The Principles of Secure Development

Give a man a fish and you feed him for a day.....

.....teach a man to fish and you feed him for a lifetime. I feel this proverb can be applied to the content of most application security guidance projects and to the approaches taken by organisations that are trying to create secure applications. Security professionals have often pointed to such projects as the bible for developers wanting to learn how to develop securely and championed various approaches to secure development but one has to question whether current approaches actually help developers to produce secure software. We have seen the amount of recorded (given a CVE number) SQL Injection and Cross Site Scripting vulnerabilities increase from 8.6% of all vulnerabilities in 2007 to 33.46% in 2008. This growth has not slowed in 2009 with these two vulnerabilities accounting for 35.23% of all vulnerabilities this year so far.

These statistics alone must raise the question of whether the secure development projects are getting their message across to developers; more to the point are these projects getting the right message across? I feel that these projects do a good job of telling developers what problems can occur and how to exploit these flaws but they don’t follow this up with useful guidance on how to develop applications that reduce the chance of these flaws occurring. I think this comes from the fact that the people who contribute to these projects like to be the hacker and often neglect the “boring” work of detailing the preventative measures that developers actually need to know. The work required to detail the preventative measures is tedious but essential, developers would not need to read and interpret multiple lists of “top x” vulnerabilities if they had a clear set of secure development principles. The projects that do detail how to develop securely are often bloated and cover hundreds of pages which still leaves the majority of developers with one question, how do I develop securely? This presentation will teach the audience about the 8 secure development principles I have created which cover all currently known vulnerabilities.