For the longest time there has always been resource kits for Operating System and other major applications. However, I am now glad to see there is now a Security Resource Kit aimed at Developers. For those wondering why we need a Developer Security Resource kit then maybe these number belows will help to explain the need:
- 75 percent of attacks are occuring at the Application level
- Over 70% of security vulnerabilites now exist at the Application level and not at the Network layer
- 11 of CERT's 13 major security advisors for 2003 are bugs arising from the programming errors in applications and not the OS
It is now being widely reported that the battle between hackers and security professionals have moved away from the Network Layer to the Application layer. This should be of no surprise as we start seeing an significant increase in hacking activites year after year combined with the increased reliant upon the internet and Web Applications.
However, developers have been trained on how to write good production code, but not trained on how to write secure code. There are numerous vulnerabilites in applications that can not fixed by SSL, Firewall or other security defences. Rather these vulnerabilites can only be reduced by writing secure code.
I hope you find this DVD to be invaluable. But remember for all the good practices mentioned, they will only work if your Application Development lifecycle include Security upfront. But do not fall in the pitfall most people do by thinking that QA testing is the same as Security testing, which I will discuss more in my next blog.