Security-SDLC integration resources

There are 2 ways of constructing a software design

Software development processes

Worth a good look: Lessons Learned in Software Testing (~$27 from Amazon) is recommended reading for sentient software testers plus project managers and IT auditors. Read our book review here.

Worth a good look: The Tasmanian Government’s project management guidelines are strong on project governance and control, and are well worth a look.

New hot: OWASP’s WebGoat is a deliberately insecure web application designed to teach web application security through a series of 25 hands-on lessons. The underlying code can be examined to gain a better understanding of the vulnerabilities. OWASP has other resources and courses to help developers understand the nature of web hacks in order to code more securely.

Hot stuff! If your organization develops software, especially mission-critical software, your business analysts, project managers and developers should all be well aware of information security. In fact, information security should be an integral part of the development process. This guideline from the US Department of Justice is an excellent example of how information security should be taken into account at every stage of the system development lifecycle. Some other development methods refer to information security but seldom in such a comprehensive fashion.

A bold plan by Britain’s National Health Service has seen billions of pounds expended to date on an ambitious IT system, the National Programme for Information Technology (NPfIT). As is so often the way with huge politically-motivated IT strategies, the programme slipped and overspent and the quality or suitability of the system was in doubt. An unreliable IT system that cannot be trusted to manage patient data and puts lives at risk could certainly be considered a security risk. Read this comprehensive dossier compiled by a group of 23 outspoken academics and journalists to judge for yourself.

NIST Special Publication 800-64 explains Security Considerations in the Information System Development Life Cycle.

“Scope creep - stage three of the standard software development model” (from The Devil’s Infosec Dictionary)

The Information Security Forum’s Standard of Good Practice has some good advice in the software development section (and elsewhere for that matter!).

Secure software development by example in IEEE’s Security & Privacy magazine is a handy overview of security’s role in the systems development lifecycle.

Trac is a collaborative/open source project developing the use of Wikis to manage IT changes. The idea seems attractive for organizations whose software developers have the professionalism and integrity to keep the Wiki updated and in line with their development activities.

It has been estimated that it is about 200 times more expensive to fix a problem when an IT system is in Production compared to fixing it at the requirements analysis step during Development. The factor falls to about 4 for small IT projects but can exceed 500 for very large projects. Even if these figures are only vaguely close to the truth, the implications for quality assurance processes in IT development are crystal clear, as are the benefits of splitting massive projects into discrete sub-projects.

Secure coding practices and tools

Best Practices for Secure Development is a little old but the advice is still sound. “Inasmuch [sic] as a software project does not start with coding, building security into an application does not start by implementing security technologies. We will suggest an approach recommended by the existing risk management and software building practices.” The paper goes on to discuss security aspects up to implementation, stopping short of security operations, controls maintenance and security aspects of end-of-life system retirement/replacement.

SecureCoding.org promotes an O’Reilly book of the same name published in 2003. A mailing list is also available.

Build Security In (BSI) is an interesting initiative from the US Department of Homeland Security (DHS) and Carnegie-Mellon University’s Software Engineering Institute (SEI) to help software developers produce more secure code, offering source code analysis tools, advice on data integrity checking and so on. Well done to BSI for sharing this with the wider community.

An international project team has constructed and released a scheme for classifying security threats to web applications with the stated intention of promoting an ‘industry standard terminology’. Whether or not this aim is met, the table of threat types also makes a useful checklist for application designers, security architects and testers to make sure they have taken due account of all the most likely forms of threat. The Microsoft developers’ security site carries plenty of advice including threat modelling - a structured way to determine the threats that may apply to your applications.

Whereas we normally emphasize the importance of human factors in information security, application testing is one area where technical security measures are relatively underdeveloped. Manual testing is tedious, slow and error prone, but still necessary. Automated testing reduces the tedium and increases the coverage. The combination of a good test suite in the hands of experienced security testers is unbeatable. Wikto is a free web application security scanner. SPI Dynamics offers a free 15-day trial version of their web application security tool WebInspect. Security testing web applications is a difficult task - automated testing tools reduce the tedium and make more detailed and sophisticated testing possible. Appscan from Watchfire is another application security test tool, and Cenzic is another. Acunetix web vulnerability scanner is a tool to test the security of your website by simulating common attacks such as cross site scripting, SQL injection and more. Identify vulnerabilities in your web applications off-line before the on-line hackers do their worst!

SPI Dynamics supplies a range of application testing tools and has a useful collection of white papers about software quality and other bug-related issues.

A review of ‘source code assessment tools’ in Secure Enterprise magazine focused on 12 products designed primarily for locating security vulnerabilities.

Here’s a C source code analyzer.

Nevertheless, if you are testing web application security manually, try this checklist of simple things to check.

The New Zealand Herald’s Willy Trolove wrote a brilliant parody of a typical bank’s promotion of Internet banking as ‘almost completely safe’, complete with get out of jail free clauses. It’s a good reminder about the difficulties of balancing the benefits of information security controls against the practical costs for system users.

Cross Site Scripting (XSS) involves vulnerabilities in the ways dynamic data are passed between browser and webserver.


Related NoticeBored links collections

Bugs!, change management and database security


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd.