Secure development

OWASP, OpenSAMM and related

• OWASP.org - Open Web Application Security Project
- with flagship, lab and incubator projects
• Security by Design - principles
• ASVS - Application Security Verification Standard
• API check - understand and mitigate the vulnerabilities and security risks of APIs
• OWASP top-10 application vulnerabilities
• WebGoat- deliberately insecure web application
• Zed - attack proxy
• WebScarab - interceptor/modifier for http(s), legacy, replaced by Zed
• DependencyCheck - known vulnerabilities and dependencies
• DefectDojo - tracking vulnerabilities
• CSVS - Container Security Verification Standard
• Cheatsheets - about many topics
• OpenSamm-
• OwaspSAMM
• OwaspSlack for communication about eg SAMM
• OpenSamm legacy- tip Bart De Win
• BSIMM- Building Security In Maturity Model, a study of existing software security initiatives

Vendors

• Microsoft SDL
• Microsoft STRIDE on Wikipedia

Concepts

• US DACS - Data and Analysis Centre for Software - secure SDLC
• UK - ObjectSecurity.com - spin-off Univ of Cambridge (2000) - SecureCorba, MICOSec, Policy Description Language

Secure coding

• Safecode.org
• Safecode.org- publications
• Carnegie Mellon C Secure Coding Standard

Security testing in contiuous integration and DevOps

• Mittn - an evolving suite of security testing tools to be run in Continuous Integration context that uses Python and Behave.
• Gauntlt
• BDD security- publications

Building blocks

• INRIA - Compcert - secure compiler
• Fstar-language - provable security for programs
• Project Everest - Microsoft and INRIA - TLS
• miTLS: A Verified Reference Implementation of TLS
• Google's fork of OpenSSL: BoringSSL
• Mozilla's Seccomp Linux sandbox

Training

• SecAppDEV - Bart De Win/Johan Peeters/Dirk Dussart
• SecurityInnovations - via Roland Ehlies PwC DE

Solution providers

• ThreadFix (Google repository) - rooted in Denim Group/Joe Krull
• 1Raindrop - Gunnar Peterson's blog, on a.o. REST Security
• US - Denim Group (Joe Krull)
• Codenomicon
• DE - Zynamics - reverse engineering, code analysis, "chained return-into-licbc" attacks on iPhone
• UK - ObjectSecurity.com - spin-off Univ of Cambridge (2000) - SecureCorba, MICOSec, Policy Description Language

Tools

• Checkmarx - security of software
• US - HP-Fortify (code analysis, security metrics, security tester)
• Agnition (Sourceforge) - secure code review tool
• CodeTheCode - Objective-C class-dump utility
• F-Script - introspection, manipulation and scripting of Cocoa objects
• Clang analyzer - static analysis
• www.modsecurity.org - Application-level firewall for Apache