Every December security companies pull out their list of predictions for the coming year. These predictions are generally bland, and either cite the specific problem the company addresses as the big trend for the next year, or recycle predictions from previous years.
Rather than add to the noise, the Security Research Team at Veracode created a list of resolutions for 2014 that developers could use to help make their code more secure.
- I will get to know at least one application security professional. Regularly talking to application security folks when you don’t need things from each other helps you understand why security is asking for seemingly weird stuff, and helps security understand how they impact you.
- I will attend a security talk at a conference. Even developer conferences these days usually have a couple of security focused talks. If that’s not in the cards, attend a local OWASP chapter meeting instead.
- I will read a recent CVE and take a couple of hours to try to understand it. This will help you understand the impact of application vulnerabilities.
- I will learn how to exploit SQL Injection and Cross-site Scripting (XSS). When you understand how the attacks work (and how easy they are), you're better equipped to write code that is safer against them.
- I will perform a security code review. This may entail running an automated tool or even learning how to manually spot certain types of security flaws. When you’re able to recognize security anti-patterns in your own code, you’ll be more likely to break those habits.
- I will write security unit tests to verify my code is safe. The sooner we treat security testing as a specialized branch of QA testing, the more widely it will be understood and adopted.
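To show what the last two resolutions look like in practice, here is an added example (not from the original post or from Veracode) of security unit tests for the two flaws named above: a tautology string must not widen a lookup, and user-supplied text must come out of a template encoded. The table, users and helper names are constructed for the example; only the standard library is used.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the test fixture.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_concat(conn, name):
    # Anti-pattern: untrusted input is spliced into the SQL text.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # Fix: the input is bound as a parameter, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name):
    # Output encoding: the name is escaped before it lands in HTML.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# Classic tautology input; a correct lookup must treat it as a literal name.
TAUTOLOGY = "x' OR '1'='1"


def rows_returned_for(finder, name=TAUTOLOGY):
    conn = make_db()
    try:
        return finder(conn, name)
    finally:
        conn.close()


def sqli_test_passes(finder):
    # Security unit test: no real user may match the tautology string.
    return rows_returned_for(finder) == []


def xss_test_passes(renderer):
    # Security unit test: a script tag must survive only in encoded form.
    out = renderer("<script>alert(1)</script>")
    return "<script" not in out and "&lt;script&gt;" in out


if __name__ == "__main__":
    print("concat lookup:", sqli_test_passes(find_user_concat))  # False
    print("param lookup: ", sqli_test_passes(find_user_param))   # True
    print("greeting:     ", xss_test_passes(render_greeting))    # True
```

Running the script shows the concatenated lookup failing its test while the parameterized one and the escaped template pass; the same assertions belong in the project's regular test suite so a regression is caught on the next commit.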