I make no secret of the fact that my first interest in security is around the online product side of things. It is so easy to get completely wrong, and the same old lessons are continually being relearnt. I used to take a smug satisfaction in showing developers how easy it could be to find the flaws in their code. Latterly, it’s frustration, because I still see the same errors being made and I still find a reluctance within development groups to make use of some of the excellent resources there are online that serve to educate and help solve the problems.
Here are the best ones:
OWASP at www.owasp.org. Still the number one product security resource. Continually updated and loads of useful projects in progress.
Foundstone’s free tools and resources at http://www.foundstone.com/us/resources-free-tools.asp. The old HackMe Bank application is joined by a variety of others that enable developers to learn about security across a variety of platforms. Essential resources, and free!
Microsoft Application Security Developer Center at http://msdn2.microsoft.com/en-gb/security/default.aspx. If you’re developing using Microsoft toolsets and not making use of this resource then you are a fool goddammit! I’m also a big fan of the Threat Modelling tool (see my blog from earlier in the year). Yes, it’s time consuming to get it right, but then so is fixing security holes.
Don’t get me wrong, I’m not saying that any of these resources are the solution to online security problems. The writing of the code is but one part of a process that begins with a product being defined and scoped and business analysis being performed. Security needs to be baked in from the start. There’s much more about this in the excellent book “The Security Development Lifecycle” (Microsoft Press, ISBN: 978-0735622142).
Anyway, even the best of us can make daft code errors… some years ago, whilst working within a large web development team, I noticed that somebody had left in some debug code that displayed the complete database connection string, including password, on the web page. Worse still, the code had already been deployed to the production web server. I initiated an investigation and performed an audit of the SourceSafe records, only to find that the offending debug code was, in fact, mine…