Book Review: WASEC By Alessandro Nadalin
This blog post reviews the WASEC (Web Application Security for the Everyday Software Engineer) book by Alessandro Nadalin.
First, I have worked with Alessandro to build the security program for Namshi (an Emaar-acquired company in Dubai, United Arab Emirates). It was an excellent experience, and I had the chance to work with great talent. Alessandro was the CTO of Namshi, with a strong record of achievements in the tech industry. Visit Alessandro's website or the Namshi blog to read more.
The WASEC book is an intro to security engineering for web-based services. Suppose you’re a web developer, a software engineer who works with web technologies, or an enthusiast who would like to understand the fundamentals of web security from a security engineering perspective. In that case, this book is an excellent intro and a must-read.
The book focuses on browser security features and how to use them when building secure web apps. WASEC also explains the HTTP protocol and the differences between HTTP, HTTPS, and HTTP/2 in a simple way.
The 7th chapter discusses DDoS attacks in general terms and what it is like to be in the middle of one.
Bug bounty programs are also covered from the company's perspective. Namshi runs a bug bounty program with some of the highest rewards in the Middle East; see the program page at Namshi Security. Alessandro shares some of his experience running the program over the past few years.
One of the topics I enjoyed reading was "Logging Secrets". It is a topic that deserves more extensive discussion and should be considered whenever logging systems are integrated into applications.
I liked the language the book is written in; it is straightforward yet informative, which makes it easy to recommend to students and beginners.
Another point I liked is that WASEC discusses new and modern security technologies and standards. I will list some here:
- Same-Site Cookies
- Security.txt
- HPKP (HTTP Public Key Pinning) - now deprecated; the book discusses why and what replaces it.
- CSP (Content Security Policy)
- Stateful vs. Stateless Authentication
- JWT
- Dependencies security
- CDNs (Content Delivery Networks) and how to validate assets served from them with SRI (Subresource Integrity)