Richard Bucker

Secure Software Development Lifecycle

Posted at — May 14, 2014


Justification:

There are a number of obvious attack vectors available to would-be black hats, yet most are never considered or defended against until after an incident. This is not to say that a huge investment is required from day one; as the copy-protection cat-and-mouse game of the 1980s taught us, that approach is expensive and yields diminishing returns. But if we do a few things up front, at the beginning of the project, we raise the cost for the attacker and become a less desirable target.

Secure Software Development Lifecycle:



References:

Salted password hashing
https://crackstation.net/hashing-security.htm

OWASP cheat sheets
https://www.owasp.org/index.php/Cheat_Sheets

Twenty-three evergreen developer skills
http://blog.zeusprod.com/2014/02/twenty-three-evergreen-developer-skills.html?m=1

Google's vs Facebook's trunk-based development
http://paulhammant.com/2014/01/08/googles-vs-facebooks-trunk-based-development/

Seven habits of dysfunctional programmers
http://www.ganssle.com/articles/7habits.htm

Ten commandments of egoless programming
http://www.codinghorror.com/blog/2006/05/the-ten-commandments-of-egoless-programming.html

Only the beginning (the Target breach and retail hacks)
http://www.usatoday.com/story/tech/2014/01/13/target-retail-industry-hacks-2014/4460441/

Bad code: Silent Circle (when did we start trusting bad code?)
http://blog.erratasec.com/2013/08/when-did-we-start-trusting-bad-code.html?m=1

TrueCrypt master key extraction (Volatility Labs)
http://volatility-labs.blogspot.it/2014/01/truecrypt-master-key-extraction-and.html?m=1

Engineering managers should code (Dr. Dobb's)
http://www.drdobbs.com/architecture-and-design/engineering-managers-should-code-30-of-t/240165174

Appliance and framework (ACM Queue)
http://queue.acm.org/detail.cfm?ref=rss&id=2566628

Replacing passwords: Microsoft joins the FIDO group (Ars Technica)
http://arstechnica.com/security/2013/12/microsoft-joins-fido-group-hoping-to-replace-passwords-with-public-key-cryptography/

Intrusion detection: support vector machines and neural networks
http://www.cs.uiuc.edu/class/fa05/cs591han/papers/mukkCNN02.pdf

Network intrusion detection using tree-augmented naive Bayes
http://www.znu.ac.ir/members/afsharchim/pub/cicics12.pdf

Falcon (FICO fraud detection)
http://www.fico.com/en/

Good fun with bad crypto
https://intrepidusgroup.com/insight/2014/01/good-fun-with-bad-crypto/

RBAC with unique URLs and rotating keys, so that filtering can be done outside the application (note to self, no link yet)

Securing RESTful web services with OAuth2 (Cloud Foundry)
http://blog.cloudfoundry.com/2012/10/09/securing-restful-web-services-with-oauth2/

tcpdump tutorial (Daniel Miessler)
http://www.danielmiessler.com/study/tcpdump/

IP, TCP, HTTP (objc.io issue 10)
http://www.objc.io/issue-10/ip-tcp-http.html

This is by no means a complete list; it represents my current reading list.