As organizations and teams shift security left, developers and architects take on more responsibility for building secure systems from the outset. But what's the first move for developers (aside from the important cultural shift that needs to happen throughout the organization)? Where should developers look to learn security basics and best practices, or to check that their existing security knowledge is strong enough?
Many “secure coding” resources and training courses are actually more focused on ethical hacking and penetration testing—disciplines that are fairly separate from software development. Do the developers on your team have the time to learn a whole new technical field?
The resources below are not for people making a career shift to application security engineering. Rather, this list is a starter kit for developers who want to get better at writing code more securely the first time around—to catch vulnerabilities before the code goes to production.
Here's TechBeacon's security guide for developers, covering topics ranging from fundamental security principles, key security risks, and secure code delivery to threat modeling and defensive coding. There is also a list of mostly free security training courses for developers.
Application security (App Sec) fundamentals: A good starting point
The Basics of Web Application Security
This article on web security basics, by Cade Cairns of ThoughtWorks and Daniel Somerfield of New Relic, identifies eight security considerations when building web apps, from handling unexpected form input to protecting user sessions, and how to address each.
Security and Identity — Google's Web Fundamentals
This article on the Google Developers' Web Fundamentals site helps you understand and implement HTTPS and Content Security Policy (CSP). You'll also learn how to detect whether your site has been hacked and what to do about it.
What should every programmer know about security?
The responses to this question posted on Stack Overflow give you a good list of key security principles, with links elaborating on some of them. These principles include "never trust any input," "fail securely," "use defense in depth," "adhere to the principle of least privilege," and "use threat modeling." Answers also include lists of books and training courses. The top answer is fairly recent, with subsequent answers ranked by popularity so you don't waste time on things the community doesn't think are worthwhile.
Security by Design Principles — OWASP
The Open Web Application Security Project (OWASP) community created this resource so that architects and solution providers could get the guidance they need to produce secure applications at the design stage. It takes key security principles, defines them, and gives examples. You'll learn ten principles in total, including "minimize attack surface area," "fail securely," and "avoid security by obscurity."
Writing Secure Code
This often-recommended classic book was written by Microsoft security engineers Michael Howard and David LeBlanc. Along with secure coding techniques, the book covers threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. Jim Bird, CTO at BIDS Trading Technologies, says that while the book is 15 years old, "the fundamentals of software security don't change."
Key security risks and how to fix them
The OWASP Top 10
The OWASP Top 10 lists the most common security risks in web applications, according to surveys of the security community. While some developers may be tired of hearing about the Top 10, there's a good reason security experts consider it one of the most important secure coding resources. "There are still more devs that do not know what the OWASP Top 10 is versus those that do know it," says Chris Romeo, the founder of Security Journey, a developer security training consultancy. "The OWASP Top 10 is the most foundational application security resource, so every developer shouldn't just be familiar with it; they also need to understand and apply it." The list was updated in 2017, but its contents haven't changed much in over a decade, and that is exactly the point: there's little sense in worrying about obscure zero-day flaws if you're still not blocking SQL injection, session hijacking, or cross-site scripting (XSS).
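To make the principles from the Stack Overflow thread above ("never trust any input," "fail securely") and the usual Top 10 suspects concrete, here is an added example that is not from the article or from any of the resources it lists. It runs against an in-memory SQLite database; the users table, the "admin" and "alice" rows, and every function name are constructed for illustration. Each vulnerable function sits beside its hardened form so you can see the injection succeed, the payload get neutralised, and an exception path grant access when the code fails open.

```python
"""Added example: SQL injection, reflected XSS and fail-open vs. fail-closed
authorization, shown as vulnerable/hardened pairs in plain Python.

Everything here (table, rows, function names) is an assumption made for
illustration, not code from the TechBeacon article or any listed resource.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("alice", "hunter2", 0)],
    )
    return conn


# --- "Never trust any input": SQL injection, concatenated vs. parameterized --

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """String concatenation lets the caller rewrite the query.

    name = "admin' --" turns the WHERE clause into  name = 'admin' --...
    and SQLite discards the rest of the line as a comment.
    """
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters are always treated as data, never as SQL syntax."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


# --- "Never trust any input", again: reflected XSS, raw vs. encoded ----------

def greeting_vulnerable(name: str) -> str:
    """Untrusted text dropped straight into HTML becomes markup."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Output encoding for the HTML text context neutralises tags and quotes."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- "Fail securely": an error must end in denial, not in access -------------

def is_admin_fail_open(conn: sqlite3.Connection, name: str) -> bool:
    """Anti-pattern: the default is 'allowed' and any exception keeps it.

    An unknown user makes fetchone() return None, row[0] raises TypeError,
    the except swallows it, and the function returns True.
    """
    allowed = True  # assumed-permissive default: this is the bug
    try:
        row = conn.execute("SELECT is_admin FROM users WHERE name = ?", (name,)).fetchone()
        allowed = bool(row[0])
    except (sqlite3.Error, TypeError):
        pass
    return allowed


def is_admin_fail_closed(conn: sqlite3.Connection, name: str) -> bool:
    """Deny by default; only a successful, explicit lookup can grant."""
    try:
        row = conn.execute("SELECT is_admin FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error:
        return False
    return row is not None and row[0] == 1


if __name__ == "__main__":
    db = build_db()
    print("injection against vulnerable login:", login_vulnerable(db, "admin' --", "x"))
    print("same payload against safe login:   ", login_safe(db, "admin' --", "x"))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
    print("unknown user, fail-open check:  ", is_admin_fail_open(db, "nobody"))
    print("unknown user, fail-closed check:", is_admin_fail_closed(db, "nobody"))
```

The fail-open function is the subtler of the three: nothing in it looks like an injection, yet a missing row (or a database outage) hands out the highest privilege. Treat "what does this return when the lookup throws?" as a standard code-review question.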
The OWASP Top 10 Mobile Risks
OWASP also has a Top 10 list for mobile-specific security risks. Click on the text in the green boxes for threat agents, attack vectors, security weaknesses, technical impacts, and business impacts for each risk. Many of the risks come from not using the platform security features and controls available in Android and iOS. Mobile security requires its own unique line of research, so in addition to reading these resources, make sure to do your homework for your specific situation.
24 Deadly Sins of Software Security
Written by Microsoft's Howard and LeBlanc, with John Viega, CEO of Capsule8, this book focuses on the usual suspects when it comes to security flaws in your code. You'll recognize some from the OWASP Top 10, but the authors include several common flaws that aren't in the Top 10 list.
OWASP Top 10 Proactive Controls
Consider this a key resource for learning how to write secure code. Many resources and training courses focus on showing you how your code can be attacked and telling you what not to do. This is a list of things you should do to secure your code. Bird, of BIDS Trading Technologies, says this is an excellent resource, and the most recent release incorporates substantial community feedback.
Common Weakness Enumeration (CWE)
MITRE Corp.'s Common Weakness Enumeration is a community-developed list of common software security weaknesses. The list includes over 700 weaknesses, which can be browsed through research, development, or architectural-concept views. It's also useful context for developers reading the Common Vulnerabilities and Exposures (CVE) list in the National Vulnerability Database, since each CVE entry is tagged with the CWE that describes its underlying weakness.
The secure coding lifecycle
DevOpsSec
Knowing basic secure coding is great, but you also need to know what tools and processes can ensure that your code stays secure throughout the software development lifecycle. This book by BIDS Trading Technologies' Bird gives you a clear, practical picture of several modern secure-lifecycle tool chains and processes inspired by Etsy, Netflix, and other technically strong, highly successful companies. Bird also recommends bookmarking this poster that he helped write on the secure DevOps tool chain and secure web application technologies.
Agile Application Security
This book, by Laura Bell, Rich Smith, Michael Brunton-Spall, and Jim Bird, offers a massive expansion on the topics in DevSecOps that prepares you for many technical and organizational challenges you'll encounter while building secure software, such as security requirements, secure design, security culture, security testing, and secure coding.
OWASP Code Review Project
Code reviews are an important step in catching security vulnerabilities before your code moves forward in the delivery pipeline. Learning how to look for vulnerabilities will improve developers' chances of never writing them in the first place.
Threat modeling for developers
How I learned to stop worrying (mostly) and love my threat model
Threat modeling is something that even nontechnical folks in your organization can figure out. Sean Gallagher, security editor at Ars Technica, wrote this easy-to-understand article about threat modeling so that everyone can get on the same page when it comes to figuring out the biggest risks to your software. While the OWASP Top 10 is great for general concerns, your application's specific top risks may be different.
OWASP Application Threat Modeling
OWASP offers a comprehensive technical resource on threat modeling. The three high-level steps in its process for threat modeling are:
- Decompose the application.
- Determine and rank the threats.
- Determine countermeasures and mitigation.
The guide dives into each of these steps so that you can adapt them to your own threat modeling sessions. The OWASP threat modeling cheat sheet is also worth a review. Johanna Curiel, a security developer and evangelist in the banking sector, recommends OWASP's scores of cheat sheets that cover a range of security topics, including the secure software lifecycle, PHP security, iOS security, Android security, XML security, SAML security, and more.
Developer-Driven Threat Modeling
This article by Danny Dhillon, a principal security engineer at EMC, explains why developers need to lead the threat modeling process. He describes EMC's unique approach to threat modeling and why that process had to be usable even by software engineers who lack security expertise.
Threat Modeling for Applications
Adam Caudill, a security consultant and researcher, shares a simplified threat modeling process example that's quick and easy to define and document.
Defensive coding (as it relates to security)
Defensive Programming
Defensive programming isn't necessarily a secure coding practice. Its general purpose is to make code more resilient in the face of unexpected behavior, but it's something developers should definitely understand if they want to ensure that their code is resilient toward attacks as well. This introduction to defensive programming reviews the history of the term, examines disagreements about the definition, gives an archetypal example of defensive programming that occurs in most C programs, and even discusses problems with defensive programming.
The Defensive Coding Guide
This technical guide to defensive programming includes examples in C, C++, Java, Python, Shell/Bash, Go, and Vala. The guide, from Red Hat, also includes tutorials and examples for eight programming tasks and instructions on how to implement security features such as authentication and authorization, Transport Layer Security (TLS), hardware security modules, and smart cards.
The Secure Coding Guide
While Apple aims this resource at iOS and macOS developers, a lot of the information and advice is universal. Some of the sections cover elevating privileges safely, avoiding common security vulnerabilities, designing secure UIs, and writing secure helpers and daemons.
The Art of Defensive Programming
Diego Mariani, a software engineer at language-learning site Busuu, compiles several old and modern ideas about defensive programming into a quick post with PHP examples. He compares defensive programming to defensive driving—the assumption that others around you are going to make mistakes, and you should prepare for that. The article covers key points in secure defensive programming such as SOLID principles, testing, and not reinventing the wheel.
General security training and courses
SAFECode
SAFECode is a treasure trove of security resources that includes free online training, a guide to tactical threat modeling, secure development guidelines, and a blog. The training modules cover the security development lifecycle, system hardening, secure cloud development, and other topics. SAFECode includes many free, high-quality resources, and its Fundamental Practices for Secure Software Development document was recently updated.
Cyber Security Base
This free online course is a great starting point for learning secure coding. It starts out with basic cybersecurity concepts and common web app vulnerabilities, then moves into vulnerability discovery, mitigation, and creation. From there it moves on to advanced topics such as secure architecture, network security, cryptography (don't roll your own), penetration testing, and capture-the-flag (CTF) games. The course includes quizzes and assignments for each section, and all code examples are in Java (although you can do the assignments in the language of your choice).
SEI CERT Coding Standards
Carnegie Mellon University's Software Engineering Institute (SEI) gathered these useful rules and recommendations that reflect current thinking in the secure coding community. You'll probably find some errors and incomplete resources here, since this is an ongoing project (you'll run into incomplete resources at OWASP.org, too). Check out the secure coding standards for C, C++, Java, Perl, and the Android platform, and be sure to read the Top 10 Secure Coding Practices.
Cybrary
This open-source, crowd-sourced platform for security training and certification preparation also has virtual labs and other resources to get you ready for certifications such as CompTIA, CISA, CISM, and CISSP, as well as compliance topics such as HIPAA and PCI DSS. The content is free, but it includes vendor-provided materials and advertising from a large group of security tool vendors.
Open Security Training — Intro to Secure Coding
Inspired by OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is an open-source, Creative Commons-licensed website filled with training materials for one-day classes on various computer security topics. You'll find a primer on secure coding strategies, along with many other topics; games; and a list of external resources. The training includes introductions to vulnerability assessment, secure code reviews, cryptography, software exploits, and more.
Computer Systems Security — MIT Open Courseware
One of the surest ways to get a foundation in security is to take a college course such as this general one from MIT. The syllabus covers threat models, common exploits, network security, authentication, mobile security, security economics, and more. While the academic approach to security isn't for everyone, practical training pays off only once you have the fundamentals down. You'll find similar security courses at Harvard edX, Stanford Online, and Coursera.
SANS
The SANS Institute is similar to OWASP, but the security topics it covers go beyond just the developer audience. The site has free resources for developers and many fee-based training courses, including a program aimed specifically at building security awareness in developers from the ground up.
My experience with developer security training
Before you or your manager decides to mandate or pay for any developer security training, read this article by Robert Auger, co-founder of the Web Application Security Consortium. It tells you how to spot crappy training and how to build a training plan that developers will remember and appreciate.
More resources to start learning secure coding
If you're looking for active communities of security engineers and developers who are interested in security, visit the NetSec subreddit, and get your questions answered at the Information Security StackExchange. If you're just starting your research into secure coding, the NetSec students subreddit is good reading, as are the NetSec and NetSec-students "getting started" wiki pages.
If podcasts are your thing, listen to this conversation with Contrast Security vice president of engineering Steve Feldman, who discusses how developers can build awareness of patterns and defects that can lead to security vulnerabilities. Finally, for an ongoing podcast series about security in software engineering, listen to the security-tagged episodes of the Software Engineering Daily podcast. It publishes a security episode about once every month.