In my previous post, I did mention the web application security check list for auditors. The check list has been now translated into English. For the details, see the Google project site.

I have completed the review of the book “Secure and Resilient Software Development” for IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book is a “must read” resource for security experts focusing on application security and for application designers and developers who need to integrate security into their systems. It provides various aspects of application security for each phase of software development. The authors have practical experience in application security and wrote a practice-oriented book. The chapters are well-structured and arranged in a good logical order. I would strongly recommend this book to security architects, security trainers, application designers and developers. But I would not recommend the book for students who might have less security and development knowledge due to missing real-life project experience. The broad content of the book could be quite complicated for students to follow.

You can download the review from the Publications section as well.

I have recently completed the review of the book “Architecting Secure Software Systems” for IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book focuses on both theoretical and practical aspects of designing secure software systems. While its theory part is quite well-written, its practical part is not well-structured. I would strongly recommend it to people who need to get only an overview of secure software design, but not for security experts who want to study a specific topic in detail.

You can download the review from the Publications section as well.

I will now continue reviewing the book “Secure and Resilient Software Development” as the next one.

I have published an (Turkish) article about secure coding guidelines for Java within OWASP-Turkey Documents. The article aims at helping IT-architects and developers to understand the main security aspects during design and development phases.

The guideline contains generic countermeasures (e.g. Do not write repeated codes) as well as Java-specific countermeasures (e.g. How to use doPrivileged() method in a secure way). It is mainly grouped into the following sections:

• Design
• Confidentiality and Privacy
• Access Control
• Input Validation
• Serialization

The main references for the article are as follows:

• Secure Coding Guidelines for the Java Programming Language, http://java.sun.com/security/seccodeguide.html
• The CERT Oracle Secure Coding Standard for Java,
  https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java

The article is available in OWASP-Turkey Documents. You can download it in the Publications section as well.

SAMM (Software Assurance Maturity Model) is an OWASP project and provides well-structured strategy and guidelines for integration of security within software development processes.

In the 7th issue of Web Security Magazine managed by OWASP-Turkey, I have written an introduction article to SAMM. In this article, I focused mainly on the following topics:

• What is SAMM and what are the main aims of SAMM?
• How is the structure of SAMM? What are the main components (i.e. business functions, security practices, maturity levels, security activities) of SAMM?
• What are the 4 business functions (i.e. governance, construction, verification, deployment)?
• What are the 12 security practices (i.e. strategy&metrics, policy&compliance, education&guidance, threat assessment, security requirements, security architecture, design review, code review, security testing, vulnerability management, environment hardening, operational establishment)?
• How do you apply SAMM within development projects? What are the main SAMM documents/tools (e.g. assessment worksheet, scorecards, roadmap template)?

The article is in Turkish and you can read it in this link. You can download it as pdf from the Publications section of this blog as well.

If you are interested in SAMM and need more information, I would suggest you visiting the following links:

• SAMM web site: www.opensamm.org
• Detailed structure of SAMM: http://www.opensamm.org/downloads/SAMM-1.0.pdf
• SAMM Assessment Worksheet: http://www.opensamm.org/downloads/resources/20090925-SAMM-Assessment-v0.4.xls
• SAMM Roadmap Template: http://www.opensamm.org/downloads/resources/20090610-Samm-roadmap-chart-template.xls