Archive for the ‘ Secure SDLC ’ Category

Web Application Security Check List, version 2

In 2010, OWASP-Turkey published a check list for web application security that provides various security controls for web application developers and system administrators.

A second version of the check list was planned. I have been involved in the project, and within the past six months we have restructured and enhanced the document. Today we announced the new check list and published it in Excel and PDF formats.

Compared to the first version, the new security check list contains the following enhancements:

  • More security controls have been added; the new check list now contains 62 security controls.
  • The categorization now follows the OWASP Testing Guide categories.
  • Each security control is mapped to a verification requirement of the OWASP ASVS (Application Security Verification Standard).
  • The document has been published in PDF as well as in Excel format. The Excel version works as a tool and shows implemented and unimplemented security controls graphically.
  • Each security control has a status flag (Yes, No, Out-of-Scope) that is managed explicitly within the Excel tool.
  • A Turkish-English glossary of security terms has been added to the document.

Our next step is the translation into English. I believe the document will be very helpful for anyone (e.g. developers, auditors, security architects, IT architects, system administrators, database administrators) focusing on security aspects during the development and operation of web applications.

You can download the documents from the Publications section as well.

I have completed the review of the book “Secure and Resilient Software Development” for the IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book is a “must read” resource for security experts focusing on application security and for application designers and developers who need to integrate security into their systems. It covers various aspects of application security for each phase of software development. The authors have practical experience in application security and have written a practice-oriented book. The chapters are well-structured and arranged in a good logical order. I would strongly recommend this book to security architects, security trainers, application designers and developers. However, I would not recommend the book to students, who might have less security and development knowledge due to missing real-life project experience; the broad content of the book could be quite complicated for them to follow.

You can download the review from the Publications section as well.

I have recently completed the review of the book “Architecting Secure Software Systems” for the IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book focuses on both theoretical and practical aspects of designing secure software systems. While its theory part is quite well-written, its practical part is not well-structured. I would strongly recommend it to people who need only an overview of secure software design, but not to security experts who want to study a specific topic in detail.

You can download the review from the Publications section as well.

I will now continue reviewing the book “Secure and Resilient Software Development” as the next one.

Secure Coding Guidelines for Java

I have published a Turkish article about secure coding guidelines for Java within the OWASP-Turkey Documents. The article aims to help IT architects and developers understand the main security aspects during the design and development phases.

The guideline contains generic countermeasures (e.g. avoid duplicated code) as well as Java-specific countermeasures (e.g. how to use the doPrivileged() method securely). It is mainly grouped into the following sections:

  • Design
  • Confidentiality and Privacy
  • Access Control
  • Input Validation
  • Serialization
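As an added illustration of the doPrivileged() countermeasure mentioned above (this is example code written for this page, not code from the OWASP-Turkey article): AccessController.doPrivileged() stops the permission stack walk at the calling frame, so everything inside the block runs with the permissions of the class that contains it, not those of whoever called it. The vulnerable method below hands a caller-controlled path into the privileged block, which lets an untrusted caller read any file the trusted class may read. The hardened method accepts only a key, resolves it against a fixed table outside the privileged block, and lets the block touch only a path the trusted class itself chose. The class name, the config table and its paths are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;

/**
 * Example (not from the original article): a trusted library class that is
 * granted FilePermission for its own configuration directory and exposes a
 * read operation to less-trusted callers running under a SecurityManager.
 */
public final class ConfigReader {

    // Assumed for the example: the only files this component is meant to expose.
    private static final Map<String, Path> KNOWN_CONFIGS = Map.of(
        "app", Paths.get("/etc/myapp/app.properties"),
        "log", Paths.get("/etc/myapp/logging.properties"));

    private ConfigReader() {}

    /**
     * VULNERABLE: the caller-supplied path is used inside the privileged block.
     * A caller with no FilePermission at all can pass "/etc/shadow" and this
     * class's permissions are lent to that read.
     */
    public static String readUnsafe(final String path) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<String>) () ->
                    new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8));
        } catch (PrivilegedActionException e) {
            // Files.readAllBytes only throws IOException as a checked exception.
            throw (IOException) e.getException();
        }
    }

    /**
     * HARDENED: untrusted input is only a lookup key. Validation and path
     * resolution happen here, with the caller's (reduced) permissions; the
     * privileged block reads a path chosen by this class, never by the caller.
     */
    public static String readSafe(final String name) throws IOException {
        final Path target = KNOWN_CONFIGS.get(name);
        if (target == null) {
            throw new IllegalArgumentException("unknown config: " + name);
        }
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<String>) () ->
                    new String(Files.readAllBytes(target), StandardCharsets.UTF_8));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }
}
```

The same rule applies to what the block returns: do not leak objects (streams, class loaders, mutable arrays) obtained under elevated permissions back to an untrusted caller. Since Java 8 the overload `AccessController.doPrivileged(action, context, permissions...)` lets the block assert only the specific permissions it needs instead of the class's full set, which narrows the damage if the guideline above is violated. Note that the SecurityManager and AccessController mechanism has been deprecated for removal since JDK 17 (JEP 411), so this pattern matters for code bases that still run under a security manager.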

The main references for the article are as follows:

The article is available in the OWASP-Turkey Documents. You can download it from the Publications section as well.

Secure Software Development with SAMM

SAMM (Software Assurance Maturity Model) is an OWASP project that provides a well-structured strategy and guidelines for integrating security into software development processes.

In the 7th issue of Web Security Magazine, managed by OWASP-Turkey, I have written an introductory article on SAMM. In this article, I focused mainly on the following topics:

  • What is SAMM and what are the main aims of SAMM?
  • How is SAMM structured? What are its main components (i.e. business functions, security practices, maturity levels, security activities)?
  • What are the 4 business functions (i.e. governance, construction, verification, deployment)?
  • What are the 12 security practices (i.e. strategy & metrics, policy & compliance, education & guidance, threat assessment, security requirements, secure architecture, design review, code review, security testing, vulnerability management, environment hardening, operational enablement)?
  • How do you apply SAMM in development projects? What are the main SAMM documents/tools (e.g. assessment worksheet, scorecards, roadmap template)?

The article is in Turkish and you can read it at this link. You can also download it as a PDF from the Publications section of this blog.

If you are interested in SAMM and need more information, I would suggest visiting the following links: