Hackable: How to Do Application Security Right
Book written by Ted Harrington
Book review by Helen Patton
Hall of Fame Candidate
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
“Hackable: How to Do Application Security Right” by Ted Harrington is an excellent book for any security practitioner to read. It could be argued that the focus of the book is application security and that it would qualify as a “niche book” if read only through that lens. A closer reading shows that the author is a seasoned security practitioner who applies timeless security philosophies to his topic. All security practitioners can learn from his approach, even those who don’t do application security as a primary focus. The book is well written and easily consumable. For this reason, I recommend this book for inclusion in the Cybersecurity Canon.
There have been a number of books written about application security. This one is targeted at technology leaders (for example, chief technology, information, and security officers). I appreciate that, while his purpose is to write a pragmatic, easy, actionable approach to application security, he ties the topic back to the larger security purpose – creating trust and enabling competitive advantage.
He sums it up this way:
“You build better, more secure products.
You gain a competitive advantage.
You earn trust.
You win sales.”
A quick review of the chapter topics gives you a clear outline of his approach. The first half of the book focuses on the art of application testing:
- Pick the right partner
- Choose the right assessment methodology
- Get the right security testing
- Hack your system
- Fix your vulnerabilities
- Hack it again
The second half extends this to broader security and risk management concerns:
- Spend wisely
- Establish your threat model
- Build security in
- Win Sales
Each chapter opens with a lie, followed by a truth. Taken together across all chapters, these summary statements form a sound security philosophy that is extremely relevant to technology executives. For example, the “Build Security In” chapter begins:
LIE: Develop first, then secure
TRUTH: Secure as we develop
The author uses simple language, examples, and analogies to explain application security testing concepts and approaches, without sugar-coating the operational challenges that technology leaders must face. Each chapter ends with a list of “Big Ideas” summarizing the concepts covered in the chapter, along with a link to online exercises and resources. This format of introduction, pragmatic instruction, and summary with further tools and support is a very effective method of teaching the reader the fundamentals of application security.
What makes this book evergreen is its recommendations to leaders about how to think about and manage security concerns. As the author notes, security is an investment, a strategic differentiator, and a builder of trust. In “Hackable,” the author gives concrete examples of how this plays out in big and small companies, and guidance on how to implement this approach. For many security practitioners this isn’t new thinking, but many struggle to put the philosophy into practice. This book gives actionable steps for leaders and practitioners to help them on their security maturity journey.
“Hackable: How to Do Application Security Right” by Ted Harrington will help technology leaders think about and implement a mature application security program in their organization. It will also help them think about security more holistically. The pragmatic and actionable information in this book is sorely needed in our industry, and by our partners. As the author notes, “security is a team sport.” This book helps the entire team. I recommend it as a Hall of Fame candidate.