and Recovery is a reasonable and useful categorization for developers thrown into security roles.

  • Prevention = Physical security, Authentication, Access control, etc.
  • Detection = Watchdogs, beacons, virus scanners, etc.
  • Containment = Backups, intrusion tolerance, etc.
  • Recovery = Failover, Auditing, Data Restoration, etc.

The OWASP Top 10 List is still relevant and web security hasn’t improved  much

Although Foundations of Security was authored in 2007, this book effectively matches the 2021 OWASP Top 10 Web Application Security Risks list.

In other words, many security issues we face today are baked into the web itself or tooling hasn’t improved much.

While the web is a democratizing force empowering millions of developers to build websites and applications where things “just work”, it also creates opportunities for developers to inadvertently and unknowingly create systems with poor security.

Foundations of Security