Principles to keep in mind if you want your applications to be secure:
- Never trust any input!
- Validate input from all untrusted sources – use whitelists not blacklists
- Plan for security from the start – it’s not something you can bolt on at the end
- Keep it simple – complexity increases the likelihood of security holes
- Keep your attack surface to a minimum
- Make sure you fail securely
- Use defence in depth
- Adhere to the principle of least privilege
- Use threat modelling
- Compartmentalize – so your system is not all or nothing
- Hiding secrets is hard – and secrets hidden in code won’t stay secret for long
- Don’t write your own crypto
- Using crypto doesn’t mean you’re secure (attackers will look for a weaker link)
- Be aware of buffer overflows and how to protect against them
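
The "whitelists not blacklists" and "fail securely" principles above, shown side by side as an added example that is not from the original page. The file-name rule, the `may_download` helper, the ACL callback and the sample inputs are all assumptions constructed for illustration.

```python
import re

# Blacklist: reject known-bad substrings; everything else is accepted.
BLACKLIST = ("../", "<script", "'", ";")

def blacklist_ok(name):
    return not any(bad in name.lower() for bad in BLACKLIST)

# Whitelist: state exactly what a valid value looks like (assumed rule:
# a short lowercase file name with one of three extensions).
ALLOWED_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,30}\.(?:png|jpg|pdf)")

def whitelist_ok(name):
    # fullmatch() must consume the whole string, so a trailing newline or
    # any extra suffix is rejected (match() with "$" would let "\n" through).
    return isinstance(name, str) and ALLOWED_NAME.fullmatch(name) is not None

def may_download(user_roles, lookup_acl, name):
    """Fail securely: start from 'deny' and only flip on a positive check."""
    allowed = False
    try:
        if whitelist_ok(name):
            allowed = bool(set(lookup_acl(name)) & set(user_roles))
    except Exception:
        allowed = False  # ACL lookup failed: stay denied, never default to allow
    return allowed

# Constructed sample inputs, not taken from any real system.
SAMPLES = ["report.pdf", "..\\notes.pdf", "report.pdf\n", "Report.PDF"]

def compare(samples=SAMPLES):
    """Return (input, blacklist verdict, whitelist verdict) for each sample."""
    return [(s, blacklist_ok(s), whitelist_ok(s)) for s in samples]

def broken_acl(name):
    raise TimeoutError("ACL backend unavailable")  # simulated outage

if __name__ == "__main__":
    for row in compare():
        print(row)
    print(may_download({"staff"}, lambda n: {"staff"}, "report.pdf"))
    print(may_download({"staff"}, broken_acl, "report.pdf"))
```

The blacklist accepts every sample because none contains a listed substring, while the whitelist accepts only the one value that matches the stated format.
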
There are some excellent books and articles online about making your applications secure:
- Writing Secure Code 2nd Edition – I think every programmer should read this
- Building Secure Software: How to Avoid Security Problems the Right Way
- Secure Programming Cookbook
- Exploiting Software
- Security Engineering – an excellent read
- Secure Programming for Linux and Unix HOWTO
Train your developers on application security best practices:
- Codebashing (paid)
- Security Innovation (paid)
- Security Compass (paid)
- OWASP WebGoat (free)