Security steps for developers
Everyone talks about application security but no one does anything about it.
Well, no, that was something else - but you get the point. If you've been
putting off improving your own secure design and coding skills, here are
half a dozen concrete
things that you can do today to move yourself along.
1. Order a copy of Michael Howard and David LeBlanc's Writing Secure Code
and find time to read it. Get the recently-released second edition. Howard and
LeBlanc work at Microsoft, and whatever you may think about the company's
security posture overall, they've certainly had the chance to identify all sorts
of best practices.
2. If you're doing any database work, learn to identify and avoid SQL
injection attacks. Two good white papers on the subject are SQL
Injection: Are Your Web Applications Vulnerable? and Advanced SQL
Injection in SQL Server Applications.
3. Similarly, if you're doing Web work, learn to identify and avoid
cross-site scripting attacks. Cgisecurity.com has a good FAQ on the subject.
4. Subscribe to some of the many security mailing lists out there. NTBugTraq and BugTraq are good starting
points. Even if you don't read every message that crosses these lists, skimming
them will give you some idea of the sorts of problems that are currently turning up.
5. Sign up for and attend a Microsoft Security E-Learning
Clinic. This is another way that you can draw on Microsoft's reservoir of
security knowledge to raise your own security awareness.
6. Review the Insecure.org list of the Top 75 Security Tools. You may
find something you can use in your day-to-day work, but more importantly, you'll
come away with a new appreciation of the sorts of things that might be turned
against your applications.
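To make item 2 concrete, here is an added example (not from the original post or the papers it cites) showing the pattern to identify, a query built by pasting user input into the SQL text, beside the parameterized form that avoids it. It uses Python's built-in sqlite3 with a constructed in-memory table, so it runs offline; the table and values are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table standing in
    # for a real application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, name, pw):
    # The pattern to identify: untrusted input spliced into the statement.
    # A quote character in the input changes the meaning of the SQL.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, pw):
    # The fix: a parameterized query. The values travel separately from
    # the statement text, so they can never alter its structure.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


def demo():
    conn = make_db()
    # Constructed input containing a quote and a tautology, the classic
    # test string the papers above use to show the flaw.
    tainted = "' OR '1'='1"
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_tainted": login_concat(conn, "alice", tainted),  # True: bypass
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_tainted": login_param(conn, "alice", tainted),    # False: rejected
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The concatenated version accepts the tainted password because the comparison collapses to a tautology; the parameterized version treats the same string as an ordinary, non-matching value.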
We've reached a point where being aware of application security is no longer
optional. While you might not need to know every nook and cranny of the field,
you owe it to your customers to understand the broad outlines of software
application security, and to know when to seek expert guidance or more
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.