Tweet What is it and why should I care? After the last post covering secure the concept of a secure SDLC, this week we’ll look at a specific activity recommended by the various secure SDLC models: threat modeling. From the view of the secure SDLC, this is an activity that takes place fairly early in […]
Tweet What is it and why should I care? Software development has taken an interesting path over the short lifetime of the field. It began as a deeply technical field where only the best and brightest could participate, which is not unusual since it was born out of engineering, a very technical and structured field […]
Tweet What is it and why should I care? This will admittedly be a short post because it’s a pretty simple concept. Here’s the simple idea in bullet form: – Developers are builders of software (and security systems and even documentation sometimes) – There is a need for software & docs – Developers build software […]
Tweet What is it and why should I care? Breaking something (legally, of course) is one of the best ways to learn how it works. Software is no different. Breaking software is sometimes trivial and sometimes extremely complex, but either way is a great exercise. In particular for developers, it forces you out of the […]
Tweet What is it and why should I care? In the last post, I gave some justifications for getting security people into your organization, as well as reasons to have them closely knitted into your team. In this post, I’d like to move the attention to the developers already on your team. Let’s say you’ve […]
Tweet What is it and why should I care? I spend a good bit of time talking about both development and security. I spend a lot of time working with other developers and other security people. There are a precious few that I know of that excel at both development and security. This is a […]
Tweet What is it and why should I care? This is a bit of a follow-up to my last post with a bit of a different viewpoint. In that post, I specifically looked at code reuse from the perspective of creating an internal framework to centralize code related to security functionality. This week, I want […]
Tweet What is it and why should I care? Software reuse is a ubiquitous practice in software development. One study says that “80% of the code in today’s applications comes from libraries and frameworks”. That’s a lot. There is already a lot of research about software reuse and its benefits. While the research exists, there’s […]
Tweet What is it and why should I care? Cross-Site Scripting (XSS) is another issue that is caused because of poor code/data separation. The general issue is that a developer intends the user input to be interpreted as data, but an attacker can manipulate the input to cause the browser to interpret the input as […]
Tweet What is it and why should I care? SQL Injection (SQLi) is an issue that is caused because of poor code/data separation. The general issue is that a developer intends the user input to be interpreted as data, but an attacker can manipulate the input to cause the database to interpret the input as […]