Software Security Resources
This page lists some useful resources, in alphabetical
order, for those working primarily in software security.
The list isn't intended as an endorsement of the
resources, but we have found them useful ourselves.
Be your own judge. We should add that we do have a bias:
in some (but not all) cases, we were contributors to the
various documents and other resources listed here.
If you would like us to add your resource or recommendation
here, please contact us via email.
Build Security In
To quote from their web site, "As part of the Software
Assurance program, Build Security In (BSI) is a project of
the Strategic Initiatives Branch of the National Cyber
Security Division (NCSD) of the Department of Homeland
Security (DHS). The Software Engineering Institute (SEI)
was engaged by the NCSD to provide support in the Process
and Technology focus areas of this initiative. The SEI team
and other contributors develop and collect software
assurance and software security information that helps
software developers, architects, and security practitioners
to create secure systems.
BSI content is based on the principle that software
security is fundamentally a software engineering problem
and must be addressed in a systematic way throughout the
software development life cycle. BSI contains and links to
a broad range of best practices, tools, guidelines, rules,
principles, and other knowledge that can be used to build
security into software in every phase of its development."
There are a lot of useful articles on BSI, and they are
all available to you for free.
OWASP
To quote from their web site, "The Open Web Application
Security Project (OWASP) is dedicated to finding and
fighting the causes of insecure software. Everything here
is free and open source. The OWASP Foundation is a 501c3
not-for-profit charitable organization that ensures the
ongoing availability and support for our work.
Participation in OWASP is free and open to all." OWASP has
many useful resources for the software security
practitioner including WebGoat, WebScarab, and the JBroFuzz
fuzzing tool. Information about OWASP can be found here.
SecAppDev
To quote from their web site, "Katholieke Universiteit
Leuven organizes an intensive secure application
development course for experienced software practitioners
in partnership with Solvay Business School and L-Sec
(Leuven Security Excellence Consortium)..."
"The course is aimed at software architects, designers,
developers, testers and technical project managers and is
limited to 25 places for optimal interaction. The
first-rate instructors have wide-ranging experience in
academia and industry, are experts in application security
and are committed to interactive teaching. The course
focuses on secure software engineering principles and
techniques for countering threats and vulnerabilities in
today's target environments."
Ken has been on the faculty of SecAppDev since its
inception, and is always happy to be re-invited.
Information about SecAppDev can be found here.
Secure Coding Mailing List (SC-L)
KRvW Associates sponsors, hosts, and moderates a Secure
Coding discussion forum (known as "SC-L") as a free,
non-commercial service to the community. The membership of
the list will not be used for any commercial purposes
including email, telephone, or other advertising.
Information on SC-L, including subscription/unsubscription
and the group's charter can be found here.
Software Security Summit
Perhaps still the only conference that focuses exclusively
on software security, "S3" is a must-attend for anyone
involved in the field. Ken has been a pretty regular (at
least from a schedule standpoint) speaker at most of the S3
events to date, and is always happy to support this worthy
cause. Info can be found here.
Web Application Security Consortium
To quote from their web site, "The Web Application Security
Consortium (WASC) is an international group of experts,
industry practitioners, and organizational representatives
who produce open source and widely agreed upon
best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of
ideas and organizes several industry projects. WASC
consistently releases technical information, contributed
articles, security guidelines, and other useful
documentation. Businesses, educational institutions,
governments, application developers, security
professionals, and software vendors all over the world
utilize our materials to assist with the challenges
presented by web application security."
Like OWASP, their focus is primarily web applications. The
mailing list they run is quite active and well worth taking
a look at. They can be found here.