Pointers to specific commercial and non-commercial material are provided at the risk of errors of omission. This is a very active field; it is likely impossible to develop comprehensive lists, and such an attempt would distract from the ‘program level’ message of this site. The material is therefore presented in the spirit of “there is lots more where this came from.” The reader is urged to use Web search tools to look for additional resources that may better meet their needs.
Informational Web Sites
- https://owasp.org OWASP (Open Web Application Security Project) is an important ‘original’ source of unbiased information and guidance about application security. Their focus, as the name suggests, is on Web applications, but the lessons are generally applicable. OWASP is best known for the “top 10” lists, but there is a lot more beyond that. Many commercial tools, services, and training build on OWASP, and OWASP itself makes several useful tools available.
- https://nvd.nist.gov The US National Vulnerability Database is the leading source for ‘published’ vulnerabilities. Many tools leverage automated feeds from this database to help identify vulnerable software.
- https://nvd.nist.gov/vuln-metrics/cvss. This is the authority on vulnerability scoring rules. A good understanding is foundational for the creation of a vulnerability response policy.
- https://www.nist.gov/publications/mitigating-risk-software-vulnerabilities-adopting-secure-software-development-framework. Also note the new draft: Draft NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.
- https://www.nist.gov/publications More generally, the NIST publication site has quite a number of security-related publications.
- https://www.bsa.org/files/reports/bsa_framework_secure_software_update_2020.pdf.
- https://www.cisecurity.org/. CIS focuses more on OS configuration considerations and less on underlying application security.
- https://www.microsoft.com/en-us/securityengineering. A pointer to Microsoft SDL and related information.
- https://www.bsimm.com/
- Security Pillar – AWS Well-Architected Framework – Security Pillar (amazon.com)
Tools
Static Code Analysis
- List of tools for static code analysis – Wikipedia. This site provides an extensive listing of available open source and commercial static analysis tools. The site does not provide a lot of guidance on the tools’ security prowess. The number of tools listed is impressive, but the presentation should not be taken as conclusive. For example, it does not include Fortify, and it does not call out SonarQube in its Java subsection.
- Best Static Code Analysis Tools in 2021 | Compare Reviews on 80+ | G2. This also provides an extensive listing of tools with a bit more focus on trying to rate them. The related page: Best Static Application Security Testing (SAST) Software in 2021 | G2 is similar and covers many of the same tools.
- The Fortify Static Analysis tool is a legacy commercial tool originally developed by HP. Static Code Analyzer | Static Code Analysis Security | CyberRes (microfocus.com). The tool supports a large number of languages and boasts substantial security capabilities.
- The Coverity analysis tool is a legacy commercial tool originally developed by Coverity corporation (now a part of Synopsys). Coverity SAST Software | Synopsys. The tool supports a large number of languages and boasts substantial security capabilities.
- The Sonar family of analysis tools: Code Quality and Code Security | Developers First | SonarSource is a combined open-source/commercial model. Unlike many other tools marketed in this fashion, the open-source capabilities are quite robust – especially for Java and Java-based languages.
- The Veracode static analysis tool was designed from the ground up with a security focus: Static Analysis (SAST) | Veracode. Depending on the language being scanned it uses either debug images or source code as input.
- TSLint/ESLint. TSLint is the original TypeScript linting framework. It has been deprecated in favor of ESLint: GitHub – typescript-eslint/typescript-eslint: Monorepo for all the tooling which enables ESLint to support TypeScript. It is presented here as an example of the excellent language-specific solutions that often exist.
Software Composition Analysis
- Best Software Composition Analysis Tools in 2021 | G2. This site reviews a large number of available solutions.
- The Black Duck scanner was originally developed by Black Duck corporation, which has since been acquired by Synopsys: Black Duck Software Composition Analysis (SCA) | Synopsys. This scanner takes a number of different types of artifacts as input, ranging from complete binary images to code snippets.
- The WhiteSource scanner: Our Technology | WhiteSource Software identifies components based first on matching SHA1 values; it then falls back to various heuristics, including SHA1 matches of individual source files. This scanner does not concern itself with code snippets.
Security Scanners
- Best Vulnerability Scanner Software in 2021: Compare Reviews on 80+ | G2 reviews a number of different vulnerability scanners.
- The Qualys scanner: Vulnerability Management | Qualys, Inc. considers the system from both an OS and an application perspective, as it also has support for dynamic web app scanning.
- The Nessus scanner: https://www.tenable.com/products/nessus/nessus-professional has one of the longest pedigrees. It focuses on the system from the OS perspective, looking for malware, installed packages, open ports, etc.
Dynamic Application Security Testing Tools
- Best Dynamic Application Security Testing (DAST) Software in 2021 | G2 reviews a number of different DAST tools.
- Burpsuite: Burp Suite – Application Security Testing Software – PortSwigger is not present on the list above, but it probably should be. A limited community edition is extended by several commercial variants.
Training
There are a few vendors with focused yet comprehensive application security material. For example:
- Security Training Course Catalog | Security Innovation
- Application Security Training | Synopsys
- Developer Enablement | Veracode
You may find that one of these vendors can provide a one-stop shop for application security training – especially if you are just kicking off a program.
Application security training is also available from a wide range of other free and commercial sources. All of the major commercial e-learning platforms have training in this space, but since their offerings tend to be a lot broader, you often need to search for what you want.
Security Services
- There are many, many security vendors, as we can see from this list: https://www.g2.com/categories/cybersecurity-consulting (close to 200 vendors).
- This list seems to boil it down to a more manageable level: Top Application Security Vendors for 2021 | eSecurity Planet (10 vendors, with a number of familiar faces).
These vendors generally have a portfolio of skills that can be applied to various needs such as:
- Vulnerability Assessment & Penetration Testing
- Threat modeling
- Process review and improvement
Security Vendors
Top Application Security Vendors for 2021 | eSecurity Planet briefly repeats the portfolio statements for a number of different vendors. Two of them stand out for particularly broad portfolios (a wide range of tools, training, and consulting services). If you are putting together a vendor selection matrix for a specific need, they can probably get you started with one or two columns:
- Synopsys: Synopsys Software Integrity
- Veracode: Veracode
Text Books
- Secure Coding in C and C++, Robert C. Seacord. This textbook dives into the details of potential vulnerabilities in the C and C++ code that underlies the Linux operating system and many other important software systems. The depth and breadth of material make it a logical next step in training after available commercial web-based training; as a bonus the reader is almost certain to gain a better understanding of the languages themselves.
- Writing Secure Code, Second Edition, Michael Howard and David LeBlanc. This book was originally published 20 years ago, but most of the material is as relevant today as it was then. The book covers ‘code-level’ issues but also lots of concerns at the design level. Coming out of Microsoft in the early 2000s, it is a bit MS-Windows centric in its examples. It is a “security classic,” something that security-oriented professionals will appreciate. Today, it may not make sense to recommend it to a wider staff (as Microsoft did shortly after it was written).
- The Security Development Lifecycle, Michael Howard. This excellent book introduced the Microsoft SDL to the outside world. The book is still available on the used market, but unfortunately it is no longer in print. Fortunately, Microsoft makes this material and much more available at their SDL site: https://www.microsoft.com/en-us/securityengineering/sdl
- Cryptography and Network Security – Principles and Practice, William Stallings. This dense book is written in a fashion consistent with use in an upper or graduate level college course. It provides a strong background in Cryptography.
- Threat Modeling: Designing for Security, Adam Shostack. This book out of Microsoft focuses on the STRIDE approach to threat modeling. The book does an excellent job of motivating threat modeling and then walking the reader through the mechanics of actually doing it. The material builds on the earlier presentation of threat modeling in Writing Secure Code. Microsoft has quite a lot of material on-line supporting it: https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
- Mastering Kali Linux for Advanced Penetration Testing – Third Edition, Vijay Kumar and Robert Beggs. This book is representative of a number of books on penetration testing (there is also a small industry creating pen-testing courseware). None of this material is going to make one a pen-testing expert but it does provide a good sense of the tools available to the offense and the basic approach to be followed.
- Linux Forensics – with Python and Shell scripting, Dr. Philip Polstra. This book provides a reasonable overview of forensic mechanics.
- Mastering Linux Security and Hardening: Protect your Linux System from malware attacks and other cyber threats – 2nd Edition, Donald A Tevault. This book reviews the many things that can be done to harden the OS. Much of this is configuration of the OS itself but some of it also impacts applications written on top of the OS.
- Iron-Clad Java: Building Secure Web Applications, Jim Manico and August Detlefsen. This book is roughly the Java counterpart to Secure Coding in C and C++.