Explore the fundamental expectation for secure coding practices and learn what they mean.
- Part of being a good developer is understanding what you need to learn and what you need to stay up to date on. So I want to talk about how this course will prepare you for your day-to-day work as a developer. Please keep in mind that this course will not make you all-knowing about writing secure code. This course is aimed at giving you the information and support that you need to write more secure code. In fact, this is one of my primary goals for you.
There is no way to say you are a secure developer. What I want you to take away is the ability to be called a security-minded developer. Another goal is to prepare you to be the champion for security practices on your team. What I've found in both my personal experiences around security and through discussions with others is that for a team to really embrace any sort of culture of security, you need a champion.
Now, this champion can come from anywhere in the team. But in my opinion, the single most effective place for a champion is within the ranks of development. Right or wrong, developers tend to listen to other developers more than anyone else on the team. In addition, forcing culture on a team seldom works. This is why I believe the developer is the single most effective person on the team.
They are listened to and they can be the grassroots driver of change. The third goal that I have is that you become a more effective reviewer. This may sound strange at first, but if you work on a development team, you can only write a portion of the code on your team. So while you may be great at writing code that is more secure, your personal impact on the overall code base is smaller than that of the whole team.
In most teams, several developers take part in the code review or pull request process. So your impact can be dramatically increased simply by being engaged in code reviews from a security perspective. Now, if you're not a developer, you may wonder what value this course can have for you. If you are a development manager, you need to understand what your team is doing, what your team is spending time on, and what risks they are trying to resolve.
If you're a project manager or a scrum leader, you also need to know why a development task may take longer because of the security concerns. And if you are a quality assurance or quality control person for a team, you can leverage this knowledge of exploits and attack vectors to write more effective tests. And that's the ultimate challenge, realizing that security has a place for everyone on the development team and embracing it.
- Understanding attackers and risks
- Documenting your risks
- Issues related to web client–server interactions
- Issues related to thick app and client–server interactions
- Authorization and cryptography issues
- Implementing security in each phase of the software development life cycle