Starting a software security initiative

Wednesday, March 17, 2010 by Erwin

To answer the question Thomas Herlea asked (see his comment on my first post, below), I will try to describe what is needed when you want to start a software security initiative.

First of all: don't call it a software security initiative, it will scare people, especially at C-level :)

If you develop software for a living, "implementing a software security initiative" sounds very expensive, and that is the last thing you want, because you will never get the budget approved. A better approach is to call it "quality assurance": security is an inherent part of quality, and we have to strip away the marketing BS that contaminates the security industry.

Security can be implemented with common sense, without spending a dime, but it requires a robust infrastructure and a solid development framework. That is both the problem and the solution when starting a software security initiative:

  1. Don't rely on external security controls to protect your application. Firewalls, intrusion detection, anti-virus and HTTPS will not fix a vulnerable application: it should run securely out of the box.
  2. Stick with what you know best. If you are a .NET shop, don't install an open-source PHP application on Linux, it will fail. And vice versa!
  3. Define some basic guidelines, based on the OWASP Top 10, that work for your environment. That means translating the OWASP Top 10 risks into something the development team understands and can act on. Everybody knows that cross-site scripting (XSS) and SQL injection are dangerous, but most people don't know how to write code that avoids these vulnerabilities, so make sure you show them real examples: the vulnerable code next to the fixed code.
  4. You don't need the Building Security In Maturity Model (BSIMM) or the OWASP Application Security Verification Standard (ASVS) if you are not a security expert. These are for already established security initiatives that need the "are we going in the right direction" feeling.
  5. Security is about proactive thinking (risk analysis) and reactive incident response when something does happen.
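Here is the kind of "real example" point 3 asks for, as an added illustration that is not code from the original post: SQL injection and XSS, each written the vulnerable way and the safe way, side by side. It uses only the Python standard library (an in-memory SQLite database stands in for the application's database), and the user records and attacker inputs are constructed for the demonstration; the same pattern (bind parameters instead of string concatenation, output encoding instead of raw concatenation) applies in Java, .NET and PHP.

```python
"""Side by side: the two OWASP Top 10 classics, SQL injection and XSS,
written the vulnerable way and the safe way.  Added example, not code from
the original post.  Uses only the Python standard library; the users table
and the attacker inputs are constructed for the demonstration."""
import html
import sqlite3

# Constructed demo data (hypothetical user records).
DEMO_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username: str) -> list:
    """VULNERABLE: the user-supplied value is pasted into the SQL text.
    An input such as  ' OR '1'='1  changes the logic of the WHERE clause
    and the query returns every row instead of one."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username: str) -> list:
    """SAFE: a parameterised query.  The driver binds the value separately
    from the statement, so it can never become SQL, whatever it contains."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted data concatenated into HTML.  A name such as
    <script>alert(1)</script> reaches the browser as markup and runs."""
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    """SAFE for HTML text and quoted attribute values: encode the
    significant characters (& < > " ') so the browser treats the value
    as text.  Other contexts (JavaScript, URLs, CSS) need their own
    encoders; one escaping function does not fit every context."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, payload))  # every user
    print("safe:      ", lookup_user_safe(conn, payload))        # []
    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_safe(xss))
```

Run it as a script to see the two payloads against both versions. The point worth making to a development team is that neither fix involves "validating" the attacker's input: the safe versions accept any string and are still correct, because the data never gets a chance to be interpreted as code.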

Writing this really helps to define the first outline of the book:

  • How to convince your C-Level that you need to do something
  • How to use OWASP, WASC and vendor-related security documents
  • Straightforward guidelines for the most used frameworks like Java, .NET and PHP
  • An easy-to-install and easy-to-configure security architecture, based on open-source tools like ModSecurity, pfSense and Nagios, to detect and block attacks against your web applications

Let's get started

Monday, March 15, 2010 by Erwin

Yes indeed, let's get started. First of all: this is not a real blog but the first page of a new initiative: "Building Secure Web Applications" (BSWA) is born. The main purpose of BSWA is to create an e-book whose content is driven by the interests and problems of the readers, that is YOU!!!

If you want to know how to build a secure web application but you don't know where to start and you don't have time to google it, just ask me. I will make sure that the book has a consistent structure and that all your questions get answered with practical, hands-on information, not just marketing BS and silver bullets. And I will discuss code too, in all possible frameworks and languages. I have seen so much code in the last 10 years in languages like ASP, ASP.NET, Java, C, C++, PHP, ColdFusion and Ruby that I can help with defeating malicious hackers, comment spammers and malware targeting your web applications.

This book will be a living project and will be available in an online version only. But first, let me know what you want to build and what your concerns are. Leave your comments below and I'll start writing...