If you don't fix your security vulnerabilities, attackers will exploit them. It's simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.
Whether you're a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn't, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don't realize what you're doing wrong.
To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world's foremost companies secure their technology. Hackable teaches you exactly how. You'll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You'll build better, more secure products. You'll gain a competitive edge, earn trust, and win sales.
It was mostly a lot of marketing fluff about why you should use consulting companies like his to do application security. When you strip away the marketing fluff, which is 75% of the book, he talks about general purpose security strategies that you could apply to any security program but not specifically to how you would improve the security of your app development. He didn't even mention DevOps, site reliability engineering, regression testing, tool sets to consider and what to look for, or even programming languages that he would prefer. His main advice seems to be to decide to "Just Do it" and all of your problems will be solved.
The cause behind many information security incidents is vulnerable networks and applications. In Hackable: How to Do Application Security Right (Lioncrest Publishing), author Ted Harrington has written a helpful guide to slow down this dangerous problem. Harrington is president of Independent Security Evaluators, has his hands on the pulse of the industry, and has written a pragmatic guide to educate the reader on the importance of application security.
Far too many firms try to do security by following a check-box-like approach, and that is precisely the approach the book is trying to stop firms from taking. Harrington takes somewhat of a contrarian view in his approach to security testing. Some of his suggestions run contrary to what industry best practices and firms like Gartner suggest, and that is not necessarily a bad thing.
An example of his contrarian approach is his disdain for black-box security testing, which he considers a waste of time and money. Black-box testing is an approach that limits the information given to your penetration testers, in order to replicate real-world conditions better. A white-box approach is when the firm being tested provides the penetration testing team with information about the systems being tested and administration-level credentials to perform the test. To which Harrington writes (not incorrectly) that a white-box approach makes the best use of your time and money.
The rest of the book builds on that idea, and he writes of many misconceptions firms have when it comes to security testing. These include firms misunderstanding the difference between vulnerability scans and vulnerability assessments, why bug bounty programs can be of little value to many firms, and more.
One of the most insightful points he makes in the book is when he writes that “security is a loop, not a line.” Too many firms think their security process is done after they perform their annual pen test. But the reality is that security is an endless loop of determining your threat model, performing assessments against that model, remediating those threats, and then doing that all over again.
Chapter 8 details how to establish your customized threat model. By knowing and understanding what to protect, whom to defend against and where you will be attacked, a firm can ensure they are putting their budgets and efforts in the right places. The chapter details numerous threats, including nation-states, insiders, and more, to help you establish a threat model that works for you.
A final important point the book makes is that while many software companies tend to think that security slows down the development process, that is simply not the case. He shows that by building security into the development process, you will get better security that costs less in the end, and due to a formal program to deal with the security issues in the development process, it will, in fact, not slow things down.
For those looking to understand what they need to do around application security, Hackable: How to Do Application Security Right is an excellent high-level guide to start them on their journey.
In this era of computer data breaches happening seemingly every week, computer security has become a very important subject. This book, written by the head of a computer security company, gives the details.
First, establish a partnership with an external computer security company. Your internal IT people may be the best, but they can't do it all by themselves. Most companies think that they need a penetration test, but what they really need is a vulnerability assessment. A penetration test will answer a Yes/No question (Will X work in situation Y?), but a vulnerability assessment will go through your whole system, looking for problems. You should absolutely give the external company a tour of your system, ahead of time. You don't want them wasting their time, and your money, finding vulnerabilities that you already knew about.
When you are presented with the list of found vulnerabilities, whether it's a few or a lot, Fix Them, or get them fixed. Prioritize those that have to be fixed today, and those that can wait. After they are fixed, the external company needs to do a remediation test. It is to make sure that the problems were fixed, and that fixing one problem didn't create several more problems.
The book says that there is no such thing as "perfect" security, or being "done" with security. Internal files are moved, and internal settings are changed, every day, so new vulnerabilities may be created every day. A vulnerability assessment needs to be done a couple of times per year. How much do you not want to be the next corporate victim of a hacker attack? On your company website, have a separate page that talks all about computer security. Explain exactly what you are doing; potential customers will be very interested. Don't simply say "We guarantee the best computer security anywhere."
Computer security can be a very complex subject. The author does an excellent job at making it understandable by the average person. This book is full of information, and is very easy to read. It is well worth the time.
An important book for anyone trying to understand software security in a nontechnical way. The author does an incredible job explaining all the different phases of security and how to do it right. According to Ted, in the end it all comes down to consistency and having a good external partner; communication with this external partner is super important. As an engineering student I was expecting a deeper dive into the technicalities of this subject, but I don't mind the actual result. Although you don't get a full explanation of all the technical stuff, you do get some important references and I think this is a good way to get introduced to cybersecurity.
This was a great book, very readable, and does a fine job digging into how to think about security (in particular application security) in a more comprehensive fashion. I appreciated the detailed explanation of commonly misused terms, like penetration testing, to provide a layered understanding but probably the best take away for an engineering leader was understanding how to pitch security as a competitive advantage rather than a cost center.
Ted Harrington is extremely knowledgeable on application security. If you are looking to understand the mechanics of how to embed security into the SDL, then this is not your book. There is much more to application security than DAST and SAST. If you are looking to understand the best approach to securing your applications, then this is a great book.
This book has some practical commonsensical advice, on how to do application security. What is suggested emphasizes things beyond the CSSLP. The rationale however is not justified, within the book, though perhaps some more of it may be known to the author.
Too basic for a lot of real world use. Summary is that this book oozes an arrogant tone and marketing feel to drive business to his and similar companies' services. Once distilled to its essence, he could have made this a white paper of just a few pages of helpful content. Skip it. Nothing here that you could not find via a web search and with no money spent.