The truth of the matter is, you have no idea what will happen to your code once your application is released. Your code may be used again down the line, it may be altered – and it will most certainly be used in ways you never imagined. Can you start to see why security does actually play an important role in organizations which develop applications?
Luckily, if you’re in a position where you interact with code, you have a direct way to help better secure our applications and devices. And with that power comes responsibility – the responsibility of playing your part in helping secure the world’s software.
To give anyone who works with code a boost in their security education, we’ve curated a collection of application security resources for developers at every stage of the arduous (yet rewarding) journey into application security. Because when it comes to application security, your education is never complete.
And if you’re part of the security team, consider sharing this collection with your colleagues on the development teams – you just might help spark a conversation about secure coding!
The first place to start with application security is with OWASP. If you’re not familiar, OWASP stands for the Open Web Application Security Project, a non-profit, international organization dedicated to spreading security awareness and offering resources to help all parts of an organization get involved in the application security program. (Read more about what OWASP is all about here.)
The OWASP Top Ten is a “powerful awareness document for web application security,” and represents a broad consensus about the most critical and most commonly found security risks in web applications. It’s recommended that all organizations adopt the OWASP Top Ten, as it offers a simple way to get the ball rolling on application security within your organization.
After absorbing the Top Ten categories of vulnerabilities you should be working to avoid in your code, the next stop is the OWASP Top Ten Cheat Sheet, which details the best practices and techniques you should apply while coding to keep each of them out.
Microsoft has amassed a collection of resources over the years to help its own developers, and the community at large, write secure code. The company was an early adopter of integrating security into the software development lifecycle (its Security Development Lifecycle, or SDL), and the valuable information, best practices, and techniques it has gathered along the way can be found in this resource.
Developed by ISC, this printable PDF offers ten best practices that organizations should follow as they develop applications. While the sheet is aimed at security managers, it’s an important read for developers, too. Learning the ‘why’ behind application security will help you understand why the secure practices you put in place while coding are essential for the overall health of your organization.
A comprehensive overview of web application security, this guide delves into the most common security issues in web applications and offers both the techniques for preventing such mistakes and the rationale: how, if the vulnerability stays in the code, an attacker could use it against the application.
The guide is printable, and acts as a great tabletop resource for when you have a specific question about a certain issue or practice. In addition to the online guide, a checklist is provided to walk developers through the security process as they code. Also printable, the web application security checklist is a great way to ensure your code is on the right track.
No matter how much application security expertise you have, there is no better resource or place to turn than OWASP. For newbies, it’s imperative that you familiarize yourself with OWASP’s numerous resources, and the cheat sheets offer digestible tips about the security issues you should aim to understand and help prevent. There is a section of cheat sheets dedicated to the builder (that is, the developer), so bookmark these OWASP cheat sheets for a quick stop as you code and as you review what you’ve built.
Bonus: A PDF version that makes finding what you need even easier.
Written for those developing web applications at Mozilla, the guide is nonetheless broadly applicable to achieving security in any web application. It sets forth best practices based on Mozilla’s own experience in securing web apps, so it’s a valuable resource to check out when implementing security features and reviewing your code.
This resource is maintained by CERT, the division of Carnegie Mellon University’s Software Engineering Institute, a federally funded research and development center, so you can be sure you’re getting up-to-date and effective information. The collection of standards includes one set of general best practices, and then drills down into language-specific secure coding standards for C, C++, Java, Perl, and Android.
There are going to be times, many times even, when you’re stuck with a security question that you can’t seem to find an answer to. Fear not, because you’re not the only one. Stack Exchange offers a community just for security questions. Sign up today and remember you are not alone!
This article from Paragon offers a great high-level overview of what AppSec is and why it is important, and presents a “taxonomic model” of security vulnerabilities that groups security issues into classes with similar ‘features.’ It’s a different way to look at AppSec, but it teaches developers to look at the fundamental problem behind a vulnerability, as opposed to just checking whether the issue exists and fixing it without giving it a second thought.
Breaking down the different types of cross-site scripting (reflected, stored, and DOM-based) and the best ways to deflect each of them while writing code, this article (by yours truly) also includes a downloadable, printable guide of the do’s and don’ts of XSS. Perfect to keep close by as you learn more about spotting possible XSS issues.
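The core of every XSS defense is the same: encode untrusted data for the exact context it lands in (HTML body, HTML attribute, JavaScript string, URL) rather than trying to filter out “bad” input. The block below is an added example written for this post, not code from the XSS article or its printable guide. It renders the same constructed attacker payload once with no encoding (a reflected XSS bug) and once with per-context encoding; the function names and the `https`-only link allowlist are this example’s own choices.

```python
import html
import json
from urllib.parse import quote, urlsplit

# Constructed attacker input for the demo; it tries to break out of a quoted
# attribute, an HTML element and a JavaScript string all at once.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(name: str, site: str) -> str:
    """Reflect user input straight into three contexts: classic reflected XSS."""
    return (
        f'<p>Hello {name}</p>\n'
        f'<a href="{site}">Your site</a>\n'
        f'<script>var user = "{name}";</script>'
    )


def for_html(s: str) -> str:
    """Element content and quoted attribute values: escape & < > \" and '."""
    return html.escape(s, quote=True)


def for_js_string(s: str) -> str:
    """Data placed inside a JavaScript string literal in an inline <script>.

    json.dumps yields a complete, double-quoted JS string literal. On top of that,
    hex-escape < > & and the Unicode line separators so that a '</script>' inside
    the data can never terminate the script element.
    """
    literal = json.dumps(s)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def for_url_param(s: str) -> str:
    """Data placed into a query-string value: percent-encode everything."""
    return quote(s, safe="")


def safe_href(url: str) -> str:
    """Link targets: encoding alone does not stop javascript: or data: URLs,
    so allow only absolute http(s) URLs (an allowlist chosen for this example)."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return for_html(url)


def render_safe(name: str, site: str) -> str:
    """Same page as render_vulnerable, with each value encoded for its context."""
    return (
        f'<p>Hello {for_html(name)}</p>\n'
        f'<a href="{safe_href(site)}">Your site</a>\n'
        f'<script>var user = {for_js_string(name)};</script>'
    )


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD, "javascript:alert(1)"))
    print()
    print(render_safe(PAYLOAD, "javascript:alert(1)"))
```

Note that the JavaScript context needs its own encoder: HTML-escaping a value and then dropping it inside `<script>` leaves `&lt;` literally in the string, while a raw `</script>` would end the block. Template engines that auto-escape only handle the HTML body context; attribute, script and URL contexts still need the explicit choices above.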
28 Sites to Legally Practice Your Hacking Skills
When learning application security, it’s crucial that you get a taste of the “dark side” in order to be more effective as a builder and defender. Once you’ve learned the basics of AppSec, it’s time to try your hand at attacking the kind of applications you write. Without understanding how attackers really work and the common entry points they use, and seeing for yourself how it’s done, it’s hard to see your code as anything other than what you intended it to be. But that’s not how attackers think…
Application security is a moving piece of the security puzzle, and staying up-to-date with appsec news and research is going to be important as you get more involved in security at your organization. To make sure you know what’s going on, so that you don’t miss the next Heartbleed or Shellshock, follow the security blogs we listed in this article.
Videos & Presentations:
Offered as part of one of MIT’s Computer Science classes, this presentation is a great high-level overview of the importance of web application security, with examples of the most prevalent security issues and how to keep them out of your own code.
This talk, given by Michael Coates (@_mwc), who is now the Trust and InfoSec Officer at Twitter, dives into security issues all developers will see in their lifetime and shows you how attackers will use those vulnerabilities to hack your site or application. It’s a highly informative talk and gives a great lesson in using WebGoat, OWASP’s own deliberately vulnerable web application.
In this talk, OWASP board member Eoin Keary (@EoinKeary) attempts to answer the question “Why are we still happy with ‘testing security out’ rather than the superior ‘building security in’?” It’s an interesting topic, especially if you’re not familiar with the different security techniques, such as pen testing, that the two approaches rely on.
If you’re not quite sure how security is done in your organization, Eoin offers a look at the old, traditional way of manual testing late in the SDLC as well as the modern way of application security, which, you guessed it – involves developers helping integrate security earlier in the SDLC by learning secure coding practices. Slides to Eoin’s presentation can be found here.
Unfortunately, the channel hasn’t been updated in a few years, but the content and topics covered, such as SQL injection, XSS, and the importance of using HTTPS, are still relevant today. The first episode is a primer for the series and for what application security is all about. If you learn best through videos, this channel is a great place to start on the fundamentals of application security.
Developing mobile apps? You’ll want to watch this hour-long presentation on recent research and secure techniques against the most common attacks to mobile apps. Given by Carnegie Mellon University professor Norman Sadeh, this talk is chock full of interesting tidbits on the world of mobile applications and the importance of keeping them secure.
Another great resource for developers coding mobile apps, this OWASP presentation paints ‘the big picture’ in terms of what attackers are going after and why, and offers pointers to defend the code you worked hard to create.
This talk was given at DEF CON 17 by Joseph McCray (@j0emccray), who was a network pentester at the time and is now CTO at Secure Ninja. It’s an extensive look at SQL injection in various environments and how to deal with the different types of this nasty yet entirely avoidable security bug. Joseph’s an entertaining speaker, making the talk fun and informative at the same time, which is the best way to learn about application security.
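The reason SQL injection is “entirely avoidable” is that the fix is mechanical: never splice untrusted data into the SQL text; bind it as a parameter so the database treats it as a value, and for the parts of a statement that cannot be bound (table and column names) use an allowlist. The example below is added for this post and is not code from Joseph’s talk. It uses Python’s bundled `sqlite3` with a constructed in-memory `users` table, shows a tautology and a UNION payload succeeding against the concatenated query and failing against the parameterized one, and handles the `ORDER BY` column case that parameters alone do not cover.

```python
import sqlite3

# Identifiers can't be bound as parameters, so sort keys go through an allowlist
# (names chosen for this example).
ORDER_COLUMNS = {"username": "username", "id": "id"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug: user input becomes part of the SQL text."""
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the same query with the value bound as a parameter.
    The driver sends the input as data, so quotes and comments in it have no
    syntactic meaning; a tautology payload simply matches no username."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Dynamic ORDER BY: map the request onto a fixed set of column names and
    reject anything else, instead of trusting the caller's string."""
    column = ORDER_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()


# Two constructed attacker inputs: a tautology that returns every row, and a
# UNION that pulls password hashes into the result set ('--' comments out the
# dangling quote from the original query).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash, is_admin FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union:    ", find_user_vulnerable(conn, UNION_DUMP))
    print("safe, tautology:      ", find_user_safe(conn, TAUTOLOGY))
    print("safe, union:          ", find_user_safe(conn, UNION_DUMP))
    print("sorted:               ", list_users_sorted(conn, "username"))
```

The same pattern holds for every database driver: `?` or `%s` placeholders with a separate argument tuple, never string formatting, and an allowlist for identifiers, `LIMIT` values and anything else the placeholder syntax cannot express.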
If you’re on a DevOps team, this video is for you. James Turnbull (@kartar), CTO at Kickstarter, offers a primer on how to get along better with the security team. DevOps environments can seem impossible to control, but given the right tools and strong collaboration between the DevOps and security teams, securing your applications can be done right. James gives an entertaining look at how to do it in your own organization.