Secure development, DevSecOps

OWASP, OpenSAMM and related

• OWASP.org - Open Web Application Security Project - with flagship, lab and incubator projects
• Security by Design - principles
• ASVS - Application Security Verification Standard
• API check - understand and mitigate the vulnerabilities and security risks of APIs
• OWASP top-10 application vulnerabilities
• WebGoat- deliberately insecure web application
• Zed - attack proxy
• WebScarab - interceptor/modifier for http(s), legacy, replaced by Zed
• DependencyCheck - known vulnerabilities and dependencies
• DefectDojo - tracking vulnerabilities
• CSVS - Container Security Verification Standard
• Cheatsheets - about many topics
• OpenSamm-
• OwaspSAMM
• OwaspSlack for communication about eg SAMM
• OpenSamm legacy- tip Bart De Win
• BSIMM- Building Security In Maturity Model, a study of existing software security initiatives
• OWASP Threat Dragon (threat modelling) - supports STRIDE/LINDDUN/CIA
• Threat modeling manifesto

IETF

• RFC 3552 Guidelines for Writing RFC Text on Security Considerations
• Internet Threat Model
• Which attacks are in-scope versus out of scope
• RFC 6973 Privacy Considerations for Internet Protocols
• Threats
• Threat mitigation
• Guidelines

Vendors

• Microsoft SDL
• Microsoft STRIDE on Wikipedia
• WhiteSource - Rami Sas
• Snyk - npm security / JS coding

Concepts

• US DACS - Data and Analysis Centre for Software - secure SDLC
• UK - ObjectSecurity.com - spin-off Univ of Cambridge (2000) - SecureCorba, MICOSec, Policy Description Language

Secure coding

• US NIST Secure Software Development Framework (SSDF) project
• Safecode.org
• Safecode.org- publications
• Carnegie Mellon C Secure Coding Standard

Securit of Machine Learning

• Gary McGraw static code analysis, Fortify, Cigital, Java security, ...
• Gary McGraw - Berryville Institute Machine Learning security of ML
• Berryville Institute Machine Learning taxonomy of ML attacks

DevSecOps - Security testing in continuous integration and DevOps

NIST

• US NIST DevSecOps project

Tools

• Sysdig
• Sonatype - Nexus repositories, source code analysis, libraries, Nexus source code scanner
• Mend.io - Ron and Rami - ex-WhiteSource
• 42Crunch - Isabelle Mauny - includes API security
• Frida Greasemonkey for native apps, i.e. a dynamic code instrumentation toolkit that lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX
• Fortify - Wikipedia
• Fortify - Microfocus - originally static code analysis
• Tenable - manage cyber exposure - home of Nessus
• Mittn - an evolving suite of security testing tools to be run in Continuous Integration context that uses Python and Behave.
• Gauntlt
• BDD security- publications

Building blocks

• INRIA - Compcert - secure compiler
• Fstar-language - provable security for programs
• Project Everest - Microsoft and INRIA - TLS
• miTLS: A Verified Reference Implementation of TLS
• Google's fork of OpenSSL: BoringSSL
• Mozilla's Seccomp Linux sandbox

Training

• SecAppDEV - Bart De Win/Johan Peeters/Dirk Dussart
• SecurityInnovations - via Roland Ehlies PwC DE

Solution providers

• ThreadFix (Google repository) - rooted in Denim Group/Joe Krull
• 1Raindrop - Gunnar Peterson's blog, on a.o. REST Security
• US - Denim Group (Joe Krull)
• Codenomicon
• DE - Zynamics - reverse engineering, code analysis, "chained return-into-licbc" attacks on iPhone
• UK - ObjectSecurity.com - spin-off Univ of Cambridge (2000) - SecureCorba, MICOSec, Policy Description Language

Tools

• SemGrep
• Checkmarx - security of software
• US - HP-Fortify (code analysis, security metrics, security tester) - legacy site
• Agnition (Sourceforge) - secure code review tool
• CodeTheCode - Objective-C class-dump utility
• F-Script - introspection, manipulation and scripting of Cocoa objects
• Clang analyzer - static analysis
• www.modsecurity.org - Application-level firewall for Apache