The Defender’s Mindset is a series designed for software developers, technical leaders, and security professionals who want to move beyond basic theory and implement practical, real-world defense strategies.
Cybersecurity is no longer just a “feature” — it is a fundamental requirement of modern engineering. This series bridges the gap between high-level security concepts and the hands-on reality of daily technical work. From the architectural level to the latest legislative requirements like the EU Cyber Resilience Act, these books provide the tools you need to build more resilient, secure, and high-quality software.
Regulatory Compliance: Practical guides to navigating complex frameworks like the EU Cyber Resilience Act.
Vulnerability Analysis: Real-world case studies to help you think like an attacker to build like a defender.
Equip yourself with the technical depth and strategic perspective required to protect modern digital ecosystems. Whether you are a senior developer or a technical manager, The Defender’s Mindset is your roadmap to professional-grade security.
A hands-on guide for Engineering Teams and Security Specialists
Cybersecurity is no longer just a “feature” — it is a fundamental requirement of modern engineering. In an era of escalating threats and rigorous new regulations, building software that is secure by design and by default is not just a best practice; it is a necessity for business success.
This book, part of “The Defender’s Mindset” series, provides a practical roadmap to professional-grade security. Moving beyond abstract theory, it offers a hands-on exploration of real-world attack patterns and the concrete strategies needed to mitigate them.
Whether you are an architect securing industrial automation systems or a developer building cloud APIs, this guide equips you with the “The Defender’s Mindset” required to transform potential vulnerabilities into robust, resilient, and high-quality software.
The volume is composed by 4 main sections:
Section 1: Cybersecurity Fundamentals → A simplified, bare-bone version of central cybersecurity topics. It covers the concept of Cybersecurity Posture, the Defense in Depth principle, and international standards such as:
CWE – Common Weaknesses Enumeration (https://cwe.mitre.org/)
CVE – Common Vulnerabilities and Exposures (https://www.cve.org/)
CVSS – Common Vulnerability Scoring System (https://www.first.org/cvss/)
IEC 62443 (https://www.isa.org/)
Section 2: Quality Assurance Fundamentals → Focuses on the most useful and practical methodologies and tools required for secure development. Topics include SAST, DAST, and the Secure Software Development Lifecycle (SSDLC).
Section 3: Hall of Fame → An exploration of high-impact flaws and scenarios. It covers the following scenarios:
ReDoS (Regular Expression Denial of Service)
Direct SQL Injection
Indirect SQL injection (via number format)
Indirect SQL injection (via number separators)
Path traversal / Directory traversal
Command injection & remote execution
Deserialization of Untrusted Data
TOCTOU (Time-of-Check to Time-of-Use)
NOP Sled / NOP Slide
Reverse Shell / Bind Shell
Cross-Site Scripting (XSS)
Section 4: Vulnerabilities & Mitigations → The core of the book, which applies the previously discussed principles to demonstrate specific ways to mitigate dangerous defects and vulnerabilities that could be exploited by malicious actors. Its contents are organized in eight subsections:
Memory & Resource Management
CWE-125: Out-of-bounds Read
CWE-787: Out-of-bounds Write
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
CWE-416: Use After Free (UAF)
CWE-459: Incomplete Cleanup
CWE-476: NULL Pointer Dereference
CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CWE-913: Improper Control of Dynamically-Managed Code Resources
CWE-611: Improper Restriction of XML External Entity Reference
CWE-776: Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)
CWE-611 vs CWE-776
CWE-502: Deserialization of Untrusted Data
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-434: Unrestricted Upload of File with Dangerous Type
Authentication & Authorization
CWE-287: Improper Authentication
CWE-306: Missing Authentication for Critical Function
CWE-798: Use of Hard-coded Credentials
CWE-284: Improper Access Control
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-269: Improper Privilege Management
CWE-384: Session Fixation
CWE-613: Insufficient Session Expiration
Cryptography & Data Protection
CWE-295: Improper Certificate Validation
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-326: Inadequate Encryption Strength
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-312/316: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-522: Insufficiently Protected Credentials
Information Disclosure & Logging
CWE-200/209/532: Exposure of Sensitive Information to an Unauthorized Actor
CWE-525: Use of Web Browser Cache Containing Sensitive Information
CWE-117: Improper Output Neutralization for Logs
Concurrency & (Multi)Threading
CWE-362/367: Race Condition: Concurrent Execution using Shared Resource with Improper Synchronization / Time-of-check Time-of-use (TOCTOU)
CWE-667: Improper Locking
CWE-412: Unrestricted Externally Accessible Lock
Logic Design, Control Flow, Supply Chain
CWE-426/427: Untrusted Search Path / Uncontrolled Search Path Element
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
CWE-918: Server-Side Request Forgery (SSRF)
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (“Prototype Pollution”)
CWE-942: Permissive Cross-domain Policy with Untrusted Domains
CWE-598: Use of GET Request Method with Sensitive Query Strings
CWE-233: Improper Handling of Parameters
CWE-345: Insufficient Verification of Data Authenticity
CWE-385/1281: Covert Timing Channel
Each section analyses multiple vulnerabilities and their possible mitigations from the point of view of the CWEs that best fit their patterns. Along with the code samples, you will also find:
A list of related CVEs of known exploitable vulnerabilities along with their CVSS.
Regulatory and standard violations, mainly in the context of the IEC 62443 and in some instances, also EU NIS2 and EU Cyber Resilience Act.
The following images are screenshots from the book pages:
Think of this book as a technical guide to translating legal requirements into actionable tickets, design specifications, and test plans. We’ll focus on the sections of the CRA that directly impact developers, security engineers, and product managers, and we’ll try to provide a practical answer to the most crucial questions, like:
What defines “critical” vs. “non-critical” software?
What are the required security properties (e.g., security by design)?
What documentation and logging are legally mandated?
How long must we provide support and security updates?
How do we implement a proper SSDLC (Secure Software Development Lifecycle)?
What do my team need to do to keep things running smoothly on the long term?
Which are the penalties for non-compliance?
In a few words: its goal is to move past the initial dread of regulatory complexity and empower you to build resilient software with the clarity the CRA demand
Table of contents
Section 1: The global landscape
1. Glossary of (not so obvious) terms.
2. The Regulatory Thicket..
Section 2: Cybersecurity fundamentals.
Preamble
3. Cybersecurity is a first-class citizen
4. Cybersecurity posture.
5. Cybersecurity misconceptions.
6. The “Defense in Depth” principle
7. Software Bill Of Materials (SBOM)
8. SemVer 2.0
9. Organizations, knowledge bases, standards and data formats.
10. IEC 62443.
Section 3: Quality Assurance fundamentals
11. Quality Assurance principles.
12. VCS and code branch management.
13. Structured commits messages.
14. SAST & DAST.
15. Software Development Lifecycle (SDLC)
16. Secure Software Development Lifecycle (SSDLC)
17. CI/CD
Section 4: The CRA “TL;DR” (Too Long; Didn’t Read)
18. General aspects of the CRA
19. The CRA timeline
20. Obligations
21. Products classification and the certification process.
22. The CRA “Modules” for certification
23. Technical Documentation
24. Risk assessment.
25. Vulnerability Handling Policy
26. EU Declaration of conformity.
27. CE Marking.
28. Product lifecycle (simplified view)
29. Enforcement
30. Sweeps and investigations..
31. CRA Penalties for Non-Compliance
32. The dual-track of liability..
33. Are you “guilty” in case of successful attack to your product?
34. How to use NANDO to find authorized testers and Notified Bodies.
35. What about Open-Source Software (OSS) Stewards?
36. What about custom-tailored products and “one shot” projects?
37. Use case 1: connected complex systems and “combined products”
38. Use case 2: non-connected complex systems and “combined products.”
39. I want to become a Notified Body!.
Section wrap-up
Section 5: In-depth analysis of the Regulation
40. Structure of the Regulation
41. Preamble and Recitals
42. Chapter I – General provisions
43. Chapter II – Obligations of economic operators and provisions in relation to FOSS
44. Chapter III – Conformity of the product with digital elements.
45. Chapter IV – Notification of conformity assessment bodies
46. Chapter V – Market surveillance and enforcement.
47. Chapter VI – Delegated powers and committee procedure..
48. Chapter VII – Confidentiality and penalties
49. Chapter VIII – Transitional and final provisions
50. ANNEX I – Essential cybersecurity requirements.
51. ANNEX II – Information and instructions to the user.
52. ANNEX III – Important products with digital elements.
53. ANNEX IV – Critical products with digital elements
54. ANNEX V – EU Declaration of conformity.
55. ANNEX VI – Simplified EU declaration of conformity.
56. ANNEX VII – Content of the technical documentation
57. ANNEX VIII – Conformity assessment procedures.
Software development is an ongoing process of learning and refinement. Each day brings the challenge of seeking better ways to build software – more efficient code, more robust systems. Having benefited from the kindness and wisdom of colleagues and many, many other authors, I now find myself in a position to share my own insights into Defensive Design, Defensive Programming and Quality Assurance.
Defensive Design, Defensive Programming and Quality Assurance are vast, multi-faceted, complex topics with deep historical roots and significant ramifications across multiple aspects of IT.
Defensive Programming is a software development technique designed to improve the robustness and reliability of code. It’s about anticipating potential problems and implementing safeguards to prevent them, in order to improve, and potentially guarantee, User Safety, Cybersecurity, System Integrity, Privacy and Data Confidentiality.
Defensive Design is its counterpart at a higher abstraction level, and involves creating infrastructures and architectures able to host and run code created with the Defensive Programming principles. As the two faces of the same medal, they both involve many different aspects of programming and different strategies, depending on the kind of application, and the technologies used to create it.
Quality Assurance is the means by which a consistent and unified work methodology is achieved for all its principles. Defensive Design, Defensive Programming and Quality Assurance are practically inseparable; one cannot be effectively maintained long-term without the other.
If you are interested, you can buy “Practical Defensive Design, Defensive Programming and Quality Assurance principles: Full-color edition with C# examples”, on Amazon
Table of contents
The topics treated in the book are the following:
Section 1 General principles and landscape 1. Defensive Design and Defensive Programming core principles 2. KPIs (Key Performance Indicators) 3. System health 4. Cybersecurity misconceptions 5. The “Defense in Depth” principle
Section 3 Cybersecurity 12. Cybersecurity is a first-class citizen 13. Cybersecurity posture 14. Cybersecurity rules of thumb 15. Software Bill Of Materials (SBOM) 16. SemVer 2.0 17. Knowledge bases and data formats 18. IEC 62443 19. Authentication vs Authorization 20. Security models, schemas, domains 21. Notable laws and regulations 22. Cyber Resilience Act (CRA)
Section 4 Quality Assurance 23. Quality Assurance principles 24. VCS and code branch management 25. Structured commits messages 26. SAST & DAST 27. The STRIDE and DREAD-D frameworks 28. Software Development Lifecycle (SDLC) 29. Secure Software Development Lifecycle 30. CI/CD
Section 5 Good practices, Bad practices, and everything in-between 31. Adopting the proper mindset 32. Embrace the power of D.D.D. 33. Architecture and high-level design 34. Low-level modeling and coding best practices 35. Your data is sacred 36. Evolving the system 37. Thinking like a defender 38. All Hands, Safe and Sound
IT: Questo sito o gli strumenti terzi da questo utilizzati si avvalgono di cookie necessari al funzionamento, ed utili alle finalità illustrate nella cookie policy. Chiudendo questo banner, scorrendo questa pagina, cliccando su un link o proseguendo la navigazione in altra maniera, acconsenti all’uso dei cookie.
EN: We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
