Web Security: A WhiteHat Perspective é um livro que está programado para ser lançado no dia 19 de Março de 2015, e já promete ser um grande sucesso.

Seus atores, descritos abaixo, possuem grande experiência em segurança da informação.

Axie Wu was a founder of ph4nt0m.org, one of China’s famous domestic security organizations. He is proficient in different offensive and defensive techniques with regard to web security. He joined Alibaba Co., Ltd, China, after his graduation from Xi’an Jiaotong University in 2005 and became the youngest expert level engineer in Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was completely involved in the security development process for Alibaba, where he gained extensive experience in the field of application security. From 2011 onward, he has been a security architect in Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company’s product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work with the subsidiary of a software company at the institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded the RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has since managed the company. From September 2011, Liz has focused her attention on China’s network security issues and has aimed to help enterprises in China with system security and network security business. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a popular consultant for IT security service for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.

Veja o conteúdo programado par o título acima:

MY VIEW OF THE SECURITY WORLD
View of the IT Security World
Brief History of Web Security
Brief History of Chinese Hackers
Development Process of Hacking Techniques
Rise of Web Security
Black Hat, White Hat
Back to Nature: The Essence of Secret Security
Superstition: There Is No Silver Bullet
Security Is an Ongoing Process
Security Elements
How to Implement Safety Assessment
Asset Classification
Threat Analysis
Risk Analysis
Design of Security Programs
Art of War of White Hat
Principles of Secure by Default
Blacklist, Whitelist
Principle of Least Privilege
Principle of Defense in Depth
Principles of Data and Code Separation
Unpredictability of the Principle
Summary
Appendix

SAFETY ON THE CLIENT SCRIPT
Security of Browser
Same-Origin Policy
Browser of Sandbox
Malicious URL Intercept
Rapid Development of Browser Security
Summary

Cross-Site Scripting Attack
Introduction
First Type: Reflected XSS
Second Type: Stored XSS
Third Type: DOM-Based XSS
Advanced XSS Attack
Preliminary Study on XSS Pay Load
XSS Payload Power
XSS Attack Platform
Ultimate Weapon: XSS Worm
Debugging JavaScript
Construction Skills of XSS
Turning Waste into Treasure: Mission Impossible
Easily Overlooked Corner: Flash XSS
Really Sleep without Any Anxiety: JavaScript Development Framework
XSS Defense
Skillfully Deflecting the Question: HttpOnly
Input Checking
Output Checking
Defense XSS Correctly Designed
Dealing with Rich Text
Defense DOM-Based XSS
See XSS from Another Angle of Risk
Summary

Cross-Site Request Forgery
Introduction
Advanced CSRF
Cookie Policy of Browsers
Side Effect of P3P Header
GET? POST?
Flash CSRF
CSRF Worm
Defense against CSRF
Verification Code
Referer Check
Anti-CSRF Token
Summary

Clickjacking
What Is Clickjacking?
Flash Clickjacking
Image-Covering Attacks
Drag Hijacking and Data Theft
Clickjacking 3.0: Tapjacking
Defense against Clickjacking
Frame Busting
X-Frame-Options
Summary

HTML 5 Securities
New Tags of HTML 5
New Tags of XSS
Sandbox Attribute of iframe
Link Types: Noreferrer
Magical Effect of Canvas
Other Security Problems
Cross-Origin Resource Sharing
postMessage: Send Message across Windows
Web Storage
Summary

APPLICATION SECURITY ON THE SERVER SIDE
Injection Attacks
SQL Injection Attacks
Blind Injection
Timing Attack
Database Attacking Techniques
Common Attack Techniques
Command Execution
Stored Procedure Attacks
Coding Problems
SQL Column Truncation
Properly Defending against SQL Injection
Using Precompiled Statements
Using Stored Procedures
Checking the Data Type
Using Safety Functions
Other Injection Attacks
XML Injection
Code Injection
CRLF Injection
Summary

File Upload Vulnerability
File Upload Vulnerability Overview
FCKEditor File Upload Vulnerability
Bypassing the File Upload Check Function
Functionality or Vulnerability
Apache File Parsing Problem
IIS File Parsing Problem
PHP CGI Path to Solve the Problem
Upload Files Phishing
Designing Secure File Upload Features
Summary

Authentication and Session Management
Who Am I?
Password
Multifactor Authentication
Session Management and Authentication
Session Fixation Attacks
Session Keep Attack
Single Sign-On
Summary

Access Control
What Can I Do?
Vertical Rights Management
Horizontal Rights Management
Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)
Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)
Summary of OAuth
Summary

Encryption Algorithms and Random Numbers
Introduction
Stream Cipher Attack
Reused Key Attack
Bit-Flipping Attack
Issue of Weak Random IV
WEP Crack
ECB Mode Defects
Padding Oracle Attack
Key Management
Problems with a Pseudorandom Number
Trouble with a Weak Pseudorandom Number
The Time Really Do Random
Breaking the Pseudorandom Number Algorithm Seed
Using Secure Random Numbers
Summary
Appendix: Understanding the MD5 Length Extension Attack

Web Framework Security
MVC Framework Security
Template Engine and XSS Defenses
Web Framework and CSRF Defense
HTTP Header Management
Data Persistence Layer and SQL Injection
What Can Think More?
Web Framework Self-Security
Struts 2 Command Execution Vulnerability
Struts 2 Patch
Spring MVC Execution Vulnerability
Django Execution Vulnerability
Summary

Application-Layer Denial-of-Service Attacks
Introduction to DDoS
Application-Layer DDoS
CC Attack
Restriction of Request Frequency
The Priest Climbs a Post, the Devil Climbs Ten
About Verification Code
DDoS in the Defense Application Layer
Resource Exhaustion Attack
Slowloris Attack
HTTP POST DOS
Server Limit DoS
Murder Caused by Regular Expression: ReDoS
Summary

PHP Security
File Inclusion Vulnerability
Local File Inclusion
Remote File Inclusion
Using Skill of Local File Inclusion
Variable Coverage Vulnerability
Global Variable Coverage
The extract() Variable Coverage
Traversal Initializing Variables
The import_request_variables Variable Coverage
The parse_str() Variable Coverage
Code Execution Vulnerability
“Dangerous function” Executes the Code
File Writing Code Execution
Other Methods of Code Execution
Customize Secure PHP Environment
Summary

Web Server Configuration Security
Apache Security
Nginx Security
jBoss Remote Command Execution
Tomcat Remote Command Execution
HTTP Parameter Pollution
Summary

SAFETY OPERATIONS OF INTERNET COMPANIES
Security of Internet Business
Security Requirements in Internet Products
Internet Products Need Security
What Is a Good Security Program?
Business Logic Security
Loopholes in Password Security
Who Will Be the Big Winner?
Practice Deception
Password Recovery Process
How the Account Is Stolen
Various Ways of Account Theft
Analysis on Why Accounts Get Stolen
Internet Garbage
Threat of Spam
Spam Disposal
Phishing
Details about Phishing
Mail Phishing
Prevention and Control of Phishing Sites
Phishing in Online Shopping
User Privacy Protection
Challenges in Internet User Privacy
How to Protect User Privacy
Do Not Track
Summary
Appendix: Trouble Terminator

Security Development Lifecycle
SDL Introduction
Agile SDL
SDL Actual Combat Experience
Requirements Analysis and Design Phase
Development Phase
Providing Security Functions
Code Security Audit Tool
Test Phase
Summary

Security Operations
Make the Security Operated
Process of Vulnerability Patch
Security Monitoring
Intrusion Detection
Emergency Response Process
Summary
Appendix

Já o adicionei a minha lista de desejos da amazon.