Security for Developers

00:00

for less than 3.4. We're gonna talk about providing some security to the developers to help them again. Give them some knowledge, get them toe about how to write secure code. But also tell them about this is what we're gonna be performing these the tools we're gonna use to give them a chance to fix bugs before they even get to the security testing portion.

00:22

The lesson objectives. We're gonna list some of the i D plug ins to help improve secure coding,

00:28

describe the need for coding standards, take a look at some certifications for developers and critique the need for contract enforcement for development projects.

00:39

So before coding even begins,

00:42

would be interested is to have

00:44

I d plug ins that go into in the development environment. So there's ones like spot bugs for Java.

00:52

Puma scan for dot net sonar Linz there that there's all these ones so that it's as their developer and writing code riel time. They're getting feedback, saying a. There's a bug here. There's something need to take a look at.

01:04

Another component. Might be

01:07

that's needed is coding standards. So especially when you want to report ah, vulnerability, you can map it to the standards so that and you can stay abroad, the of the standard we're gonna judge you by so that they know when you report something, you map it that has some teeth to it.

01:25

So Carnegie Mellon has this software engineering institute. They have some standards. A wasp has a secure coding practices

01:33

and is a nest s STF requirement to the pita. We got seven

01:38

to have the code review procedures. So,

01:42

for example, ah, process for developers to review the code, some collaboration so that peers can review each other's code to find bugs. You don't have just one person writing the code,

01:53

and then the document, the lessons learned so that

01:57

the same mistakes don't aren't keep

02:00

are being repeated over and over again by the same developer or across the whole development team.

02:07

Me?

02:08

So here's some of the training certifications that may be helpful. There secure secure coding exercises like Range Force Co bashing each other. They provide the scenarios to go through some testing. So you could they concede these vulnerabilities and how to actually fix them into code, or how the bugs get in there and how toe said,

02:29

actually,

02:30

right in a secure fashion,

02:31

there's some certifications. Santa's secure coding secure Dev ops. A couple different ones. Carnegie Mellon again, again from the certain has secure coding for Java sea. They have engineering software. Assurance

02:45

I C squared has the S R. C s slp different certifications out there that could help,

02:52

um,

02:53

developers understand how to write or secure code.

02:57

And then these things could also be used in contracting. If you say

03:00

the developer must have these certifications if they want to work on this project,

03:07

I have a question. No one of these. Have you ever had problems explaining security to developers?

03:16

I'm not really gonna answer this because it's gets border you think about. But was he was a problem. You were not using same terminology. Maybe, uh, do you not understand each other? Concepts would would have helped if Dev and Ops had some security knowledge.

03:32

So kind of these think about maybe these were the problems. And maybe some of these concept that we explain could have helped.

03:42

And I mentioned this already, but contract enforcement may be helped the organization

03:49

I've seen some of these before. They just say you must write secure code and shouldn't be any bugs.

03:53

That doesn't really mean anything. It's no bugs it it just got a fluffy language. So you need to specify requirement to fix. So

04:04

ah, sweet, specific timeline for mitigation. Again, If we met back to these coding standards, you could say the no bugs according to this standard

04:14

and to find the use of third party libraries. We've talked about that some vulnerability and third party libraries and specify that these are part of Thesiger your coding and that they need to be patched along

04:24

with any bugs that are found.

04:27

Um, again, you could possibly require some certifications or some

04:32

some major or some people within the development team has to have it or certain number of people.

04:42

The summary For this We talked about teaching security concepts to developers and giving them the tools they need to write secure code.