Here is my abstract and Introduction...
Abstract
Teaching secure coding in
the Enterprise requires more than giving lectures to programmers about SQL
injection, XSS and string vulnerabilities. It requires a new foundation and
culture to be put in place for the IT Enterprise. This paper describes what
foundation and culture changes need to take place before teaching secure
coding.
Introduction
Despite
technological advancements, software vulnerabilities have continued to grow at
an alarming rate, with the cost of data breaches becoming more significant to
all stakeholders, regardless of if they are public or private, large or
small. Because of the increased cost
this situation has placed on the enterprise, security has moved from firewalls,
IPS, IDC, et al, to include enterprise programmers to create more secure
code. There are many sources, both
online and in print, that have coding guidelines, best practices, suggestions
and tips for creating secure coding; however, as good as this information is,
it is worthless if secure coding practices are not integrated into the
framework of the enterprise. Not
integrating these practices into the framework of the enterprise could result
in the loss of data, compromise to the system, loss of productivity, and
financial loss.
The purpose of this paper is not to
present another secure coding guideline for developers or another methodology
such as Microsoft Trust Computing SDLC or ALM, but rather to show how a layered
approach is necessary so that the complete infrastructure is firmly in place
before the enterprise moves to secure coding.
Part of this layered approach will be emphasizing the need for creating
a culture that will place emphasis on secure coding in the first place. I am well aware that what I am proposing is
not new; it has been suggested before many times. However, what is being taught today in the
field of secure coding does not include the attendant infrastructure that an
engineer would encounter in the real world; in short, secure coding is being
taught in a vacuum, devoid of the complexities of the environment in which it
will operate. My objective for this
paper is to bring teaching secure coding and the practice of creating secure
coding out of the classroom and shows how to integrate it into the software
development lifecycle (SDLC) of the enterprise.
Software development is no longer an individual task; it is now a very
large and complex process involving several teams and team members. Understanding these basic principles and
applying them to the best practices of secure coding is the aim of my paper.
Download entire paper at https://www.dropbox.com/sh/p6kba70j7uaphol/ekkN3FwLn3
