Application Security

This section of the web site provides a list of application security resources. If there are any mistakes or information we should add, please let us know through our Contact Us form. For recent posts regarding this information, see the Recent Posts area below. Look for a complete list of all related posts on the Application Security category page.

Secure Coding

Secure Software Development Methodologies

  • CLASP (Comprehensive Lightweight Application Security Process): Per the CLASP Application Security Process article, “CLASP is a recognized best practices methodology that provides a well-organized and structured approach for integrating security requirements and activities into each stage of the software development lifecycle. CLASP is a reflection of over six years of proven work with client development teams to address security issues, offering templates, guidelines, artifacts and role definitions.” The project is run by OWASP on their CLASP project page.
  • Microsoft Security Development Lifecycle: This is the process that Microsoft came up with to improve the security of their software. For an overview see The Trustworthy Computing Security Development Lifecycle. More in-depth knowledge can be found in a book Microsoft publishes called The Security Development Lifecycle.
  • Cigital TouchPoint: This is Cigital’s secure software development methodology that focuses on risk management, touchpoints, and knowledge.
  • SP 800-64 Rev. 2 DRAFT Security Considerations in the System Development Life Cycle: Although not strictly software related, it covers systems, which usually include a lot of software.

Code Scanners

  • Static
  • Dynamic
  • Fortify, Coverity, Ounce Labs

Certifications/Training

  • SANS GSSP: The GIAC Secure Software Programmer (GSSP) certification is a fairly new SANS offering that focuses on teaching and certifying developers in secure programming. At this point the GSSP certificate is the only certificate that focuses on secure programming for the individual. Most of their current work is on Java but they are looking to expand into C, C++, Perl, PHP, and .NET. See the SANS Software Security Institute for more information.

Books

  • Software Security: Building Security In (Gary McGraw)
