Further Reading

In this, the final section of the book, let us consider some resources for software developers to learn more about security. Here are six of the best.

Agile Application Security is the book we wish had been there when we first looked for software security advice. It provides a good introduction to software security for application developers, and to agile software development for security experts. It then explores a range of issues in much more detail than we have in this book. Though it assumes that there are security experts available to work with each development team, it is easy to read and contains invaluable practical advice.

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline, by Laura Bell, Michael Brunton-Spall, Rich Smith, and Jim Bird. O’Reilly Media 2017.

This book sets out to be the definitive guide to threat modelling, and succeeds. Based on the author’s extensive experience at Microsoft, it is targeted at security experts and assumes more technical knowledge than many software developers will have; but the writing is approachable to anyone, and this is definitely a book to have on your shelf.

Threat Modeling: Designing for Security, by Adam Shostack. Wiley 2014.

These papers explore the knowledge set out in this book in more detail. While they are not written for software developers, they provide a foundation for the advice in this book.

Developer-centred Security Papers from Security Lancaster

This book describes a set of ‘anti-patterns’ for software developers. It explores each kind of security flaw, with examples, an explanation of why it is problematic, and references to the security literature around it. This is a book to dip into rather than read from cover to cover, but it is worth having on your shelf.

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, by Michael Howard, David LeBlanc, and John Viega. McGraw-Hill 2009.


A free online list, regularly updated, of the most critical security risks to web applications. It covers similar ground to the above in a much shorter form, and is a good place to check which kinds of flaw are currently most common.

OWASP Top Ten Application Security Risks

Though not specific to software development, Bruce Schneier’s blog, with its commentary on and links to security-related news stories (also available as a monthly email digest, Crypto-Gram), is one of the most widely used resources for software developers who want to keep up to date with security issues.

Schneier on Security


Supported by these resources, you can keep your knowledge of software development security up to date.


May success attend your efforts! And please let us know how you get on, and what might help us improve this work for other readers.


 - Charles and the Security Lancaster team.