Keep Things Simple
Secure development education does not need to be complicated, nor does it need to explain specific vulnerabilities. That last point might seem like an alien concept to some people, but we have recently been asking several experienced developers and security professionals whether developers need to understand specific vulnerabilities. We don’t think teaching developers about specific vulnerabilities is the most effective way to reach the goal of secure development. Knowledge of the intricate details of attacks such as SQL Injection is something a developer’s education should evolve towards, yet almost all education efforts begin here.
This is certainly an area that would benefit greatly from the KISS principle (Keep It Short and Simple) and from avoiding unnecessary complexity. The three most popular “top x” lists have 45 vulnerabilities listed between them, and 42 of them have unique names despite the fact that they do not represent 42 individual vulnerabilities. This only increases confusion and uncertainty instead of clearly detailing how one should build a secure application.
With the above paragraphs in mind, we have attempted to take on the challenge of providing clarity around the issue of secure development by creating a set of secure development principles.
We have analysed many vulnerabilities and have created a set of secure development principles which we feel will prevent the large majority of them. These principles are listed in the drop-down menu under Secure Developments above, and we will elaborate on each of them in the sub-pages of this section.