Book Review: Web Application Security by Andrew Hoffman
A review of Web Application Security by Andrew Hoffman, published in March 2020 by O'Reilly Media.
I recently came across this book, Web Application Security by Andrew Hoffman, while searching for material to read on how to secure web applications. There are many books available on this topic. I picked this one specifically because of its recent publication date. It was published in March 2020 (about 5 months back, at the time of writing).
Content overview
The tagline of the book, "Exploitation and Countermeasures for Modern Web Applications", says it all. The book is divided into three parts, Recon, Offense and Defense; each part is then divided into chapters covering specific areas of web application security.
It starts by providing a glimpse into the history of software security and the evolution of the web-related attacks we see today. This lays the foundation for the first part, Recon. In this part, the author describes various techniques for mapping a web application. One important lesson I learnt from this part is that recon is not limited to the web application per se. When mapping out the web application, one needs to look at aspects such as:
Structure of the application
Subdomains
APIs
Third-party components
Architecture
The second part of the book, Offense, covers the most common attacks against web applications:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
XML External Entity (XXE)
Injection
Denial of Service (DoS and DDoS)
Exploiting third-party components
In Defense (the third part of the book), the author looks at securing web applications from a developer's point of view (one of the things I liked about this book). This part covers the following:
Securing application architecture
Secure code reviews
Vulnerability discovery and management
Defense techniques for each attack mentioned in the Offense section
Salient features
Here are a few things I liked about this book:
It takes a holistic view of securing web applications.
Each offense technique is mapped to appropriate defense(s).
The developer-focused Defense part of the book.
The author's emphasis on the importance of taking notes, and his preferred note format (you can find this out by reading the book).
This book is well suited to developers, information security managers and beginners in web application security.
Not so salient features
Here are a few things I did not like about this book:
Given the title and tagline, I thought it would be a fair bit more technical. It did not live up to those expectations.
The Offense part leaves out key web application attacks such as Local File Inclusion (LFI), Remote File Inclusion (RFI), Path Traversal and Insecure Direct Object Reference (IDOR).
The author includes examples against a fictitious website; a hands-on lab would have been nice.
My rating: 4.0 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).