Chapter 27: Further Reading — Security-First Development

Annotated Bibliography

1. OWASP Top Ten Web Application Security Risks

Source: OWASP Foundation. https://owasp.org/www-project-top-ten/

The OWASP Top Ten is the industry-standard awareness document for web application security. Updated periodically, it identifies the ten most critical security risks facing web applications. Every developer should be familiar with its contents. The 2021 edition introduced categories for insecure design and software and data integrity failures, reflecting the evolving threat landscape. This is the single most important reference for understanding what you are defending against.

2. OWASP Application Security Verification Standard (ASVS)

Source: OWASP Foundation. https://owasp.org/www-project-application-security-verification-standard/

While the Top Ten identifies risks, the ASVS provides a comprehensive framework of security requirements organized into three verification levels. Level 1 covers basic security hygiene, Level 2 covers most applications handling sensitive data, and Level 3 targets the highest-risk applications (banking, healthcare, critical infrastructure). Use the ASVS as a checklist when designing and reviewing your security controls. It is particularly valuable for vibe coders who need a structured way to evaluate AI-generated code against established security standards.

3. The Web Application Hacker's Handbook (2nd Edition)

Authors: Dafydd Stuttard and Marcus Pinto. Wiley, 2011.

Despite its age, this book remains the definitive guide to web application penetration testing. It provides deep technical detail on every major attack class: authentication, session management, access controls, input validation, logic flaws, and more. Understanding how attacks work is essential for writing defensive code. The techniques described are directly applicable to auditing AI-generated web applications.

4. Secure by Design

Authors: Dan Bergh Johnsson, Daniel Deogun, and Daniel Sawano. Manning, 2019.

This book presents security as a design concern rather than a testing concern. It introduces domain primitives, secure-by-construction patterns, and the concept of making insecure states unrepresentable in your type system. The approach aligns well with vibe coding: if you prompt your AI assistant to generate code using these patterns, the resulting code is inherently more secure. Chapters on input validation and domain modeling are particularly relevant.

5. Practical Cryptography in Python

Author: Seth James Nielson and Christopher K. Monson. Apress, 2019.

A hands-on guide to implementing cryptographic operations correctly in Python. Covers symmetric encryption, asymmetric encryption, hashing, digital signatures, key management, and common pitfalls. Essential reading for any developer who handles password hashing, token signing, or data encryption. The emphasis on common mistakes (using ECB mode, insufficient key lengths, confusing encoding with encryption) helps vibe coders recognize insecure patterns in AI-generated cryptographic code.

6. Identity and Data Security for Web Development

Authors: Jonathan LeBlanc and Tim Messerschmidt. O'Reilly Media, 2016.

Focuses specifically on authentication, authorization, and data protection for web applications. Covers OAuth 2.0, OpenID Connect, password storage, two-factor authentication, and token-based security in depth. While some implementation details have evolved, the architectural patterns and security principles remain highly relevant.

7. Flask Security Best Practices Documentation

Source: Flask and Flask-Security-Too documentation. https://flask.palletsprojects.com/ and https://flask-security-too.readthedocs.io/

The official Flask documentation covers session configuration, security headers, and deployment best practices. Flask-Security-Too provides a comprehensive security extension that bundles authentication, authorization, password hashing, and more. Reading these documents helps vibe coders understand what Flask does and does not provide by default, and what must be added manually or through extensions.

8. Supply Chain Security — SLSA Framework

Source: Supply-chain Levels for Software Artifacts. https://slsa.dev/

SLSA (pronounced "salsa") is a framework for ensuring the integrity of software artifacts throughout the supply chain. It defines four levels of increasing assurance, from basic build provenance to hermetic, reproducible builds. Relevant to Chapter 27's discussion of dependency security, SLSA helps developers understand the full scope of supply chain risks beyond just checking for known CVEs.

9. CWE/SANS Top 25 Most Dangerous Software Weaknesses

Source: MITRE Corporation. https://cwe.mitre.org/top25/

Complementing the OWASP Top Ten (which focuses on web applications), the CWE Top 25 covers the most dangerous software weaknesses across all software types. Each entry includes detailed descriptions, examples, and mitigation strategies. The CWE identifiers (e.g., CWE-79 for XSS, CWE-89 for SQL Injection) provide a standardized taxonomy for discussing vulnerabilities.

10. Python Security Best Practices — Snyk

Source: Snyk. https://snyk.io/blog/python-security-best-practices-cheat-sheet/

Snyk maintains a practical, regularly updated guide to Python-specific security best practices. It covers input validation, dependency management, secure coding patterns, and common Python-specific vulnerabilities (pickle deserialization, eval() injection, YAML parsing). The cheat sheet format makes it an excellent quick reference during vibe coding sessions.

11. Hacking APIs

Author: Corey Ball. No Starch Press, 2022.

Focuses specifically on API security, covering reconnaissance, authentication attacks, authorization flaws, injection, and mass assignment. Since most vibe-coded applications expose REST or GraphQL APIs, understanding API-specific attack vectors is critical. The book includes practical examples using tools like Burp Suite, Postman, and curl that can be adapted for security testing of your own APIs.

12. GitGuardian State of Secrets Sprawl Report

Source: GitGuardian. https://www.gitguardian.com/state-of-secrets-sprawl-report

GitGuardian's annual report provides data on the prevalence of hardcoded secrets in public and private repositories. The report includes statistics on the types of secrets most commonly exposed, the time to detection, and the industries most affected. The findings directly support the arguments in Section 27.7 about the urgency of secrets management, particularly in teams using AI code generation.

13. Threat Modeling: Designing for Security

Author: Adam Shostack. Wiley, 2014.

The authoritative guide to threat modeling, written by a former Microsoft security engineer. Covers the STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), data flow diagrams, and practical techniques for identifying threats before writing code. Threat modeling is a critical skill for vibe coders who must understand their application's threat landscape before prompting an AI to generate security-sensitive code.

14. Bandit Documentation and Rule Reference

Source: PyCQA. https://bandit.readthedocs.io/

Bandit is the standard Python security linter referenced throughout this chapter. The documentation includes a complete reference of all security checks, with explanations of each vulnerability type and remediation guidance. Understanding Bandit's rules helps you recognize the patterns it flags and proactively avoid them when reviewing AI-generated code.

15. JWT Best Current Practices (RFC 8725)

Source: IETF. https://datatracker.ietf.org/doc/html/rfc8725

This RFC documents security best practices for JSON Web Tokens based on real-world vulnerabilities and implementation experience. It covers algorithm selection, key management, claim validation, token lifetime, and common pitfalls. Required reading for anyone implementing JWT-based authentication, especially when evaluating AI-generated JWT code that may not follow these practices.