38 points by devsecopro 7 months ago | 19 comments
securedev 7 months ago
I'm looking for the best tools and practices for developing secure software. Any recommendations?
codeanalysis 7 months ago
Make sure to use static and dynamic code analysis tools like SonarQube, Fortify, and Veracode. They can identify security vulnerabilities in real-time or during development.
sast_vs_dast 7 months ago
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are fundamentally different, and both are important in identifying vexing issues. For instance, run SAST during development and DAST in a QA/pre-prod environment.
devsecops 7 months ago
Shift security left by integrating it into your development and deployment processes – automated testing, continuous integration, and continuous delivery.
sso 7 months ago
Single Sign-On (SSO) with multi-factor authentication is crucial nowadays; it reduces the risk of user account takeover and password-related vulnerabilities.
securitytraining 7 months ago
Your developers should undergo regular security training. It's crucial to have a solid understanding of common vulnerabilities and secure coding practices.
owasptop10 7 months ago
The OWASP Top Ten Project offers an excellent list of the most critical web application security risks you should be aware of.
securearchitecture 7 months ago
Remember the importance of secure architecture for your system – designing multi-tier applications with restricted communication channels and minimizing attack surface.
appsecpro 7 months ago
Absolutely! Defense in depth is crucial in robust application security architecture. It should include multiple layers of protection – network, web application firewalls, access controls, encryption and more.
threatmodeling 7 months ago
Threat modeling can help identify the cybersecurity risks a software system faces and inform necessary improvements during the development process.
spoc_security 7 months ago
Single Points of Control (Spocs) help maintain security through well-defined responsibilities and secure APIs. This strategy can also enforce the Principle of Least Privilege effectively.
moloch 7 months ago
True, but be cautious not to over-optimize for 'Spocs' as it might inadvertently create single points of failure (SPOFs).
mitigation 7 months ago
Mitigating DDoS attacks is vital too. Cloudflare, Akamai, and AWS Shield provide DDoS protection as a service.
ddos_advice 7 months ago
@mitigation, also consider rate limiting, request collapsing, and designing for surge handling to further mitigate DDoS.
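The two application-level mitigations named in the comment above, shown as an added example rather than code from any commenter: a per-client token-bucket rate limiter and a request collapser that lets repeated requests for the same key share one backend call per window. The traffic sample, client addresses and the `simulate` helper are constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction

class TokenBucket:
    """Per-client token bucket: `rate` tokens/s refill up to `burst`. Times are
    integer milliseconds and tokens are Fractions so the arithmetic is exact."""
    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.tokens = {}  # client key -> remaining tokens
        self.last = {}    # client key -> time of last refill (ms)
    def allow(self, key, now_ms):
        tokens = self.tokens.get(key, self.burst)
        elapsed = Fraction(now_ms - self.last.get(key, now_ms), 1000)
        tokens = min(self.burst, tokens + elapsed * self.rate)  # refill, capped
        self.last[key] = now_ms
        ok = tokens >= 1
        self.tokens[key] = tokens - 1 if ok else tokens  # spend one if allowed
        return ok

class Collapser:
    """Request collapsing: one backend call per key per `window_ms`; other
    requests for that key inside the window reuse the first result."""
    def __init__(self, backend, window_ms):
        self.backend, self.window_ms = backend, window_ms
        self.cache = {}  # key -> (expires_at_ms, result)
        self.backend_calls = 0
    def get(self, key, now_ms):
        hit = self.cache.get(key)
        if hit and hit[0] > now_ms:
            return hit[1]
        self.backend_calls += 1
        result = self.backend(key)
        self.cache[key] = (now_ms + self.window_ms, result)
        return result

# Constructed sample traffic (ms, client_ip, path): 10.0.0.9 floods one URL
# at 100 req/s while 10.0.0.1 browses normally.
REQUESTS = ([(0, "10.0.0.1", "/home")]
            + [(10 * i, "10.0.0.9", "/search?q=x") for i in range(50)]
            + [(600, "10.0.0.1", "/home")])

def simulate(rate=5, burst=10, window_ms=1000):
    # Returns (allowed per client, rejected per client, backend calls made).
    bucket = TokenBucket(rate, burst)
    collapser = Collapser(lambda path: f"rendered {path}", window_ms)
    allowed, rejected = defaultdict(int), defaultdict(int)
    for t, ip, path in REQUESTS:
        if bucket.allow(ip, t):
            allowed[ip] += 1
            collapser.get(path, t)  # hits the backend only once per window
        else:
            rejected[ip] += 1
    return dict(allowed), dict(rejected), collapser.backend_calls
```

With the defaults the flooding client gets 12 of 50 requests through and the normal client is never throttled, while the backend renders each page only once per window (2 calls for 14 admitted requests).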
securebugbounties 7 months ago
Bug bounty programs can be a cost-effective method for discovering and addressing security vulnerabilities. Pay for results and involve your developers in triaging the bugs.
useful_tool 7 months ago
Huntr.dev is an open-source platform connecting security researchers with organizations wanting to run private bug bounties. Works well for startups without resources to host their own program.
experiencenotes 7 months ago
@securedev, we had good success with applying OpenSAMM to iteratively grow our application security practices.
roadmap 7 months ago
Great point. Having a clear security roadmap, with milestones and deadlines, has been essential for us to follow and review progress.
ci_cd 7 months ago
Incorporate scanning into your CI/CD pipelines with tools like Black Duck for open source license and security management.