I would, at least from what we’ve learned here, use the SANS guidelines to look for not only the general secure coding strategies in the process of app development, but also address what SANS identifies as the most common risks associated with applications development and security. Testing for things like buffer overflow and SQL injection risks, especially testing internally for these vulnerabilities, is the best way to make sure that not only are these practices being followed, but that they are effective at stopping theoretical attacks. Things like “ethical hacking” and other resources can allow organizations to test their applications and systems before deployment to ensure that they are as secure as possible
Leveraging my keen understanding of the OWASP methodology, honed through rigorous academic engagements like this class Protection of Information Assets and the Ethical Hacking course, I am able to more efficiently decipher vulnerabilities compared to using the CERT standard. The comprehensive exposure and practical experience gained from OWASP empower me to provide substantive insights with ease and dexterity. Thus, within a professional context, I consider OWASP a more valuable tool in my repertoire.
Investigating whether a software development team diligently observes secure coding practices necessitates a comprehensive and systematic approach. Commence with an in-depth review of their coding protocol, ensuring they follow industry best standards such as the OWASP Guide or CERT secure coding, both of which prioritize creating software resistant to security vulnerabilities. Personally, I can determine this easily using the OWASP standard than using the CERT standard because we have had good knowledge of OWASP from this class and Ethical Hacking class as well.
Secondly, evaluate their training history. Vetting their experience and training in secure coding can testify to their commitment to implement it effectively.
Thirdly, explore the integration of security in their software development life cycle (SDLC). Are safeguards included from the ideation phase through to testing, maintenance, and updates?
Underlining this is a need for constant communication to ensure that the team retains a security-centered mindset.
Finally, involving an external auditor or using automated testing tools can help in verifying their secure coding proficiency or if they use secure coding practices at all. Automated tools, like static analysis security testing (SAST) or dynamic analysis security testing (DAST), provide an unbiased assessment of potential weaknesses in the code.
Testing tools are a great tip. I find that the best practice to ensure that you’re doing everything you can to prevent threats is to test for the threats you want to prevent. This means that, hopefully, when a real the threat arises, ethical hacking has already anticipated it and created a countermeasure for it
As learned in the SANS reading it is a good practice to employ code reviews and peer-reviews to make sure that the application program has been coded according to the best-established practices. Assuming that the peer-review is a part of application design and development process, reviewing code for Security flaws also should be added to that process.
In the cases where it is humanly impossible to scan the code for flaws, source
code scanners and testing tools can be used.
Hi Marc,
I agree, a combination of code review, adherence to secure coding principles, and the application of specialized assessment tools would form a comprehensive strategy to ascertain the use of secure coding practices by the development team.
To assess whether an application development team is implementing secure coding practices, I would evaluate their current methods against the guidelines outlined in NIST SP. 800-218, which serves as a comprehensive framework for rapid software development. Adhering to these practices is crucial for ensuring that the software developed by a team is effectively safeguarded.
NIST Special Publication 800-218 Secure Software Development
Framework (SSDF) Version 1.1: recommends the following as the yardstick for assessing the secure coding of any software development –
1. Define the Security Requirements for Software Development (PO.1):
2. Implement Roles and Responsibilities (PO.2):
3. Implement Supporting Toolchains (PO.3)
4. Define and Use Criteria for Software Security Checks (PO.4):
5. Implement and Maintain Secure Environments for Software Development (PO.5):
6. Protect All Forms of Code from Unauthorized Access and Tampering (PS.1):
7. Provide a Mechanism for Verifying Software Release Integrity (PS.2):
8. Archive and Protect Each Software Release (PS.3):
9. Design Software to Meet Security Requirements and Mitigate Security Risks (PW.1)
In addition to what NIST indicates I would also include best practices which include peer reviews , which should include reviewing code for Security flaws also should be added to that process. Tools can also be used to scan the code for flaws, and we should of course include testing.
I like how you pointed out NIST as I also would want some kind of framework in my back pocket and the knowledge to know what to do if a incident is discovered, or you can point out and guide the team to show them what do in a situation. Like shown in #1-Define the security requirements for software developments. Good catch Chidi!
I would know if an applications development team was using secure coding practices but using what was covered in this week’s SANS readings but also what came to mind and stood out the most is access control. I would simply run a test to see who has access to what in terms of applications, systems etc. I would pull log and handling reports, what do they say and what incidents have occurred? If there are many flaws that are covered or infrastructure that is not solid, especially in the Develpoment phase, then you will know that they are not following a secure coding practice. In addition to these I would have the frameworks that were covered in this course embedded in your knowledge’s they will help guide you through any test and help mitigate risks if they do come up along the way of your observation.
Hi Jeff,
I would opine that, professional assurance of a development team’s adherence to secure coding practices often correlates to the quality of their access control systems. Detailed examination of log and handling reports is an effective strategy. If an abundance of flaws are detected, particularly during development, it’s clear that secure coding practices have not been correctly followed. SANS readings have been instrumental in opening up the importance of thorough inspection, focusing particularly on access control. Comprehending the frameworks covered in this course facilitates a more effective risk mitigation process during observation periods, which is central to the secure coding procedure confirmation.
To determine if an applications development project team is using secure coding practices, I would start with evaluating the members of the project team. A qualified, experienced Software Engineer who understands the goal of designing an application with an efficient internal structure is ideal. Using sound software engineering principles is fundamental. Bad actors are constantly looking for ways to exploit a system so security cannot take a backseat to innovation. We are simply in a different time where that thinking does not work; the security of applications must be by design opposed to chance. Knowing that designing applications securely is a neglected but critical aspect of a defense in-depth strategy leads me to harp on a SecDevOps approach when building an application. If the project team is not approaching application development from a SecDevOps standpoint then I will know pretty quickly if the project team is utilizing secure coding practices. Oftentimes, I have mentioned SecDevOps since, from my experience, it is clear that security practices should be included in every stage of application development. Drawing a model of the application program illustrating the possible threat vectors is a good place to start when analyzing the project plan. From there, I would continue to analyze best security coding practices by gauging the expectations from good programming practices outlined in my response to question 2. When this project team meets, listening to their approach to security and innovation is key also. If this team is speaking on security and innovation as two competing factors instead of two aspects working together, then I would consider a restructuring of the team for the job based on the organization’s goals.
There are multiple strategies to verify that a development team adheres to secure coding practices. Auditing is a primary method, which can be internal, external, or a combination of both. In internal audits, it’s important that team members who developed the code do not participate in the review process. External audits, ideally conducted by a reputable source with proven auditing experience, are highly beneficial. External auditors, being impartial, can objectively identify poor practices. Moreover, having an external perspective often helps in uncovering flawed, redundant, or missing code elements, contributing to a more robust and secure final product. In my previous workplace, a 3rd party application called Jfrog was utilized as a tool to scan codes for any recognized vulnerabilities. Additionally, it also scanned open-source libraries for malicious code.
I never even thought about having an external perspective. When it comes to external review, I wonder what the contract would look like. If a contract were to be made, I would ensure that external reviewers are bound by non-disclosure agreements so that the risk of disclosing sensitive information would be mitigated.
There are a few ways to assess whether an application development project team is using secure coding practices. Conduct thorough code reviews, checking for input validation, output encoding, and error handling. We should also confirm that they are using industry standards like OWASP and employ automated testing tools in the CI/CD pipeline. Lastly, verifying compliance with privacy regulations and assess the team’s commitment to staying updated on the latest security threats. By considering these factors, you can gauge the team’s overall approach to secure coding practices.
Your comprehensive approach to assessing secure coding practices is insightful, considering the dynamic nature of cybersecurity, how do you think fostering a security-conscious culture within the development team contributes to the consistent application of these practices? Additionally do you have any specific strategies in mind to ensure ongoing education and awareness among team members regarding emerging security threats?
In software development, maintaining secure coding practices is vital to ensure application robustness and data integrity. A key question thus surfaces: How would you determine if an applications development project team was using secure coding practices?
Determining the use of secure coding practices in a project team involves scrutinizing their working methods under a security lens. Initially, the team’s awareness and adherence to a secure software development lifecycle (S-SDLC) is critical. The S-SDLC incorporates security measures; from planning to maintenance, thus embedding a security-centric ethos within the team.
Furthermore, examining the tools and languages the team uses can give insight into their secure coding practices. Modern IDEs, static analysis tools, and certain programming languages offer built-in mechanisms for identifying vulnerabilities and promoting secure coding.
The team’s response to internal and external audits may also be indicative. Regular audits, including vulnerability assessments and penetration testing, can identify coding flaws. Consequently, if the team incorporates findings from these audits to improve their code, it is a positive indication of their commitment to secure coding.
Lastly, secure coding training and certification provide tangible proof of the team’s understanding and practice of safe coding principles.
Michael, I agree wholeheartedly with your analysis. Examining a development team’s adherence to secure coding practices requires a multifaceted approach. The S-SDLC framework provides a foundational security mindset while exploring their development tools and languages, uncovering specific vulnerabilities and certain coding capabilities. Additionally, their response to internal and external audits reveals their commitment to continuous improvement, and evidence of fast coding training and certifications further solidifies their security posture. By combining these approaches, we can assess if a development team prioritizes certain coding practices, ultimately safeguarding application robustness and data integrity.
Simplest way to know is reviewing their coding standards and guidelines as well as reviewing their code, making sure they’re following industry recognized secure coding practices like those outlined by OWASP as well as other security standards and guidelines for which it applies. Analyzing the code itself would be a great way of evaluating it as well but it would definitely turn out to be very time consuming having a third party review another’s code but definitely worth it. Another way can include making sure the team was up to date in their training, knowing all the best practices, new vulnerabilities and what methods needed to be phased out. Security test like code review is useful having a third party attempt to break what has been created letting you know its weaknesses and areas that need improvement or overhaul and is essential to keeping a secure development lifecycle. These are just some examples of how you can determine if a team was using secure coding practices and is not exhaustive some other methods without going further into detail are incident response plans, security documentation, compliance, and dependency scanning.
Hi Alex,
I agree with you that training is essential to ensure secure coding. Nowadays, people are doing the wrong things without realizing it. With training, developers would be able to make changes and learn from their mistakes. Training helps developers to be security conscious; it helps them recognize common threats and secure coding methods which aids in addressing vulnerabilities.
I would have start with questions around application security and what common practices do the development team apply to secure applications during development. If any of the answers given talk high level, like the firewall or network handing security, then security is not the primary concern. While it is a good thing to use the existing security infrastructure during development, that is macro lumping application development with every other app and device on the network. Secure coding addresses micro practices making application development security a more focal point addressing development and security flaws.
To determine if an application development project team is using secure coding practices, I would employ a multi-faceted approach. I would conduct a thorough code review with a focus on specific security aspects:
=>Session Management:
I would examine the code to ensure that the team is implementing secure session management practices. This includes generating a new session after user authentication and setting appropriate session timeout values.
-=>SQL Injection Prevention:
In the review for SQL injection prevention, I would check not only for the use of parameterized queries but also assess whether the team utilizes prepared statements or stored procedures. This comprehensive approach helps fortify defenses against SQL injection attacks.
=>Code Review using OWASP Guidelines
During code reviews, I would refer to the OWASP guidelines and follow recommendations related to the specific vulnerabilities being assessed.
If the code review yields any uncertainties or if I want to ensure a more objective evaluation, I would utilize security assessment tools tailored to evaluate code quality, identify vulnerabilities, and assess compliance with secure coding standards. This additional step provides an objective and automated analysis.
There are various ways to determine if an application development project team is using secure coding practices. Firstly, regular audits should be conducted to ensure compliance. Another method is by scanning the code source with tools for vulnerabilities. Reviewing and interviewing the developers can also help to ensure that they are using secure coding practices.
Yes audits and asking the right questions will easily determine whether not the app development team is using secure coding practices. Some developers do not see security as a priority and then it is taken serious when something happens. They should be done on a regular basis through the development process.
I would, at least from what we’ve learned here, use the SANS guidelines to look for not only the general secure coding strategies in the process of app development, but also address what SANS identifies as the most common risks associated with applications development and security. Testing for things like buffer overflow and SQL injection risks, especially testing internally for these vulnerabilities, is the best way to make sure that not only are these practices being followed, but that they are effective at stopping theoretical attacks. Things like “ethical hacking” and other resources can allow organizations to test their applications and systems before deployment to ensure that they are as secure as possible
Leveraging my keen understanding of the OWASP methodology, honed through rigorous academic engagements like this class Protection of Information Assets and the Ethical Hacking course, I am able to more efficiently decipher vulnerabilities compared to using the CERT standard. The comprehensive exposure and practical experience gained from OWASP empower me to provide substantive insights with ease and dexterity. Thus, within a professional context, I consider OWASP a more valuable tool in my repertoire.
Investigating whether a software development team diligently observes secure coding practices necessitates a comprehensive and systematic approach. Commence with an in-depth review of their coding protocol, ensuring they follow industry best standards such as the OWASP Guide or CERT secure coding, both of which prioritize creating software resistant to security vulnerabilities. Personally, I can determine this easily using the OWASP standard than using the CERT standard because we have had good knowledge of OWASP from this class and Ethical Hacking class as well.
Secondly, evaluate their training history. Vetting their experience and training in secure coding can testify to their commitment to implement it effectively.
Thirdly, explore the integration of security in their software development life cycle (SDLC). Are safeguards included from the ideation phase through to testing, maintenance, and updates?
Underlining this is a need for constant communication to ensure that the team retains a security-centered mindset.
Finally, involving an external auditor or using automated testing tools can help in verifying their secure coding proficiency or if they use secure coding practices at all. Automated tools, like static analysis security testing (SAST) or dynamic analysis security testing (DAST), provide an unbiased assessment of potential weaknesses in the code.
Testing tools are a great tip. I find that the best practice to ensure that you’re doing everything you can to prevent threats is to test for the threats you want to prevent. This means that, hopefully, when a real the threat arises, ethical hacking has already anticipated it and created a countermeasure for it
As learned in the SANS reading it is a good practice to employ code reviews and peer-reviews to make sure that the application program has been coded according to the best-established practices. Assuming that the peer-review is a part of application design and development process, reviewing code for Security flaws also should be added to that process.
In the cases where it is humanly impossible to scan the code for flaws, source
code scanners and testing tools can be used.
Hi Marc,
I agree, a combination of code review, adherence to secure coding principles, and the application of specialized assessment tools would form a comprehensive strategy to ascertain the use of secure coding practices by the development team.
To assess whether an application development team is implementing secure coding practices, I would evaluate their current methods against the guidelines outlined in NIST SP. 800-218, which serves as a comprehensive framework for rapid software development. Adhering to these practices is crucial for ensuring that the software developed by a team is effectively safeguarded.
NIST Special Publication 800-218 Secure Software Development
Framework (SSDF) Version 1.1: recommends the following as the yardstick for assessing the secure coding of any software development –
1. Define the Security Requirements for Software Development (PO.1):
2. Implement Roles and Responsibilities (PO.2):
3. Implement Supporting Toolchains (PO.3)
4. Define and Use Criteria for Software Security Checks (PO.4):
5. Implement and Maintain Secure Environments for Software Development (PO.5):
6. Protect All Forms of Code from Unauthorized Access and Tampering (PS.1):
7. Provide a Mechanism for Verifying Software Release Integrity (PS.2):
8. Archive and Protect Each Software Release (PS.3):
9. Design Software to Meet Security Requirements and Mitigate Security Risks (PW.1)
NIST REF:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
In addition to what NIST indicates I would also include best practices which include peer reviews , which should include reviewing code for Security flaws also should be added to that process. Tools can also be used to scan the code for flaws, and we should of course include testing.
I like how you pointed out NIST as I also would want some kind of framework in my back pocket and the knowledge to know what to do if a incident is discovered, or you can point out and guide the team to show them what do in a situation. Like shown in #1-Define the security requirements for software developments. Good catch Chidi!
I would know if an applications development team was using secure coding practices but using what was covered in this week’s SANS readings but also what came to mind and stood out the most is access control. I would simply run a test to see who has access to what in terms of applications, systems etc. I would pull log and handling reports, what do they say and what incidents have occurred? If there are many flaws that are covered or infrastructure that is not solid, especially in the Develpoment phase, then you will know that they are not following a secure coding practice. In addition to these I would have the frameworks that were covered in this course embedded in your knowledge’s they will help guide you through any test and help mitigate risks if they do come up along the way of your observation.
Hi Jeff,
I would opine that, professional assurance of a development team’s adherence to secure coding practices often correlates to the quality of their access control systems. Detailed examination of log and handling reports is an effective strategy. If an abundance of flaws are detected, particularly during development, it’s clear that secure coding practices have not been correctly followed. SANS readings have been instrumental in opening up the importance of thorough inspection, focusing particularly on access control. Comprehending the frameworks covered in this course facilitates a more effective risk mitigation process during observation periods, which is central to the secure coding procedure confirmation.
To determine if an applications development project team is using secure coding practices, I would start with evaluating the members of the project team. A qualified, experienced Software Engineer who understands the goal of designing an application with an efficient internal structure is ideal. Using sound software engineering principles is fundamental. Bad actors are constantly looking for ways to exploit a system so security cannot take a backseat to innovation. We are simply in a different time where that thinking does not work; the security of applications must be by design opposed to chance. Knowing that designing applications securely is a neglected but critical aspect of a defense in-depth strategy leads me to harp on a SecDevOps approach when building an application. If the project team is not approaching application development from a SecDevOps standpoint then I will know pretty quickly if the project team is utilizing secure coding practices. Oftentimes, I have mentioned SecDevOps since, from my experience, it is clear that security practices should be included in every stage of application development. Drawing a model of the application program illustrating the possible threat vectors is a good place to start when analyzing the project plan. From there, I would continue to analyze best security coding practices by gauging the expectations from good programming practices outlined in my response to question 2. When this project team meets, listening to their approach to security and innovation is key also. If this team is speaking on security and innovation as two competing factors instead of two aspects working together, then I would consider a restructuring of the team for the job based on the organization’s goals.
There are multiple strategies to verify that a development team adheres to secure coding practices. Auditing is a primary method, which can be internal, external, or a combination of both. In internal audits, it’s important that team members who developed the code do not participate in the review process. External audits, ideally conducted by a reputable source with proven auditing experience, are highly beneficial. External auditors, being impartial, can objectively identify poor practices. Moreover, having an external perspective often helps in uncovering flawed, redundant, or missing code elements, contributing to a more robust and secure final product. In my previous workplace, a 3rd party application called Jfrog was utilized as a tool to scan codes for any recognized vulnerabilities. Additionally, it also scanned open-source libraries for malicious code.
Hey Kelly,
I never even thought about having an external perspective. When it comes to external review, I wonder what the contract would look like. If a contract were to be made, I would ensure that external reviewers are bound by non-disclosure agreements so that the risk of disclosing sensitive information would be mitigated.
There are a few ways to assess whether an application development project team is using secure coding practices. Conduct thorough code reviews, checking for input validation, output encoding, and error handling. We should also confirm that they are using industry standards like OWASP and employ automated testing tools in the CI/CD pipeline. Lastly, verifying compliance with privacy regulations and assess the team’s commitment to staying updated on the latest security threats. By considering these factors, you can gauge the team’s overall approach to secure coding practices.
Your comprehensive approach to assessing secure coding practices is insightful, considering the dynamic nature of cybersecurity, how do you think fostering a security-conscious culture within the development team contributes to the consistent application of these practices? Additionally do you have any specific strategies in mind to ensure ongoing education and awareness among team members regarding emerging security threats?
In software development, maintaining secure coding practices is vital to ensure application robustness and data integrity. A key question thus surfaces: How would you determine if an applications development project team was using secure coding practices?
Determining the use of secure coding practices in a project team involves scrutinizing their working methods under a security lens. Initially, the team’s awareness and adherence to a secure software development lifecycle (S-SDLC) is critical. The S-SDLC incorporates security measures; from planning to maintenance, thus embedding a security-centric ethos within the team.
Furthermore, examining the tools and languages the team uses can give insight into their secure coding practices. Modern IDEs, static analysis tools, and certain programming languages offer built-in mechanisms for identifying vulnerabilities and promoting secure coding.
The team’s response to internal and external audits may also be indicative. Regular audits, including vulnerability assessments and penetration testing, can identify coding flaws. Consequently, if the team incorporates findings from these audits to improve their code, it is a positive indication of their commitment to secure coding.
Lastly, secure coding training and certification provide tangible proof of the team’s understanding and practice of safe coding principles.
Michael, I agree wholeheartedly with your analysis. Examining a development team’s adherence to secure coding practices requires a multifaceted approach. The S-SDLC framework provides a foundational security mindset while exploring their development tools and languages, uncovering specific vulnerabilities and certain coding capabilities. Additionally, their response to internal and external audits reveals their commitment to continuous improvement, and evidence of fast coding training and certifications further solidifies their security posture. By combining these approaches, we can assess if a development team prioritizes certain coding practices, ultimately safeguarding application robustness and data integrity.
Simplest way to know is reviewing their coding standards and guidelines as well as reviewing their code, making sure they’re following industry recognized secure coding practices like those outlined by OWASP as well as other security standards and guidelines for which it applies. Analyzing the code itself would be a great way of evaluating it as well but it would definitely turn out to be very time consuming having a third party review another’s code but definitely worth it. Another way can include making sure the team was up to date in their training, knowing all the best practices, new vulnerabilities and what methods needed to be phased out. Security test like code review is useful having a third party attempt to break what has been created letting you know its weaknesses and areas that need improvement or overhaul and is essential to keeping a secure development lifecycle. These are just some examples of how you can determine if a team was using secure coding practices and is not exhaustive some other methods without going further into detail are incident response plans, security documentation, compliance, and dependency scanning.
Hi Alex,
I agree with you that training is essential to ensure secure coding. Nowadays, people are doing the wrong things without realizing it. With training, developers would be able to make changes and learn from their mistakes. Training helps developers to be security conscious; it helps them recognize common threats and secure coding methods which aids in addressing vulnerabilities.
I would have start with questions around application security and what common practices do the development team apply to secure applications during development. If any of the answers given talk high level, like the firewall or network handing security, then security is not the primary concern. While it is a good thing to use the existing security infrastructure during development, that is macro lumping application development with every other app and device on the network. Secure coding addresses micro practices making application development security a more focal point addressing development and security flaws.
To determine if an application development project team is using secure coding practices, I would employ a multi-faceted approach. I would conduct a thorough code review with a focus on specific security aspects:
=>Session Management:
I would examine the code to ensure that the team is implementing secure session management practices. This includes generating a new session after user authentication and setting appropriate session timeout values.
-=>SQL Injection Prevention:
In the review for SQL injection prevention, I would check not only for the use of parameterized queries but also assess whether the team utilizes prepared statements or stored procedures. This comprehensive approach helps fortify defenses against SQL injection attacks.
=>Code Review using OWASP Guidelines
During code reviews, I would refer to the OWASP guidelines and follow recommendations related to the specific vulnerabilities being assessed.
If the code review yields any uncertainties or if I want to ensure a more objective evaluation, I would utilize security assessment tools tailored to evaluate code quality, identify vulnerabilities, and assess compliance with secure coding standards. This additional step provides an objective and automated analysis.
There are various ways to determine if an application development project team is using secure coding practices. Firstly, regular audits should be conducted to ensure compliance. Another method is by scanning the code source with tools for vulnerabilities. Reviewing and interviewing the developers can also help to ensure that they are using secure coding practices.
Yes audits and asking the right questions will easily determine whether not the app development team is using secure coding practices. Some developers do not see security as a priority and then it is taken serious when something happens. They should be done on a regular basis through the development process.