Tangible Bytes

A Web Developer’s Blog

Infosec for Web Developers

The web is not secure enough. Every day we hear stories of sites being hacked, businesses and lives ruined.

As an industry we have to do better.

First we need to study common issues, security standards and processes.

It also helps to try a little ethical hacking to see things from the other side.

Start here

We should all be familiar with the OWASP top ten which is a great starting point for being aware of the most common issues.

Every developer needs to read this list on an annual basis - and make sure there aren’t any surprises there.

Detailed Rules

OWASP Application Security Verification Standard

Even if your company doesn’t use this standard - I think it’s a great place to learn what good practice looks like.

If you are a security conscious developer you will likely run into situations where you run into conflict with someone who wants to meet a business need or a deadline - in which case it really helps everyone oif you can supply a strong reference and not just your opinion.

That way the business can make an informed decision (which won’t always be to do the secure thing)

As an example this document has requirement 2.1.5 “Verify users can change their password” (which is in level 1 of the standard)

It references CWE 620 and NIST

This makes for a much easier conversation about adding a security feature.

Going Further

To really build secure apps - you need security built into the heart of the development process

OWASP Software Assurance Maturity Model (SAMM)

The mission of OWASP Software Assurance Maturity Model (SAMM) is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.

You also need to test for security

OWASP Web Security Testing Guide

But this is really going into the realms of teams and managers - something for individual developers to be aware of and to support, but not something you can really do on your own.