Next steps in developer security

On this page, we have gathered some resources for development teams to help improve security. We address each assurance technique in turn. Note that we may receive  a token commission on referrals.

Automated Static Analysis

OWASP have a huge list of tools; G2 and  Analysis.dev attempt recommendations; 

Thomas Scanlon offered suggestions how to choose.

 

Configuration Review

Techbeacon suggests options and guidelines. Also consider Whitesource.

Penetration Testing

The UK Industry body for penetration testers, CREST lists its approved suppliers here, including support worldwide.


Threat Assessment

There is a description of this vital activity here; and detailed instructions in the second DSE workshop materials. Other approaches include anti-personas, attacker stories (Agile Application Security, Ch 7), and Adversary Personas.

Automated Penetration Testing

Two tools lead the market for testing websites: Detectify and Acunetix. Other tools will be on OWASP's list (though this includes many tools that require professional skills to use).

Code Review

Checkout Michael Lynch's article on checking reviews here. We have guidelines and resources here. The book Agile Application Security has a chapter.  


Team-based Assurance Techniques

The activities Product negotiation, Contingency plan, Security champion, Standardisation, and On-the-job training are team-based. For support on them we recommend the resources below.

'Agile Application Security' is the book we wish had been there when we first looked for software security advice. It provides a good introduction on software security for application developers, and to agile software development for security experts, and explores a range of issues. Though it assumes that there are security experts available to work with each development team, is easy to read, and contains invaluable practical advice and some recommendations on practical tools to use.

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline, by Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird. O’Reilly Press 2017.   

'Threat Modelling' sets out and achieves to be the definitive guide to threat modelling. Based on the author’s extensive experience at Microsoft, it’s targeted at security experts, and assumes more technical knowledge than many software developers will have; but the writing is approachable to anyone, and this is definitely a book to have on your shelf.

Threat Modeling: Designing for Security, by Adam Shostack. Wiley 2014

The standard online starting point for 'technical security' aspects of code:

OWASP Top Ten Application Security Risks 

Though not specific to software development, this monthly email of links to security-related news stories is one of the most widely-used resources for software developers who want to keep up to date with security issues.

Schneier on Security

 

Supported by these, you can have a state-of-the-art knowledge of the best ways to achieve software development security. 

 

May success attend your efforts! And please let us know how you get on, and what might help us improve this work for other readers.

 

 - The Developer Security Essentials team