Every December security companies pull out their list of predictions for the coming year. These predictions are generally bland, and either cite the specific problem the company addresses as the big trend for the next year, or recycle predictions from previous years.
Rather than add to the noise, the Security Research Team at Veracode created a list of resolutions for 2014 that developers could use to help make their code more secure.
I will get to know at least one application security professional. Regularly talking to application security folks when you don’t need things from each other helps you understand why security is asking for seemingly weird stuff, and helps security understand how they impact you.
I will attend a security talk at a conference. Even developer conferences these days usually have a couple of security focused talks. If that’s not in the cards, attend a local OWASP chapter meeting instead.
I will read a recent CVE and take a couple of hours to try and understand it. This will help you understand the impact of application vulnerabilities.
I will learn how to exploit SQL Injection and Cross-site Scripting (XSS). When you understand how the attacks work (and how easy they are), you're better equipped to write code that is safer against them.
I will perform a security code review. This may entail running an automated tool or even learning how to manually spot certain types of security flaws. When you’re able to recognize security anti-patterns in your own code, you’ll be more likely to break those habits.
I will write security unit tests to verify my code is safe. The sooner we treat security testing as a specialized branch of QA testing, the more widely it will be understood and adopted.
One of the best ways to ensure application security is to have better educated developers who understand how to avoid some of the common mistakes that lead to serious vulnerabilities.
Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro and Sophos, where she held roles in corporate communication and marketing.