Book Review: WASEC By Alessandro Nadalin
This blog post is a book review for the WASEC (Web Application Security for the everyday software engineer) book by Alessandro Nadalin.
First of all, I have worked with Alessandro on building the security program for Namshi (an Emaar-acquired company in Dubai, United Arab Emirates). It was an excellent experience with great talents I had the chance to work with. Alessandro was the CTO of Namshi, with a high record of achievements in the tech industry. Visit Alessandro’s website or the Namshi blog to read more.
The WASEC book is an intro to security engineering for web-based services. If you’re a web developer, a software engineer who works with web technologies, or an enthusiast who would like to understand the fundamentals of web security from a security engineering perspective, then this book is an excellent intro and a must-read.
The book focuses on browser security features and utilizing them in building secure web-apps. WASEC also dives into explaining the HTTP protocol, and the differences between HTTP, HTTPS and HTTP/2, in a simple way.
The 7th chapter discusses DDoS attacks in a general manner, and what it is like to be in the middle of a DDoS attack.
Bug Bounty Programs are also covered from the perspective of companies. Namshi has a bug bounty program with one of the highest-paid rewards in the Middle East. Check the bug bounty program at Namshi Security. Alessandro shared some of his experience in running the program for the past few years.
One of the topics I enjoyed reading was “Logging Secrets”. It’s something that is not typically discussed extensively, and should be kept in mind when integrating logging systems into applications.
I liked the language that the book is written in: a very simple, yet informative one that would encourage anyone to recommend the book to students and starters.
Another point I liked is that WASEC discusses new/modern security technologies and standards. I will list some here:
- Same-Site Cookies
- HPKP (HTTP Public Key Pinning) - it’s now dead. The book discusses why, and the replacements.
- CSP (Content Security Policy)
- Stateful vs. Stateless Authentication
- Dependencies security
- CDNs (Content Delivery Networks) and how to validate and SRI (Sub-Resource Integrity)