Software Development Security - Paiet/Tech-Journal-for-Everything GitHub Wiki

Software Development Security Pt1

  • Best practices during software development
  • Security requirements definition
    • What are my organization's specific requirements?
  • Security testing phases
    • Static code analysis
      • "White box" testing
      • Full code accessibility
      • Automatic testing
      • Manual review
    • Web app vulnerability scanning
      • Looking for common web app vulnerabilities
        • XSS, SQLi, Command Injection, LFI/RFI, directory traversal, data leakage
    • Use interception proxy to crawl application
      • Automated tools
        • Acunetix
        • Burp Suite
        • Nikto
      • Manual testing
        • Manually throwing test strings at web app
    • Fuzzing
      • Attempting to get a program to crash or act unexpectedly
      • Good for finding Input Validation issues
  • Manual peer reviews
    • Pair programming
    • Over-the-Shoulder
    • Pass-Around
  • User Acceptance Testing (UAT)
    • aka Beta testing
      • Leveraging a community of users to find flaws and bugs
  • Stress test application

Software Development Security Pt.2

  • Security regression testing
    • Verifying that new changes made to the app don't introduce any vulnerabilities
      • Patches/fixes may break more than they fix
    • How to reduce regression
      • Change control
      • Version management
        • Git
      • Source code management
  • Input validation
    • Making sure that any input passed to the system by the user is acceptable and only allows expected input types
      • Exclude special characters that can be used to pass arbitrary code
        • <>'";/
      • Can't send 1000 bytes of data when 20 bytes will suffice
  • Secure coding best practices
    • OWASP
    • SANS
    • Center for Internet Security
      • System design recommendations
      • Benchmarks
        • Step-by-Step guides for OS, database, and system configuration
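As an added example (not part of this wiki), the two Pt.2 ideas above combined: input validation that allowlists the expected form of each field and caps its length, plus a security regression suite that keeps every previously rejected input on file so a later change cannot quietly let it through again. The field specs and the regression cases are constructed assumptions for a hypothetical app.

```python
import re
from dataclasses import dataclass

# Characters the notes single out as commonly abused to smuggle code into
# interpreters (HTML, SQL, shells). Used only to explain *why* a value was
# rejected; the actual check is an allowlist of expected input, not a blocklist.
SPECIAL_CHARS = set('<>\'";/')

@dataclass(frozen=True)
class FieldSpec:
    """Expected shape of one input field: an allowlist pattern and a size cap."""
    pattern: str      # regex describing the ONLY acceptable form
    max_len: int      # "20 bytes will suffice" -> refuse anything longer

# Constructed example fields (assumption: inputs of a hypothetical app).
SPECS = {
    "username": FieldSpec(r"[A-Za-z0-9_]{3,20}", 20),
    "zip_code": FieldSpec(r"[0-9]{5}", 5),
}

def validate(field: str, value: str) -> tuple[bool, str]:
    """Return (ok, reason). Length is checked first so oversized input is
    rejected before the regex engine ever sees it."""
    spec = SPECS[field]
    if len(value.encode("utf-8")) > spec.max_len:
        return False, f"{field}: longer than {spec.max_len} bytes"
    if not re.fullmatch(spec.pattern, value):
        bad = sorted(SPECIAL_CHARS & set(value))
        why = f"contains {''.join(bad)!r}" if bad else "does not match expected form"
        return False, f"{field}: {why}"
    return True, "ok"

# Security regression suite: every input that produced a finding in the past
# stays here permanently, so a later "fix" cannot re-open the hole unnoticed.
# (Constructed cases; not findings from any real application.)
REGRESSION_CASES = [
    ("username", "<script>alert(1)</script>"),   # XSS-style test string
    ("username", "admin'--"),                     # SQLi-style test string
    ("username", "../../etc/passwd"),             # traversal-style test string
    ("username", "a" * 1000),                     # oversized input
    ("zip_code", "12345; ls"),                    # command-injection-style string
]

def run_regression() -> list[str]:
    """Return the regression cases that were wrongly ACCEPTED.
    An empty list means validation still blocks every known-bad input."""
    return [f"{f}={v[:30]!r}" for f, v in REGRESSION_CASES if validate(f, v)[0]]
```

Run `run_regression()` as part of change control after every patch; any non-empty result is a regression and should block the release.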