I’ve been a developer for as long as I can remember, but applying secure patterns to my development process took time to evolve. For me it evolved through natural progression, and in a few cases through learning from mistake and disaster. My early years as a developer were also the infancy of the internet as we know it. I was exploiting the early flaws of the web well before I was in the position of building an e-commerce website, so as I developed I often thought about what I would do if I were a bad actor, and tried to mitigate it in my own code.
Today it is apparently not enough to say, “I’ve got 20 years of development experience, trust me, I write secure code.” So I went out and got myself certified with the Whitehat Certified Secure Developer program. It’s not an overly complex bit of coursework, but I highly recommend it, especially for beginner web app developers who may need to exercise a little more caution in their work. This course addresses several of the OWASP Top 10 from a developer’s point of view and explains how each flaw works, so that you can better understand SQL Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, and Missing Function Level Access Control.
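To show the kind of flaw that coursework covers, here is an added example (not from the course or the original post) of the first item on that list, SQL Injection, in Python with the standard-library sqlite3 module. It builds a constructed in-memory users table, then compares a login check that concatenates user input into the SQL string with one that uses parameterized queries. The table, the usernames and the attacker payload are all assumptions made up for the demonstration; passwords are stored in plaintext only to keep the focus on the query, which is not something to copy.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext passwords are used here purely so the query logic is easy to
    # follow; a real application stores a salted password hash instead.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: attacker-controlled input becomes part of the SQL text.

    A username of  alice' --  turns the statement into
      SELECT username FROM users WHERE username = 'alice' --' AND password = '...'
    so the password check is commented out and alice is returned.
    """
    query = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: the SQL text is fixed and the values travel as bound parameters.

    The driver never interprets the parameter contents as SQL, so the same
    payload is simply compared against the username column and matches nothing.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same constructed payload and return the results."""
    conn = make_db()
    payload = "alice' --"  # constructed attacker input; password is irrelevant
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong"),
        "safe_bypass": login_safe(conn, payload, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point to carry away is that the fix is not escaping quotes by hand (SQLite's `--` comment is only one of several ways around that); it is keeping query structure and data in separate channels with bound parameters, which every mainstream database driver supports.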
So if you are a developer and want to know how you can better secure your code, or if you are a CISO or development lead, consider having all your developers take a module like this. Note that this module is aimed specifically at web application development; traditional application development has other concerns, which are addressed by some of the other secure developer certifications offered by Whitehat and others, so check those out.