This document discusses security best practices for software developers. It covers topics like the secure software development lifecycle (SDLC), threat modeling, static code analysis, and resources for developers. The SDLC framework defines the process for building applications from start to finish. Threat modeling involves analyzing potential threats and vulnerabilities. Static code analysis tools can find security issues. Resources recommended include OWASP documentation and Microsoft's security engineering practices. The goal is to integrate security practices such as training, requirements, testing, and incident response into development.
3. SDLC (SOFTWARE DEVELOPMENT LIFECYCLE)
• A Software Development Life Cycle (SDLC) is a framework that defines the process
used by organizations to build an application from its inception to its
decommission. Over the years, multiple standard SDLC models have been proposed
(Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual
circumstances.
4. SDLC PHASES
• Planning and requirements.
• Architecture and design.
• Test planning.
• Coding.
• Testing and results.
• Release and maintenance.
5. SECURE YOUR SDLC ACCORDING TO MICROSOFT
• Provide Training.
• Define Security Requirements.
• Perform Threat Modeling.
• Define and Use Cryptography Standards.
• Follow Best Practices.
• Perform Static Analysis.
• Perform Dynamic Analysis.
• Regularly Pentest.
• Establish Incident Response Mechanism.
Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
13. ATTACK SURFACE REDUCTION
• Part of the process of reducing the attack surface is taking down APIs or functionalities that are no longer needed, following the LEAN engineering principle.
• Threat modelling can also help with scaling down the attack surface.
• Unnecessary logic complexity can lead to security problems in the future.
• Automated Tests (Static and/or dynamic analysis).
• Pentesting your application.
17. RESOURCES?
• Troy Hunt’s OWASP Top 10 for .NET developers
• https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf
• OWASP TOP 10 2017
• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
• Security Engineering Practices
• https://www.microsoft.com/en-us/securityengineering/sdl/practices
18. HOW TO APPLY BEST PRACTICES
• Always check OWASP’s best practices for a given vulnerability.
• Look for OWASP’s library/framework recommendations.
• Don’t trust any default configs. Always double-check them.
• Never trust user input.
• Apply ACLs.
19. HOW DO I KNOW ABOUT NEW 0DAYS?
• Check whether your local CERT offers a newsletter.
• Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html
• Regularly update the libraries/frameworks you’re using.