Last week, I grumbled over the fact that a student can graduate with a Computer Science and Software Engineering degree and have had zero exposure to software security. Huh? Doesn’t our society and business literally run on...

For years everyone from Mary Ann Davidson (CSO of Oracle) to OWASP to DHS (in their “Build Security In” initiative with SEI) has been bemoaning the fact that our universities do not adequately train software engineering...

Identify Security Objectives for Applications

by Serge Truth on December 17, 2010 at 9:58 AM

When developing an application, it is best to define security objectives and requirements early in the process. Security objectives are goals and constraints that affect the confidentiality, integrity, and availability of...

Centralize Error Handling

by Serge Truth on December 16, 2010 at 10:00 AM

Write a class or library dedicated to error handling. Centralized error handling is easier to test and implement correctly. Handling errors is important for security, so better error handling improves security. Perform the...

Assume All Web Application Input is Malicious

by Serge Truth on December 15, 2010 at 10:02 AM

What to Do

Applications should assume that all of their input is malicious, and take action accordingly. Input should be validated and either rejected or sanitized immediately, carefully quarantined during use, and...

Centralize Input Validation

by Serge Truth on December 14, 2010 at 10:03 AM

Centralizing input validation helps ensure that data is validated in a consistent way throughout the application and provides a single point of maintenance. Perform the following steps to assure that all input is...