So, you’re working with a software development team. Perhaps you’re a technical lead, perhaps manager, perhaps an external consultant, or best of all perhaps a team member with inspiration. You know it’s vital that the team – developers, testers, product managers and all – address software security properly. What do you do next?
You look to the literature, and find that oddly enough there’s very little available. There are lots of books and websites terrifying you with all the things that can go wrong; there are one or two draconian-sounding ‘secure software development processes’. But where’s the ‘dummies guide’? Where’s the ‘easy introduction to software security for people who’ve other things on their mind’?
Well, perhaps it’s here! This guide is based on several years’ research by the authors, firstly leading secure development projects, then interviewing a wide range of software security experts. And so, based on the experience and a good deal of reflection and discussion, we’ve produced a step-by-step guide on what to do to help a professional development team get up to speed. There’s science behind it too: our paper on these techniques is here.
This handbook is to help you learn. We provide quizzes to help you learn, and practical exercises to do. There are many excellent resources out there to help, and we provide links to some of them too.
In this handbook we introduce a six-step plan of activities to help any software development team improve. If you’re doing all of the activities already – congratulations, you’re well on the way to good software security. If you’re not, read on!
The six activities are:
1. Incentivisation Event
2. The Threat Model
3. Component Choice
4. On-the-job Training
5. Static Analysis
6. Continuous Reminder
We’ll explore these in short ‘chapters’, on different pages in this website.
Secure development involves a range of people: programmers, testers, project managers, product owners and perhaps other roles. Throughout this handbook, we’ll refer to all of them as ‘developers’.
We’ll also include quotations from experts. And much as we’d like to give full credit, the quotations come from interviews done on condition of anonymity – so instead we have cited the role of the speaker.
This guide will continue to develop. Some sections are currently rudimentary; we’ll improve them. As people tell us what’s wrong and what can be done better we’ll incorporate their ideas.
We're positive people... One of the most frustrating things we found encountering books and writing on security is how negative everything seems to be within them. Security experts continuously harp on ‘bad things that can happen’ and ‘things you must not do’; even their most positive contributions tend to be “this clever way I’ve found of making bad things happen to you”. As software developers ourselves, we reacted against this: please don’t tell us what not to do – tell us how to do it right. And there the experts were silent; there were a few terrifying Secure Development Processes, and little else.
So in our research we decided to look for the positive: positive things developers can do to improve matters. We asked experts what were the positive things they did with developers to improve security. The experts told us a range of effective such ‘interventions’ used in companies and teams successful at software security.
But in our research we wanted something even more positive – techniques that would suit almost any development team. Some of these interventions identified by the experts were successful, but expensive: penetration testing, for example, requires skills that are hard to find. So we offer these with a health warning - a few techniques are only for those who need to spend money on security. Most, though, work for everyone - as we'll show, starting here.