As the application development community focuses on building more secure applications against common cyber risks threatening organizations, application security stakeholders need to find the resources that will help them learn the basics, or gain some best practices, or validate existing knowledge in application security development.
In this blog post, we will present the top application security resources developers and various software security stakeholders can use to help them develop more secure applications for organizations.
Application security basics
The answers to this question posted on Stack Overflow will give you a good list of key security principles, with some of them including links for more detail. Among these security principles are “never trust any input,” “fail securely,” “use defense in depth,” and “adhere to the principle of least privilege.”
This article on the Google Developers’ Web Fundamentals site teaches you how to implement HTTPS and a Content Security Policy (CSP). You’ll also learn about detecting attacks on your website and ways to mitigate them.
Web security basics are an important part of building any web app, but they’re not always well understood. This article provides eight considerations for designing web applications, from validating unexpected input to securing user sessions.
The Open Web Application Security Project (OWASP) is an international community that creates resources to help architects and solution providers produce secure applications at the design stage. This resource takes key security principles, defines them with examples for ten different items, including “minimize attack surface area” and “fail securely.”
This book written by Microsoft security engineers Michael Howard and David LeBlanc is a staple in the field of software engineering. The authors cover threat modeling, designing an effective process for securing code, including international challenges, file systems, adding privacy to applications, conducting security code reviews.
Key security risks to address
While many resources focus on what you must NOT do to develop code that will get attacked, this is a list of what you SHOULD do to develop secure application code. The application security risks include Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Broken Access Control, Security Misconfiguration, Sensitive Data Leakage.
The OWASP Top 10 is a great starting point for learning about web application security and can also be used as a standard awareness document for improving application security. It is also recognized by developers as the first step toward more secure coding. The OWASP Top 10 is based on a broad consensus from over 200 experts across various industries worldwide.
The OWASP Mobile Security Project is a centralized resource for developers and security teams to get the resources they need when building and maintaining mobile applications. This project aims to provide a classification of mobile security risks as well as developmental controls to help reduce the impact or likelihood of exploitation of these risks.
MITRE’s Common Weakness Enumeration (CWE) is a community-developed list of common software security weaknesses, including over 700 weaknesses you can learn about by research, development, or architectural concepts. This resource will also prove useful for developers seeking to learn more about the Common Vulnerabilities and Exposures (CVE) list featured in the National Vulnerability Database.
This book is about the main security flaws identified in applicatifon development. Its content covers the OWASP Top 10 list along with several common flaws that are not part of the OWASP list.
Secure coding development lifecycle
This hands-on guide presents several security tools and techniques designed specifically to help you learn and integrate agile development to your usual software development methodology, introducing security principles to both security and agile practitioners.
What tools and processes can ensure that your code stays secure throughout the DevOps and Agile development lifecycle? This book answers the question by giving you a clear, hands-on picture of many current, real-world secure lifecycle chains and processes such as those used by Etsy and Netflix.
This project teaches you how to look for vulnerabilities to improve your chances of never writing them in your code the first place, highlighting how code reviews are an important step in catching security vulnerabilities early in development delivery process.
Security threat modeling process
This resource, discussing the threat actors, passive attackers, and local users and local servers, aims to help you define a threat model through the different types of attackers your application may be facing – with the overall goal of providing you value.
In this comprehensive technical resource, the OWASP analyzes the three key steps in the threat modeling process, from decomposing your application, determining and ranking the threats to determining mitigation measures. The OWASP threat modeling cheat sheet provides guidance in creating threat models for both existing and new systems or applications.
This article describes Dell EMC’s practical experiences with the threat modeling process, namely its main challenges, lessons learned, and description of the organization’s current developer-driven approach. It also discusses threat modeling as the most effective approach at finding architectural security flaws, namely failure to authenticate or authorize.
In this article, security editor Sean Gallagher discusses threat modeling as a way of looking at risks to identify the most likely threats to your application security or the biggest security risks to your software. It also objects that your application’s specific top risks may be different than the OWASP Top 10 list.
Defensive security programming
While Apple aims this resource at iOS and macOS developers, a lot of the information and advice is universal. Some of the sections cover elevating privileges safely, avoiding common security vulnerabilities, designing secure UIs, and writing secure helpers and daemons.
Despite being aimed at iOS and macOS developers, this resource provides a generic approach to the types of security vulnerabilities most identified in applications along with software Security Development Checklists.
This technical guide to defensive programming, from Red Hat, includes examples in C, C++, Java, Python, Shell/Bash, Go, and Vala, along with tutorials for eight programming tasks and instructions implementing security features, namely authentication and authorization, Transport Layer Security (TLS), hardware security modules, and smart cards.
This blog offers an introduction to defensive programming, its terminology history, disagreements when it comes to its definition while providing an archetypal example of defensive programming that take place in most C programs and discussing defensive programming challenges.
Basic security training and courses
This wiki by the Carnegie Mellon University’s Software Engineering Institute (SEI) lists the rules and recommendations reflecting current thinking in the software security community, as well as its Top 10 Secure Coding Practices.
This site from the SANS Institute provides free resources for developers and many fee-based training courses, including Web Application Security Awareness Training, designed to help developers build a security awareness culture.
In this open-source, Creative Commons-licensed website of one-day classes on various computer security topics, you will find an introduction on secure coding strategies and some introductory training on other topics such as vulnerability assessment, secure code reviews, cryptography, and software exploits.
SAFECode offers a wealth of security resources, namely some free online training and its Fundamental Practices for Secure Software Development document, but also a guide to tactical threat modeling, secure development guidelines, and a blog. The security development lifecycle, system hardening, secure cloud development, and other topics are among the topics covered by the training modules.
As an open-source, crowdsourced platform for security training and certification preparation, this resource also offers virtual labs and other resources for your preparation to many security certification programs, including CompTIA, CISA, CISM, CISSP, HIPAA, and PCI/DSS.
Similar to the courses offered by Harvard edX, Stanford Online, and Coursera, this college MIT course is one of the best ways to get yourself a foundation in application security. This open course covers, among other aspects, threat models, common exploits, network security, authentication, mobile security, and security economics.
An unprecedented increase in cyberattacks over the past few years has made application security a top concern for organizations, developers, and security specialists. The success of this ongoing journey hinges on a collective effort from the entire application security community, from security awareness organizations and web developers to cybersecurity professionals. And only a holistic, multifaceted approach to application security within its broader context of user access through network security, cloud security, and IoT security, could be the most effective approach to keeping malicious attackers at bay.
Contact us if you need help with your web application penetration test project.