As someone working with developers and concerned about software security, you want the ‘how to do it’. You don't want the technical details, you want to know how you can change your professional approach to deliver dramatically better software security for you and your colleagues at a minimum cost. You reach for the dummies guide, but there's little help available. This online book, written by me Charles, fills that gap.
Not so long ago, software developers mostly lived in a world of safety, in which crime and accidental privacy loss were virtually unknown, prevented because the computers stood alone and rarely communicated with each other. Nowadays every computer and every application is essentially part of a world computing network, widely accessible to other people; and criminals and accidental disclosure can hurt large numbers of people very badly.
We all know the stories – grandmothers losing their life savings to online fraudsters; cars potentially crashing at speed because their control systems are compromised; hospital patients dying because the hospital computers are encrypted by an ‘Internet Worm’. In 1990 such things were hardly considered; in 2000 only science fiction writers worried about them; in 2010 we started to see real problems; and by 2019 most people have personally encountered the risks and dangers of software security problems. They’re right to be worried.
Clearly software developers can have a part to play to keep software users from harm. In this book, I will show you how we can do this, alongside what helps a development team – programmers, testers, managers and product managers – to achieve security without compromising all the other demands on ourselves.
You can read this book online, by following the links on this site. Or you can get a Kindle e-book version by clicking on the link below:
Or you can download a PDF file and read it offline, using the link below:
Six years ago, I was running Penrillian, a 20-strong company devoted to creating leading edge software for mobile phones. Penrillian's customers were mainly mobile operators (‘carriers’), and we were delighted to receive the commission to produce the first commercial Android mobile money application. Our knowledge of software security was sketchy, so naturally we went to the internet to learn how to tackle secure software development. We found a good deal of information on how to use low-level APIs correctly; instructions how to sign apps; and a lot of horribly-detailed descriptions of ‘All The Things That You Might Do Wrong’.
Nowhere could I find a friendly step-by-step introduction to creating and verifying software design that would satisfy a given set of security needs. I was horrified at the omission, and when I had the opportunity to return to the academic life, he joined Security Lancaster and chose this as an area to study.
Two years later, NCSC, the government agency tasked with improving Britain’s cybersecurity, challenged the Developer-centred Security team at Security Lancaster to research interventions for software developers. They asked what would make a good intervention to help a software development team achieve better security; how would such an intervention work with different types of team and culture?
To find the answers, I first asked a range of some of the most successful people working to help software developers produce secure code, and analysed how they did it. I looked for positive approaches – most security experts love discussing attacks and failures, so this was harder than you might expect!
Based on that analysis, I put together a package and have been trialling it on a variety of development teams; I call this package ‘Developer Essentials’. I’ve conducted highly-structured trials with several companies and improved the package from the results. This book describes both the Developer Essentials package, and explains why each step is important, and how you might want to take it further.
My mission with this book is to help you to get your team good enough at software security, with minimum effort and even, perhaps, a small amount of fun.
This book is designed so that sections can be read in isolation, it isn't necessary to read the whole book at once. Each section takes less than five minutes to read, and covers one step on improving the security of the code delivered by a development team. You can get to each one individually through the buttons on the left-hand side of each page, or you can read them in order using the buttons at the end of each page. Each has some introductory explanation, instructions on how to incorporate it into Developer Essentials, followed by a discussion of alternatives and different ways to implement it. Most sections also have amusing illustrations by cartoonist Noel Ford.
If you’re planning to run the Developer Essential package yourself, we recommend reading all the ‘Developer Essentials’ sections before you start, as some are introduced within other steps. For example, Component Choice is something for the Developers to consider themselves in the Risk and Cost workshop. If you’re interested in a wider view, then read the whole of each step.