The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Complete the AWS Well-Architected security labs
The AWS Well-Architected Framework describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. Security is one element of the Well-Architected Framework. Amazon provide practical labs covering the different pillars within the Well-Architected Framework. These allow you to learn by doing, with code and documentation to help you.
Explore AppSec Map
enso.security's AppSec Map provides a quick overview of different elements of an AppSec programme and some of the offerings which can help an organisation provide each element of the programme.
Explore the National Vulnerability Database
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
Explore the security section of Azure's Well-Architected Framework
The Azure Well-Architected Framework is a set of guidance that helps you improve how you build and deploy your application on Microsoft's Azure cloud platform. Security is one pillar within the Well-Architected Framework.
Learn about CWEs
CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
Learn about STRIDE
STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories: Spoofing Tampering Repudiation Information disclosure (privacy breach or data leak) Denial of service Elevation of privilege
Play around with Objective-See's macOS security tools
Objective-See is a non-profit that creates simple, effective macOS security tools. Their tools are free and open-source.
Play the Citadel Programming Lab from CyBOK
The Citadel Programming Lab is an online virtual secure coding game-based computer lab. The Lab combines a tower defence game with 6 security programming tasks. The lab is based on a serious game approach to join learning and playfulness. The lab’s platform combines a Unity game linked with a coding environment based on an instance of GitLab. The game elements and coding exercises are linked to CyBOK, the Cybersecurity Body of Knowledge, to map its cybersecurity content.
Play the Elevation of Privilege game
Elevation of Privilege (EoP) is the easy way to get started threat modeling. It is a card game that developers, architects or security experts can play.
Read about building a product security programme from scratch
Read about one person's experience creating product security programme's from scratch.
Read a penetration test report
A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The findings are usually documented in penetration test report which organisations use to fix issues and improve their internal vulnerability assessment and management processes.
Read a Project Zero write up
Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. They provide comprehensive write-ups of the vulnerabilities they discover, and their work to work with the wide community to remediate them.
Read a VUSec publication
VUSec is the Systems and Network Security Group at Vrije Universiteit Amsterdam. Their research covers all aspects of system-level security and reliability, including topics such as software hardening, exploitation, binary analysis, dependable systems, software testing, side channels, and reverse engineering.
Read The Art of Mac Malware
The "Art of Mac Malware" was created to provide a comprehensive resource about threats targeting Apple's desktop OS. Dedicated to the community, it is a culmination of over a decade of macOS security research.
Read the CWE Most Important Hardware Weaknesses
The CWE™ Most Important Hardware Weaknesses is the result of collaboration within the Hardware CWE Special Interest Group (SIG). Its intent is to drive awareness of common hardware weaknesses and prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.
Read the CyBOK Secure Software Lifecycle Knowledge Area introduction
The Cyber Security Body Of Knowledge is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector. The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. The project, funded by the National Cyber Security Programme, is led by the University of Bristol's Professor Awais Rashid, along with other leading cyber security experts - including Professor Andrew Martin, Professor Steve Schneider, Dr Yulia Cherdantseva, Dr Rod Chapman and Dr Marina Krotofil.
Read the OWASP Application Security Verification Standard (ASVS)
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.
Read the OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Setup a continuous integration (CI) build
Continuous integration (CI) is automatically integrating and building code changes from multiple contributors into a single software build. For example, a build may be produced every time a developer pushes code to a source control repository.
Setup dependabot on a GitHub project
Dependabot provides automated dependency updates. It is built into GitHub and makes keeping your dependencies up to date quick and easy.
Try using Tetragon
Tetragon is a runtime security enforcement and observability tool. Tetragon applies policy and filtering directly in eBPF in the kernel.
Use Cairis to create personas and model data flow
CAIRIS stands for Computer Aided Integration of Requirements and Information Security. It is an open source platform for eliciting, specifying, and validating secure and usable systems. It was built from the ground up to support all the elements necessary for usability, requirements, and risk analysis.
Write a CMakelists.txt to build a simple binary using CMake
CMake is an open-source, cross-platform family of tools designed to build, test and package software. CMake is used to control the software compilation process using simple platform and compiler independent configuration files, and generate native makefiles and workspaces that can be used in the compiler environment of your choice.