The following are five key areas to consider when setting up secure application development practices:

  • Security Training: Developers need continuous training in application security. The OWASP Top 10 is a good starting point; it is written for web applications, but most of its recommendations carry over to applications in general. Security training should cover all stakeholders in a project, including business analysts, project managers, architects, developers and testers.
  • Threat Modeling: This is the most important aspect of all. It consists primarily of the following steps:
    1. Threat classification: The six categories below (the STRIDE model) are the key threats to take into consideration:
      • Spoofing identity
      • Tampering with data
      • Repudiation
      • Information disclosure
      • Denial of service
      • Elevation of privilege
    2. Vulnerability identification and prioritization
    3. Identifying and documenting the attack surface (the entry points, trust boundaries and data that an attacker can reach)
  • Secure Coding Techniques: Developers should keep a coding checklist of secure coding standards and guidelines at hand for quick reference while writing code.
  • Security Code Reviews: Code reviews are an integral part of delivering high-quality code. Several techniques can be used, including the following:
    1. Manual code review: With a secure code review checklist listing the security areas to look for, and a developer with security awareness, the team can perform a security-focused manual review of the code.
    2. Automated code review: Tools such as Sonar can be used to automate code review. The key is to identify the security-related rules that will be checked on every run; in tools such as Sonar these can be configured as rules, and non-conformance against them tracked on every run.
  • Security Testing: Security test cases must cover a range of scenarios beyond the happy path; the threats identified during threat modeling are a natural source of such test cases.
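As an added example (not from the original post), here is a small Python threat model that applies the six threat categories listed above to a documented attack surface and ranks the results, covering the classification, prioritization and attack-surface steps together. The entry points, their attributes and the severity weights are constructed for illustration; real weights come from the team's own risk assessment.

```python
"""Added example: STRIDE-style threat classification and prioritization over
a documented attack surface. Entry points and weights are constructed."""

from dataclasses import dataclass


@dataclass
class EntryPoint:
    """One item of the attack surface and the properties that drive threats."""
    name: str
    authenticated: bool      # caller must prove identity before use
    writes_data: bool        # can change persistent state
    audited: bool            # actions are logged with actor and timestamp
    sensitive_data: bool     # handles credentials, PII or other sensitive data
    internet_facing: bool    # reachable from an untrusted network
    privileged: bool         # code path runs with elevated rights


# STRIDE category -> (rule deciding whether it applies, base severity 1-5).
# Severities are an assumption for illustration, not a standard scale.
STRIDE_RULES = {
    "Spoofing identity":      (lambda e: not e.authenticated, 4),
    "Tampering with data":    (lambda e: e.writes_data, 4),
    "Repudiation":            (lambda e: e.writes_data and not e.audited, 2),
    "Information disclosure": (lambda e: e.sensitive_data, 5),
    "Denial of service":      (lambda e: e.internet_facing and not e.authenticated, 3),
    "Elevation of privilege": (lambda e: e.privileged, 5),
}

# Constructed attack surface for a hypothetical web application.
SAMPLE_SURFACE = [
    EntryPoint("POST /login", authenticated=False, writes_data=False, audited=True,
               sensitive_data=True, internet_facing=True, privileged=False),
    EntryPoint("PUT /api/account/{id}", authenticated=True, writes_data=True, audited=False,
               sensitive_data=True, internet_facing=True, privileged=False),
    EntryPoint("cron:nightly-export", authenticated=True, writes_data=True, audited=True,
               sensitive_data=True, internet_facing=False, privileged=True),
]


def classify(entry):
    """Return the STRIDE categories that apply to one entry point."""
    return [name for name, (applies, _) in STRIDE_RULES.items() if applies(entry)]


def score(entry, threat):
    """Priority = base severity * exposure; exposure doubles when internet-facing."""
    _, severity = STRIDE_RULES[threat]
    exposure = 2 if entry.internet_facing else 1
    return severity * exposure


def prioritized_threats(surface):
    """Flatten every (priority, entry point, threat) triple, highest priority first."""
    rows = [(score(e, t), e.name, t) for e in surface for t in classify(e)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for priority, entry, threat in prioritized_threats(SAMPLE_SURFACE):
        print(f"{priority:>3}  {entry:<22} {threat}")
```

The ranked output is the input to step 2 (prioritization): the highest-scoring rows are the ones that must have a mitigation and a test case before release, and each row's entry point is what the attack-surface document should record.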
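As an added example for the automated code review point (not from the original post, and not Sonar's own code or rule format), here is a small Python checker that encodes a handful of security rules over the syntax tree of a module under review, of the kind a build pipeline would run on every commit and fail on. The scanned module and the rule identifiers S01 to S05 are constructed for illustration.

```python
"""Added example: a tiny AST-based security rule set that can gate a build.
The module being scanned and the rule ids are constructed for illustration."""

import ast

# Constructed module under review: four unsafe patterns and one safe query.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

DB_PASSWORD = "hunter2"

def run(cmd):
    subprocess.call(cmd, shell=True)

def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe_find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

SECRET_NAMES = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def _dotted(expr):
    """Dotted name of an expression such as 'subprocess.call'; '' if not a name."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = _dotted(expr.value)
        return f"{base}.{expr.attr}" if base else expr.attr
    return ""


def _kw(call, name):
    return next((k.value for k in call.keywords if k.arg == name), None)


def _is_formatted_string(expr):
    """True for f-strings, '%' or '+' formatting, and str.format(): built-up SQL."""
    if isinstance(expr, ast.JoinedStr):
        return True
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return True
    return isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) \
        and expr.func.attr == "format"


def check_call(node):
    """Rules S01-S04 apply to call sites; return a message or None."""
    name = _dotted(node.func)
    if name in ("eval", "exec"):
        return f"S01 use of {name}() allows arbitrary code execution"
    if name in ("pickle.loads", "pickle.load"):
        return "S02 pickle deserialization of untrusted data"
    if name in ("subprocess.call", "subprocess.run", "subprocess.Popen", "os.system"):
        shell = _kw(node, "shell")
        if name == "os.system" or (isinstance(shell, ast.Constant) and shell.value is True):
            return f"S03 {name} invoked through a shell"
    if name.endswith(".execute") and node.args and _is_formatted_string(node.args[0]):
        return "S04 SQL statement built by string formatting; use parameters"
    return None


def check_assign(node):
    """Rule S05: a string literal assigned to a secret-looking name."""
    for target in node.targets:
        if isinstance(target, ast.Name) and any(s in target.id.upper() for s in SECRET_NAMES):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                return f"S05 hardcoded secret in {target.id}"
    return None


def scan(source):
    """Return sorted (line, message) findings for every rule violation in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        msg = None
        if isinstance(node, ast.Call):
            msg = check_call(node)
        elif isinstance(node, ast.Assign):
            msg = check_assign(node)
        if msg:
            findings.append((node.lineno, msg))
    return sorted(findings)


def gate(source, fail_on=("S01", "S02", "S03", "S04", "S05")):
    """Build gate: True only when no finding carries a failing rule id."""
    return not any(m.split()[0] in fail_on for _, m in scan(source))


if __name__ == "__main__":
    for line, msg in scan(SAMPLE_SOURCE):
        print(f"sample.py:{line}: {msg}")
    raise SystemExit(0 if gate(SAMPLE_SOURCE) else 1)
```

Exiting non-zero when `gate` fails is what turns the rule list from a report into an enforced standard; the parameterised query at the end of the sample is deliberately left unflagged to show that a useful rule distinguishes safe usage from unsafe usage rather than matching on a function name alone.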

Ajitesh Kumar

Ajitesh is passionate about a range of technologies, including programming languages such as Java/JEE, JavaScript, PHP, .NET, C/C++ and mobile programming languages, and computing fundamentals such as application security, cloud computing, APIs, mobile apps, Google Glass and big data.