New Year's Resolutions can be tricky, and advice abounds on how you can do a better job at keeping them. For the sake of this post, I'm assuming you've already made the decision to be better at increasing the security of your applications. With the proliferation of DevOps and Agile style software development, you really have to manage application security as you code because there will never be a "right time" to do it later.
So to help you think about security more often, and earlier, in the software development life cycle, I've put together five simple steps you can take to increase your own knowledge of application security:
- Attend a Local OWASP Chapter Meeting. The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Their mission "...is to make application security visible, so that people and organizations can make informed decisions about true application security risks." OWASP has been around for more than a decade, and boasts over 30,000 participants in the OWASP Community as of the end of 2013. Consider attending a meeting, and getting free pizza in the process.
- Listen to Jeff Williams Talk From AppSecUSA & AppSecCali titled, "Application Security at DevOps Speed and Portfolio Scale" to learn about where the application security industry is going. Application security is learning how to play nice with developers. They recognize that DevOps and Agile style software development systems don’t have time to wait for scans to be scheduled, reports to be run, false positives to be filtered, and remediation advice to be recommended. They need information, and fixes, in the now. They need real-time application security analytics, and Jeff does Bob Ross proud by painting a nice picture of how this can be done realistically.
- Add a 10 Minute Security Update to Your Monthly Meetings. Unsure of where to start? The OWASP Top Ten report is a great place. It talks you through the top potential risks to organizations, not just potential vulnerabilities. It talks you through mistakes people in your development team might be making. Just adding a review of one of them each month would help you get through the list at least once a year. Continuing education pays for itself by fixing vulnerable code and preventing insecure code from ever being written. Reviewing the OWASP Top Ten will also help you keep security as a top-of-mind activity for your developers.
- Take The Secure Analytics Test. Offered by our friends at Aspect Security, Secure Coder Analytics lets you know where you should focus your efforts. Architects, developers, managers, and testers can all gauge where their skill set is strongest, weakest, or totally absent. The Secure Coders Analytics test will help you know fact from fiction by supplanting supposition for science.
- Install and Run Contrast's FOREVER FREE Version to Catch Your XSS Mistakes. Yes, the last item on the to-do list is to download the product we offer. We do that for a couple of reasons, chief among them: You can do this one for FREE. The most prevalent vulnerability in the OWASP Top Ten list is XSS, with estimates in the 70% range for all the vulnerabilities listed in compiled vulnerability reports. When you download, install, and run the Contrast agent, you get unparalleled insight into your running applications.
So, that's the list. If you've found other useful ways to learn and apply application security to your own work, let me know in the comments below.