Thursday, January 5, 2012

How Can Developers Secure Their Code?

5 Application Security Tips

Over the last 30 years, many organizations have done an amazing job of automating their business, resulting in productivity gains, efficiencies and innovations.

Unfortunately, the threat landscape has changed dramatically during this time. A lot of that application code, written without security in mind decades ago, is still the heart and soul of many enterprises. It was designed for a world in which computers could not be reached remotely.

Since then, it has been wrapped, integrated, connected, ported and, most importantly, exposed. That application code is not strong enough to withstand today's threats.

OWASP has a number of free and open-source resources that developers can use right now to help secure their code.

5 Tips for Developers

Start with the OWASP Top Ten - This awareness document will help you understand, identify, and fix the most critical application security risks quickly.

Get hands-on with WebGoat - WebGoat is a deliberately flawed application that is riddled with holes to give people the opportunity for hands-on learning. It is open-sourced to help developers and security testers get experience with real vulnerabilities.

Leverage the OWASP Cheat Sheets - This is a fantastic series from leading experts globally. Let me know what you think of the Cross-Site Scripting Prevention Cheat Sheet, one of OWASP's most popular pages.

Verify Your Applications - There is no substitute for getting real facts about the security of your application portfolio. The OWASP Application Security Verification Standard (ASVS) gives you a checklist of requirements to verify against, and tools like OWASP ZAP and CSRFTester help with the scanning and testing; code review covers what the tools cannot see.

Get Training - Perhaps the hardest thing about application security is that there are so many different ways that software can fail, particularly when it is targeted by a motivated attacker. Training is the quickest way to get developers started on securing their applications.

If instructor-led training isn't possible, eLearning solutions are available to allow developers to learn on-demand and get hands-on, practical experience with vulnerabilities, security controls and real code. Training is a remarkably effective way to reduce vulnerabilities.

Before you trust your business to application software, make certain that the people who are writing your code know how to defend your business and its assets. It's time to learn.
