Collection of resources on building Secure Development Lifecycle.
TBD
Compiled list of useful tools and resources for each of the phases, derived from the Microsoft SDLC.
The Training phase includes such practices as:
- Core security training

Resources:
- Short read on the main principles for designing secure applications.
- Basics of Web security by Cade Cairns and Daniel Somerfield: "basic practices which every developer can and should be doing as a matter of course".
- The list of the most common threats for web applications.
- A vulnerable website with challenges of different difficulty.
The Requirements phase includes such practices as:
- Establishing security and privacy requirements
- Creating quality gates/bars
- Performing security and privacy risk assessments

Resources:
- OWASP Application Security Verification Standard Project: ready-made requirements for most development tasks.
- OWASP Security Knowledge Framework: a web application that incorporates OWASP ASVS and helps with tracking and following requirements throughout the application lifecycle.
The Design phase includes such practices as:
- Establishing design requirements
- Attack surface analysis/reduction
- Threat modeling

Resources:
- Threat Modeling: Designing for Security ($), a book by Adam Shostack. A classic book on doing it right.
- Microsoft Threat Modeling Tool: a classic tool for drawing the model and enumerating threats.
- An awesome talk on practical threat modeling by Jonathan Marcil, application security engineer at Twitch.
The Implementation phase includes such practices as:
- Using approved tools
- Deprecating unsafe functions
- Performing static analysis

Resources:
- Awesome list of tools for static analysis; it has it all.
The Verification phase includes such practices as:
- Performing dynamic analysis
- Fuzz testing
- Attack surface review

Resources:
- Zed Attack Proxy (ZAP): a free tool for automated dynamic analysis and much more.
- Awesome list on everything regarding fuzzing.
The Release phase includes such practices as:
- Creating an incident response plan
- Conducting a final security review
- Certifying the release and archiving
The Response phase includes such practices as:
- Executing the incident response plan