Security for Application Developers
Mandatory Training
Procedures
- Web Application Security Assessment Procedure - Automated security and compliance assessment software for checking web applications for common vulnerabilities. It can be used in test, development and production instances to find all linked pages and to check sites for such vulnerabilities as SQL injection, cross-site scripting and buffer overflows.
- Server Scanning Procedure - Automated vulnerability scanning software for identifying known vulnerabilities on your server.
Training Materials
The biggest threat to UA's network security comes from its public websites and the web-based applications found there. A public website is accessible to anyone who wants to view it, so every application it exposes is part of the attack surface. Vulnerabilities in web applications have inevitably attracted the attention of recreational and criminal attackers, who have devised techniques to exploit them. Attacks on the web application layer now exceed attacks on the network.
Developers can mitigate these risks by becoming educated on the threats to application security and designing applications with security in mind. The following free resources provide both general and platform-specific information.
Other Training Resources
- Microsoft Security Guidance Training for Developers - This clinic presents topics related to the essentials of application security (the importance of application security, security development practices, security technologies and secure development guidelines), threat defense (the need for secure code; defending against memory issues, arithmetic errors, cross-site scripting, SQL injection, canonicalization issues, cryptography weaknesses, Unicode issues, and denial of service attacks) and best practices for writing secure code (secure development process, threat modeling, risk mitigation and security best practices). The emphasis is on generally applicable material, but it includes some demonstrations for Microsoft Visual Basic, Microsoft Visual C++ and C#. Requires online registration.
- Dept. of Homeland Security Approved Secure Software Course - This course covers the secure programming practices necessary to protect applications against attacks and exploits. Topics covered include fundamental concepts of secure software development, defensive programming techniques, secure design and testing, and secure development methodologies. Requires online registration.
UA Presentations
- Web-Raker: Web Application Security (Video presentation) (PowerPoint presentation)
CWE/SANS
- Top 25 Most Dangerous Programming Errors - CWE - Broader than OWASP Top Ten, covering more general concepts
- Web Application Security Assessments - SANS
- Web Application Auditing Over Lunch - SANS
- SANS Top 20 Internet Security Attack Targets - SANS
- Application/Database Security - SANS
OWASP
- Open Web Application Security Project
- OWASP Top Ten - Critical web application security flaws
- OWASP 2010 Top Ten Presentation
- Guide to Building Secure Web Applications
- Web Application Testing (pdf)
- Web Application Penetration Test Checklist (pdf)
- Application Security Testing Procedures and Checklists
- OWASP Video Collection
MSDN Library
- Resource for developers using Microsoft tools, products, and technologies - Information found here will help developers and administrators design and deploy secure .NET Framework applications.
- Improving Web Application Security: Threats and Countermeasures - Guide for designing, building, and configuring secure ASP.NET Web applications
Other Resources
- Web Application Best Practices – UA Confluence
- Secure Coding - CERT
- Application Security Configuration Guides – National Security Agency
- List of common security concerns for web applications, with a focus on PHP solutions
- WASC Threat Classification
- TEEX Preparedness Campus -- DHS/FEMA Certified Online Training