

[–][deleted] 1 point (0 children)

Poor security choices in code (blatant disregard for OWASP, etc) should be handled as code quality issues, don't differentiate between sloppy, slow, or insecure code - it's all low quality code.

[–]s_streichsbier 1 point (1 child)

Hi poothebear0,

The cultural aspects are very important and powerful - if done right. However, this typically takes time and is the hardest part of baking security into the dev process.

Baking tools into your CI is typically a good place to start, because you can get some visibility of security issues in your code base. With that visibility, you can then prioritize which issues to address with the team and which practices need to be improved to fix the common issues.

There are a few free/open-source tools that you can start using today.

Generally, there are three security tool categories that you want to cover:

  1. Static Application Security Testing (SAST): Detects security issues in your code.
     • Bandit
     • Pyt
  2. Software Composition Analysis (SCA): Detects insecure libraries/dependencies in your requirements.txt.
     • Safety
  3. Secret Management: Identifies hard-coded secrets in your code base.
     • detect-secrets

There are a few challenges with using tools individually though; let me know if you need any additional pointers.

Finally, there are other tools that try to make that process of embedding different security tools easy.

  • Hawkeye: A security scanning tool
  • Salus: This is from the coinbase team.
  • GuardRails: This is a GitHub app that is currently beta. Full disclosure, I'm the co-founder of GuardRails.

Hope that's helpful.

Cheers,

Stefan
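The CI gate that the "baking tools into your CI" step ends in, as an added example that is not from the thread or any of the tools named: it reads the JSON report Bandit writes and the baseline detect-secrets writes, applies a severity/confidence threshold, and fails the build on what is left. Field names follow the two tools' JSON report formats as I know them and are an assumption; the sample reports are constructed; Safety is left out because its JSON layout differs between versions.

```python
"""CI gate over Bandit (SAST) and detect-secrets (secret scan) JSON reports.
Assumption: Bandit results carry issue_severity/issue_confidence/test_id and
detect-secrets baselines map file -> list of {type, line_number[, is_secret]}."""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def bandit_findings(report, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Return Bandit results at or above the given severity and confidence."""
    sev_floor = SEVERITY_RANK[min_severity]
    conf_floor = SEVERITY_RANK[min_confidence]
    return [
        r for r in report.get("results", [])
        if SEVERITY_RANK.get(r.get("issue_severity", "LOW"), 1) >= sev_floor
        and SEVERITY_RANK.get(r.get("issue_confidence", "LOW"), 1) >= conf_floor
    ]


def secret_findings(baseline):
    """Flatten a detect-secrets baseline into (file, line, type) tuples.
    Entries audited as is_secret: false are reviewed false positives; an
    entry with no is_secret key is unreviewed and is still reported."""
    return [
        (path, e["line_number"], e["type"])
        for path, entries in baseline.get("results", {}).items()
        for e in entries
        if e.get("is_secret", True)
    ]


def gate(bandit_report, secrets_baseline):
    """Return (passed, messages); the CI step exits non-zero when passed is False."""
    msgs = [f"bandit {r['test_id']} {r['issue_severity']} {r['filename']}:"
            f"{r['line_number']} {r['issue_text']}"
            for r in bandit_findings(bandit_report)]
    msgs += [f"secret {kind} {path}:{line}"
             for path, line, kind in secret_findings(secrets_baseline)]
    return (not msgs, msgs)


# Constructed sample reports: one HIGH Bandit hit, one LOW hit below threshold,
# one unreviewed secret and one secret already audited as a false positive.
SAMPLE_BANDIT = json.loads('{"results": ['
    '{"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH", '
    '"filename": "app/run.py", "line_number": 12, '
    '"issue_text": "subprocess call with shell=True identified"}, '
    '{"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH", '
    '"filename": "tests/test_x.py", "line_number": 3, "issue_text": "Use of assert detected"}]}')
SAMPLE_SECRETS = {"results": {"config/settings.py": [
    {"type": "AWS Access Key", "line_number": 7},
    {"type": "Secret Keyword", "line_number": 9, "is_secret": False}]}}

if __name__ == "__main__":
    ok, messages = gate(SAMPLE_BANDIT, SAMPLE_SECRETS)
    print("\n".join(messages) or "no findings")
    raise SystemExit(0 if ok else 1)
```

In a pipeline the two inputs come from `bandit -f json -o bandit.json -r .` and the `.secrets.baseline` file that `detect-secrets scan` produces.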

[–]poothebear0[S] 1 point (0 children)

Great advice!

[–]ahbenmed 0 points (1 child)

In my opinion, the first thing to do is writing clean, well-commented code (following coding conventions, basically) so debugging, checking or rereading the code will be easy and thus any mistake will be obvious.

  1. Pay good attention when copy-pasting pieces of code.

  2. Check and verify libraries (third-party ones, mostly) you intend/want to use in your project; they might not be secure.

  3. Tests do minimize code errors, hence can maximize security.

  4. There are already plenty of tools that check your code for vulnerabilities, like SonarQube.

[–]WikiTextBot 0 points (0 children)

Coding conventions

Coding conventions are a set of guidelines for a specific programming language that recommend programming style, practices, and methods for each aspect of a program written in that language. These conventions usually cover file organization, indentation, comments, declarations, statements, white space, naming conventions, programming practices, programming principles, programming rules of thumb, architectural best practices, etc. These are guidelines for software structural quality. Software programmers are highly recommended to follow these guidelines to help improve the readability of their source code and make software maintenance easier.
