Software development teams should follow guidelines and practices in order to create secure software.
When developing software, beware of leaving backdoors or maintenance hooks in the code (for example, hardcoded credentials or undocumented bypasses meant "just for support").
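As an added illustration of the maintenance-hook warning above (example code, not from the original page), the "before" function below keeps a hardcoded support login that bypasses the real credential check, and the "after" function removes it so every login goes through the same store. The user store, salts and the hook credential are constructed for the demo; the only library calls are `hashlib.pbkdf2_hmac` and `hmac.compare_digest` from the Python standard library.

```python
import hashlib
import hmac

# Constructed demo user store: PBKDF2-SHA256 hashes with a per-user salt.
# In a real system these records come from a database, not a module constant.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_ALICE_SALT = b"constructed-salt-alice"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "hash": _hash_password("correct horse battery staple", _ALICE_SALT),
    },
}

# Dummy record used for unknown usernames so the unknown-user path costs the same
# PBKDF2 work as a real one (timing should not reveal which usernames exist).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def check_credentials_with_hook(username: str, password: str) -> bool:
    """'Before': a maintenance hook left in so support staff could log in without an account.

    The hook credential is constructed for this demo. Anyone who reads the source, a
    leaked build, or a decompiled binary now holds a permanent, unlogged bypass of the
    real authentication path.
    """
    if username == "maint" and password == "maint-hook-2018":  # the maintenance hook
        return True
    record = USERS.get(username)
    if record is None:
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def check_credentials(username: str, password: str) -> bool:
    """'After': no hook; every login is checked against the credential store.

    Unknown users are compared against a dummy record so the function does the same
    amount of work either way, and the comparison is constant-time.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    computed = _hash_password(password, salt)
    return hmac.compare_digest(computed, expected) and record is not None


if __name__ == "__main__":
    print("hooked login, maint/any:", check_credentials_with_hook("maint", "maint-hook-2018"))
    print("fixed login, maint/any :", check_credentials("maint", "maint-hook-2018"))
    print("fixed login, alice/ok  :", check_credentials("alice", "correct horse battery staple"))
```

The fix is removal, not obfuscation: a hook that is merely renamed or moved behind an environment variable is still a second authentication path that the code review, the threat model and the audit log all need to know about.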
Secure Software Development Frameworks
You can read more about secure software development frameworks on this post.
Software Security Testing Frameworks
You can read more about software security testing frameworks on this post.
Software Bill of Materials (SBOM)
A software bill of materials (SBOM) is a machine-readable list of the internal components of a piece of software (libraries, packages, their versions and identifiers).
SBOMs make it easier to identify vulnerable components and to understand software supply chains, so that everyone can keep their software systems more secure.
You can read more about SBOM on this post.
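To show what "machine-readable list of components" buys you in practice, here is an added example (not from the original page or any SBOM tool) that parses a small CycloneDX-style JSON SBOM and matches its components against an advisory list. The SBOM, the package names, the advisory identifiers and the "fixed in" versions are all constructed placeholders; real workflows would feed the same loop from a generated SBOM and a vulnerability database.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a fictitious application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3", "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "otherlib",   "version": "4.0.1", "purl": "pkg:pypi/otherlib@4.0.1"},
    {"type": "library", "name": "widget",     "version": "0.9.0", "purl": "pkg:npm/widget@0.9.0"}
  ]
}
"""

# Constructed advisory feed. Each entry names a package (purl without the version)
# and the first version that contains the fix. Identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/examplelib", "fixed_in": "1.2.4"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/widget", "fixed_in": "0.9.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:pypi/unused", "fixed_in": "2.0.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:pypi/examplelib@1.2.3' into ('pkg:pypi/examplelib', '1.2.3').

    A purl without '@' has no version; return it whole with an empty version string.
    """
    if "@" not in purl:
        return purl, ""
    package, _, version = purl.rpartition("@")
    return package, version


def list_components(sbom_text: str) -> Dict[str, str]:
    """Map each component purl to its declared version."""
    sbom = json.loads(sbom_text)
    return {c["purl"]: c["version"] for c in sbom.get("components", []) if "purl" in c}


def find_affected(sbom_text: str, advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every component older than the fixed version."""
    hits: List[Tuple[str, str, str]] = []
    for purl in list_components(sbom_text):
        package, version = split_purl(purl)
        if not version:
            continue  # cannot compare an unversioned component; report it separately in real use
        for adv in advisories:
            if adv["package"] == package and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((package, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for package, version, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{package}@{version} is affected by {adv_id}")
```

Note the two cases the loop gets right only because the SBOM carries structured identifiers: `widget@0.9.0` is not flagged because the fix version is inclusive, and a string comparison of `"1.10.0" < "1.9.0"` would have given the wrong answer, which is why versions are parsed into tuples first.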
Code Review Methods
Code Review Methods:
- Pair programming: live review in which one colleague reviews the code while the other writes it.
- Peer review: review by a colleague.
- Team review: review by a team.
- Pass-around review: review done through e-mail or a central review system, which allows it to happen asynchronously.
- Fagan inspection: formal review process involving both the team and the developer.
Application Security Testing (AST)
You can read more about AST on this post.
Software Secure Coding Standards
Software Secure Coding Standards:
- SANS / CWE Top 25
- OWASP ASVS
- SAFECode
CWE Top 25 Most Dangerous Software Errors
SANS / CWE Top 25 Most Dangerous Software Errors
OWASP ASVS
OWASP Application Security Verification Standard (ASVS)
It consists of 3 levels of security verification:
- Level 1: low assurance level, which can be verified entirely through penetration testing
- Level 2: most applications
- Level 3: critical applications, whose security validation requires in-depth validation and testing.
Some controls only apply to certain levels.
SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is an industry group.
SAFECode publishes the SAFECode Fundamental Practices for Secure Software Development. As of 2024, its latest version is the Third Edition, from 2018.