| Web application security and the PCI DSS
Web application firewalls and code reviews, detailed, manual, automatic or otherwise, are good components of an application security program. They are not, however, the only components. Experts stress that security must be integrated into the entire software development lifecycle.
Tip: Secure software measures: Their strengths and limitations: Greg Reber evaluates security processes in depth, including the methods recommended by requirement 6.6. Like most application security experts, he recommends a holistic approach to security.
Tip: Web application hacking: Inside the mind of an attacker: App security expert Kevin Beaver emphasizes that a malicious mindset is the key to a good security analysis. He includes many specific examples where security professionals may apply this technique.
Tip: Secure SDLC: Integrating security into your software development lifecycle: This is a heavily detailed and hyperlinked guide from Anurag Agarwal that explains how organizations can incorporate security practices into their SDLC.
Article: Application security shouldn't involve duct tape, Band-Aids or bubble gum: Application security involves integrating security into the SDLC. And it involves security professionals, risk mitigation, and data protection, at least. Joe Basirico breaks the development lifecycle down by phase: requirements gathering, requirements authoring, design, development, testing, release, and documentation.
Expert advice: Web application security testing basics: Expert Dan Cornell breaks down security testing techniques, how to use them, what they do, and when they are applicable.
Learning Guide: Application security testing techniques: This guide covers the major app sec testing techniques, such as vulnerability assessment, penetration testing, fuzz testing, obfuscation and, of course, source code analysis.
Expert advice: Application security careers have bright future: Dan Cornell explains why application security professionals are going to be needed in greater numbers than ever before.
Tip: Writing software requirements that address security issues: The requirements phase is the first opportunity for integration of security in the SDLC. Kevin Beaver outlines how to approach this process.
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send associate editor Jennette Mullaney an e-mail at firstname.lastname@example.org and let her know what they are.
Dig deeper on Building security into the SDLC (Software development life cycle)