The top 3 risk as per OWASP is Broken Authentication and Session Management, even though OWASP does not mention Authorization. My question is how much detail your book covers on this topic. The prevention as per OWASP is extensive code review. My question is how viable this is.
I decided to have the ebook address CSRF and some points on Session Fixation. This is in one of the five chapters. I explain the attack and have an illustration as well as the mitigation techniques, particularly as given by OWASP. There are many variations on Session Mgmt attacks, but the ebook is meant to be a quick hit to address these in the immediate. I also have a chapter on Peer Code Reviews and yes, you are correct, they can be laborious and tedious, but necessary. That's why we can look to some tools, either purchased or free, to help facilitate these efforts.
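To make the two mitigations named in that reply concrete, here is an added example (not code from the ebook or from anyone in this thread) showing a session-fixation-prone login beside one that regenerates the session ID on authentication, plus a synchronizer-token CSRF check. The in-memory SessionStore, the USERS table and the demo() driver are constructed for illustration; a real application would use its framework's session backend and a password hash rather than a plaintext compare.

```python
"""Session fixation and CSRF mitigation: vulnerable login beside the hardened one.
Added illustration; SessionStore and USERS are constructed stand-ins."""
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session store standing in for a server-side backend."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # 256 bits from the OS CSPRNG; an unguessable id is a precondition for
        # every other session control to mean anything.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


# Constructed credential table; a real app verifies a password hash, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def login_fixable(store, sid, username, password):
    """VULNERABLE: keeps the pre-authentication session id after login.
    If an attacker planted `sid` in the victim's browser (session fixation),
    the attacker now holds an authenticated session for the victim."""
    sess = store.get(sid)
    if sess is None or USERS.get(username) != password:
        return None
    sess["user"] = username
    return sid


def login_safe(store, sid, username, password):
    """MITIGATED (per OWASP session-management guidance): on successful
    authentication, discard the old session and issue a fresh id, so an id the
    attacker knew beforehand never becomes an authenticated one."""
    if USERS.get(username) != password:
        return None
    store.destroy(sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def csrf_valid(store, sid, submitted_token):
    """Synchronizer-token check: the token carried in the request body must
    match the one bound to the session. Constant-time compare avoids leaking
    how many leading bytes matched."""
    sess = store.get(sid)
    if sess is None or submitted_token is None:
        return False
    return hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())


def demo():
    """Runs both flows on the same constructed input and reports the outcome."""
    pw = "correct horse battery staple"

    # Vulnerable flow: attacker obtains a session id, plants it, victim logs in.
    store = SessionStore()
    planted = store.create()
    login_fixable(store, planted, "alice", pw)
    attacker_wins = store.get(planted)["user"] == "alice"

    # Hardened flow: the planted id is destroyed and a new one issued.
    store2 = SessionStore()
    planted2 = store2.create()
    safe_sid = login_safe(store2, planted2, "alice", pw)
    attacker_loses = store2.get(planted2) is None and safe_sid != planted2

    # CSRF: only the token bound to the live session is accepted.
    token = store2.get(safe_sid)["csrf"]
    return {
        "fixable_login_leaks_session": attacker_wins,
        "safe_login_rotates_session": attacker_loses,
        "csrf_genuine_token_ok": csrf_valid(store2, safe_sid, token),
        "csrf_forged_token_rejected": not csrf_valid(store2, safe_sid, "forged"),
        "wrong_password_rejected": login_safe(store2, safe_sid, "alice", "nope") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check to add in a code review is the one login_safe makes and login_fixable omits: any transition that raises privilege (login, role change, password reset) must invalidate the existing session id and issue a new one; the CSRF token should likewise be bound to the new session, which the rotation above gives you for free.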
I believe there really is no substitute for the Peer Code Review process. Having other humans look at your code and provide feedback is invaluable, especially since the tools can sometimes give false positives, or worse, false negatives!
"So this is how liberty dies - to thunderous applause" -- Padme (Star Wars - Episode III)
subject: a3-Broken Authentication and Session Management