Richard Bucker

Secure Software Development Lifecycle

Posted at — May 14, 2014

Justification:

While there are a number of obvious attack vectors for would-be black hats, most are never considered or defended against until there has been an incident. This is not to say that a huge investment is required from day one; as we learned from the copy-protection cat and mouse of the 1980s, that is expensive and has diminishing returns. But if we do a few things up front, at the beginning, we raise the cost for the attacker and so become a less desirable target.

Secure Software Development Lifecycle:

frameworks are good

References:

- salted password hashing: https://crackstation.net/hashing-security.htm
- OWASP cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets
- Twenty-three Evergreen Developer Skills: http://blog.zeusprod.com/2014/02/twenty-three-evergreen-developer-skills.html?m=1
- Google vs Facebook - trunk: http://paulhammant.com/2014/01/08/googles-vs-facebooks-trunk-based-development/
- 7 Habits of Dysfunctional Programmers: http://www.ganssle.com/articles/7habits.htm
- 10 Commandments of egoless programming: http://www.codinghorror.com/blog/2006/05/the-ten-commandments-of-egoless-programming.html
- Only the beginning: http://www.usatoday.com/story/tech/2014/01/13/target-retail-industry-hacks-2014/4460441/
- bad code - silent circle: http://blog.erratasec.com/2013/08/when-did-we-start-trusting-bad-code.html?m=1
- truecrypt: http://volatility-labs.blogspot.it/2014/01/truecrypt-master-key-extraction-and.html?m=1
- managers should code: http://www.drdobbs.com/architecture-and-design/engineering-managers-should-code-30-of-t/240165174
- appliance and framework: http://queue.acm.org/detail.cfm?ref=rss&id=2566628
- removing passwords: http://arstechnica.com/security/2013/12/microsoft-joins-fido-group-hoping-to-replace-passwords-with-public-key-cryptography/
- Intrusion Detection: Support Vector Machines and Neural Networks: http://www.cs.uiuc.edu/class/fa05/cs591han/papers/mukkCNN02.pdf
- Network Intrusion Detection Using Tree Augmented Naive-Bayes: http://www.znu.ac.ir/members/afsharchim/pub/cicics12.pdf
- Falcon: http://www.fico.com/en/
- Good fun with bad crypto: https://intrepidusgroup.com/insight/2014/01/good-fun-with-bad-crypto/
- RBAC with unique URLs and rotating keys, so filtering happens outside the application
- Secure REST: http://blog.cloudfoundry.com/2012/10/09/securing-restful-web-services-with-oauth2/
- tcpdump tutorial: http://www.danielmiessler.com/study/tcpdump/
- ip tcp http: http://www.objc.io/issue-10/ip-tcp-http.html

This is by no means a complete list. It represents my current reading list.