Time
4 hours 39 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Lesson 3.4. We're gonna talk about providing some security to the developers to help them again. Give them some knowledge, get them thinking about how to write secure code. But also tell them this is what we're gonna be performing, these are the tools we're gonna use, to give them a chance to fix bugs before they even get to the security testing portion.
00:22
The lesson objectives. We're gonna list some of the IDE plugins to help improve secure coding,
00:28
describe the need for coding standards, take a look at some certifications for developers and critique the need for contract enforcement for development projects.
00:39
So before coding even begins,
00:42
what would be interesting is to have
00:44
IDE plugins that go into the development environment. So there's ones like SpotBugs for Java.
00:52
Puma Scan for .NET, SonarLint, there's all these ones so that as the developer is writing code, in real time, they're getting feedback saying hey, there's a bug here, there's something you need to take a look at.
01:04
Another component that might be
01:07
needed is coding standards. So especially when you want to report a vulnerability, you can map it to the standards, and you can state up front the standard we're gonna judge you by, so that they know when you report something, you map it, that has some teeth to it.
01:25
So Carnegie Mellon has this Software Engineering Institute. They have some standards. OWASP has a Secure Coding Practices
01:33
and there's a NIST SSDF requirement, PW.7,
01:38
to have the code review procedures. So,
01:42
for example, a process for developers to review the code, some collaboration so that peers can review each other's code to find bugs. You don't have just one person writing the code,
01:53
and then document the lessons learned so that
01:57
the same mistakes aren't
02:00
being repeated over and over again by the same developer or across the whole development team.
02:07
Me?
02:08
So here's some of the training certifications that may be helpful. There are secure coding exercises like RangeForce, Codebashing and others. They provide the scenarios to go through some testing, so they can see these vulnerabilities and how to actually fix them in code, or how the bugs get in there and how to,
02:29
actually,
02:30
write in a secure fashion,
02:31
there's some certifications. SANS has secure coding, secure DevOps, a couple different ones. Carnegie Mellon again, from the CERT, has secure coding for Java, C. They have engineering software assurance.
02:45
(ISC)² has the CSSLP, different certifications out there that could help,
02:52
um,
02:53
developers understand how to write more secure code.
02:57
And then these things could also be used in contracting, if you say
03:00
the developer must have these certifications if they want to work on this project.
03:07
I have a question on one of these. Have you ever had problems explaining security to developers?
03:16
I'm not really gonna answer this because it's just for you to think about. But what was the problem? You were not using the same terminology, maybe. Do you not understand each other's concepts? Would it have helped if Dev and Ops had some security knowledge?
03:32
So kind of think about, maybe these were the problems, and maybe some of these concepts that we explain could have helped.
03:42
And I mentioned this already, but contract enforcement may help the organization.
03:49
I've seen some of these before. They just say you must write secure code and there shouldn't be any bugs.
03:53
That doesn't really mean anything. "No bugs," it's just fluffy language. So you need to specify a requirement to fix, so
04:04
a specific timeline for mitigation. Again, if we map back to these coding standards, you could say no bugs according to this standard,
04:14
and define the use of third-party libraries. We've talked about that, some vulnerabilities in third-party libraries, and specify that these are part of the secure coding and that they need to be patched along
04:24
with any bugs that are found.
04:27
Again, you could possibly require some certifications, or
04:32
some majority or some people within the development team have to have it, or a certain number of people.
04:42
The summary for this: we talked about teaching security concepts to developers and giving them the tools they need to write secure code.
04:49
And in the next lesson, I'll demo SpotBugs, which is this concept of the plugin in the IDE that gives them real-time feedback, so it should be a really interesting lesson.

Instructed By

Philip Kulp
Instructor