Introduction

While you might be tempted just to skip to a particular chapter that interests you—say, Chapter 3, which deals with authentication, or Chapter 7, which deals with database security—you’ll probably be better served by starting at the front and reading through to the end. Our primary goal here is not to “give you a fish” by simply showing you security vulnerabilities, but rather to “teach you to fish” by discussing universal security principles. You should be able to take the same concepts you’ll learn in Chapter 4 on authorization and session management and apply them to the browser security issues found in Chapter 6. So again, please resist the temptation to skip around, at least on your first pass through.

We’ve divided this book into three sections. The first two chapters present a primer on both web application security concepts and software security concepts in general. If you’ve always wondered about how hackers break into web sites—or struggled to convince your boss to fund some security initiatives—then you’ll find what you’re looking for here. The second section, comprising six chapters and the majority of the content of the book, deals with principles of securing common areas of functionality of web applications. We’ll show the best ways to defend the integrity of your databases, file systems, user accounts, and many other important resources. Finally, the third section shows the most effective ways to put all the concepts you’ve lea....


  

You are currently reading a PREVIEW of this book.

                                                                                        
