The company that I work for is redeveloping an in-house product for external use.

The product will initially be developed in C# using WPF, then ported to Silverlight.

One of the focus points is coding against malicious attacks e.g. SQL injection etc.

Questions:

  1. Can anyone recommend URLs pointing to articles on security 'best practices'?
  2. Can anyone recommend an analysis tool for analysing the code to identify weaknesses? We would, if possible, like to include the tool in our continuous integration scripts.

Many thanks ...

+3  A: 

The best resource I've found is here:

http://www.owasp.org/index.php/Main_Page

Within that site, I would start here:

http://www.owasp.org/index.php/Top_10_2007

The top 10 is for web site vulnerabilities, but the concepts apply to all types of apps. In my personal opinion, you really can't do better for a starting point when it comes to learning about secure coding.

This site provides best practices, tools, and really makes everything understandable regardless of your skill level.

*Added*

Another good resource is the MSDN documentation, since your question is tagged as C#.

http://msdn.microsoft.com/en-us/library/ms998408.aspx

David Stratton
+1  A: 

Try the following article on MSDN: Security (How Do I in C#).

Dan Diplo
+1 - good resource!
David Stratton
The article pointed me to Microsoft's security webpage [http://msdn.microsoft.com/en-us/security/default.aspx] and their SDL - plus tools for testing. Just what I was looking for. Many thanks!
+1  A: 

I guess starting with secure development would mean three steps:

Identify and understand the big picture: what may go wrong

This means understanding the technical aspects of a vulnerability and how it helps make things go wrong.

Typically, I'd go with the OWASP's Top 10 web application security vulnerabilities (google: owasp top 10 2007).

If you don't understand it, then, please, ask for guidance. Understanding such a document doesn't directly tell you how to build secure code, but it is a good indicator of your level of understanding of secure development.

Find good general practices that lead to secure development

While many documents tell you how things may go wrong, few resources actually tell you how to avoid them in a general way.

Currently, I'd mostly recommend these resources:

  • David Rook's "Secure Development principles" (google: david rook principles of secure development)
  • OWASP's Top 10 vulnerabilities protection section pages (each entry is clickable on the online version of the Top 10)

Find resources tailored for your technology

Get access to resources that tell you "how to do this" in a language that you speak. Typically, C#. The MSDN portal provides developers with many security checklists (http://msdn.microsoft.com/en-us/library/ms998408.aspx).

Finally, get into it: connect to regular input on application security, find blogs, read news (build Google alerts with some vulnerability names or words such as 'application security' or 'secure development') and see what happens.

Hope it helps.

sb

PS: sorry for the 'google' links, I am a new user and can only post 1 URL in my answers :(

Starbuck