Security steps for developers

Everyone talks about application security but no one does anything about it. Well, no, that was something else - but you get the point. If you've been putting off improving your own secure design and coding skills, here are half a dozen concrete things that you can do today to move yourself along.

1. Order a copy of Michael Howard and David LeBlanc's Writing Secure Code and find time to read it. Get the recently-released second edition. Howard and LeBlanc work at Microsoft, and whatever you may think about the company's security posture overall, they've certainly had the chance to identify all sorts of best practices.

2. If you're doing any database work, learn to identify and avoid SQL injection attacks. Two good white papers on the subject are SQL Injection: Are Your Web Applications Vulnerable? and Advanced SQL Injection in SQL Server Applications.

3. Similarly, if you're doing Web work, learn to identify and avoid cross-site scripting attacks. Cgisecurity.com has a good FAQ on the topic.

4. Subscribe to some of the many security mailing lists out there. NTBugTraq and BugTraq are good starting points. Even if you don't read every message that crosses these lists, skimming them will give you some idea of the sorts of problems that are currently turning up.

5. Sign up for and attend a Microsoft Security E-Learning Clinic. This is another way that you can draw on Microsoft's reservoir of security knowledge to raise your own security awareness.

6. Review the Insecure.org list of the Top 75 Security Tools. You may find something you can use in your day-to-day work, but more importantly, you'll come away with a new appreciation of the sorts of things that might be turned against your applications.
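As an added illustration of item 2 (example code written for this page, not from the article or the papers it cites): the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. A legitimate name containing an apostrophe is enough to expose the defect: the concatenated statement fails because the database cannot separate data from SQL, which is precisely the gap injection exploits, while the parameterized version returns the right row.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def setup_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the caller's input is pasted into the SQL text,
    so the database cannot tell data from code. Returns the email or None."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, name):
    """Hardened pattern: the value travels separately as a bound parameter,
    so quotes or keywords inside it are never interpreted as SQL."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run both lookups on the same input and report what each produced."""
    conn = setup_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:  # the apostrophe broke the statement
        concat = "error: " + str(exc)
    param = lookup_parameterized(conn, name)
    conn.close()
    return {"concatenated": concat, "parameterized": param}


if __name__ == "__main__":
    for probe in ("alice", "O'Brien"):
        print(probe, compare(probe))
```

The same discipline applies to any client library: pass values as parameters and never build statement text from input, regardless of how well-formed that input looks.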

We've reached a point where being aware of application security is no longer optional. While you might not need to know every nook and cranny of the field, you owe it to your customers to understand the broad outlines of software application security, and to know when to seek expert guidance or more information.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.