Book Review: Web Application Security by Andrew Hoffman

Uday Mittal August 29, 2020 Leave a Comment

I recently came across this book, Web Application Security by Andrew Hoffman, while searching for material to read on how to secure web applications. There are many books available on this topic. I picked this one specifically because of its recent publication date. It was published in March 2020 (about 5 months back, at the time of writing).

Content overview

The tagline of the book, “Exploitation and Countermeasures for Modern Web Applications”, says it all. The book is divided into three parts: Recon, Offense and Defense. Each part is then divided into chapters covering specific areas of web application security.

It starts by providing a glimpse into the history of software security and the evolution of web-related attacks as we see them today. This lays the foundation for the first part, Recon, in which the author describes various techniques for mapping a web application. One important lesson I learnt from this part is that recon is not limited to the web application per se. When mapping out the web application, one needs to look at aspects such as:

  • Structure of the application
  • Subdomains
  • APIs
  • Third-party components
  • Architecture

The second part of the book, Offense, covers the most common attacks related to web applications:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • XML External Entity (XXE)
  • Injection
  • Denial of Service (DoS and DDoS)
  • Exploiting third-party components

In Defense (third part of this book), the author looks at securing web applications from a developer’s point of view (one of the things I liked about this book). This part covers the following:

  • Securing application architecture
  • Secure code reviews
  • Vulnerability discovery and management
  • Defense techniques for each attack mentioned in the Offense section

Salient features

Here are a few things I liked about this book:

  • It focuses on a holistic view of securing web applications.
  • Each offense technique is mapped to appropriate defense(s).
  • The Defense part of the book is developer focused.
  • The author’s emphasis on the importance of taking notes and his preferred notes format (you can find this out by reading the book).
  • This book is good for developers, information security managers and beginners in web application security.

Not so salient features

Here are a few things I did not like about this book:

  • Given the title and tagline, I thought it would be considerably more technical. It did not live up to those expectations.
  • The Offense part misses out on key web application attacks such as Local File Inclusion (LFI), Remote File Inclusion (RFI), Path Traversal, Insecure Direct Object Reference, etc.
  • The author has included examples for a fictitious website; a hands-on lab would have been nice.

My rating: 4.0 / 5.0

Uday Mittal

Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.

Filed Under: Book Reviews Tagged With: Cybersecurity books, web application security
