Software development does not always follow a well-structured process. Some companies give developers more flexibility than others, which often results in critical vulnerabilities and a lot of rework. Therefore, regardless of whether your projects follow agile or waterfall development principles, you should apply a few basic secure software development principles to avoid security loopholes.
The first one is: do not reinvent the wheel!
You may have excellent ideas when it comes to encryption, authentication or authorization, but the risk of a home-grown function in that area is simply too high. Use only standardized, well-reviewed encryption, authentication and authorization frameworks.
The second one is: validate input and output!
Nowadays, application-layer attacks are among the biggest security concerns. By their nature, these incidents are often difficult to detect, because a firewall or intrusion detection system cannot distinguish between a real user and an application-layer attack. Therefore, we should always validate all input, regardless of its origin. We should also check output before sending it to the user.
The third one is: use prepared statements!
Database access is a very attractive target for cyber attacks. Several big players have recently fallen victim to database-related attacks, the so-called SQL injection attacks. If your developers exclusively use prepared statements for database access, the structure of each query is fixed before user data is bound to it, and your application will be robust against this critical attack.
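As an added illustration (not code from the original post), the difference between a concatenated query and a prepared statement, shown with Python's standard sqlite3 module against a constructed in-memory table:

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user data is pasted into the SQL text, so it is parsed as SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the statement is fixed; the value is bound as a parameter."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both variants on the same input and report what each one does."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.Error as exc:
        # The concatenated query became invalid SQL: data was treated as code.
        unsafe = f"SQL error: {exc}"
    prepared = find_user_prepared(conn, username)
    conn.close()
    return {"unsafe": unsafe, "prepared": prepared}


if __name__ == "__main__":
    # A legitimate name containing a quote breaks the concatenated query,
    # while the prepared statement simply returns the matching row.
    print(compare("O'Brien"))
    # A crafted value changes the meaning of the concatenated query,
    # while the prepared statement matches nothing.
    print(compare("' OR '1'='1"))
```

The prepared variant never lets the value alter the query text, which is exactly why it holds up where string building does not.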
The last one is: schedule regular code scans!
Security issues must be eliminated at the root, the source code. Only secure code scans against security standards such as the OWASP Top 10 or the SANS Top 25 will help you identify and eliminate critical issues in your code during software development.
All things considered, the basic best practices mentioned above will move your software development projects toward better security. OWASP also provides excellent background information on secure software development.