Thomas Konrad

Software Security 101: Secure Coding Basics

What's the biggest security risk in your application? It might not be the code you actually wrote.

Software Security 101: Secure Coding Basics
#1about 15 minutes

Understanding core software security principles and terminology

Key concepts like the CIA triad, technical debt, and design principles provide a shared language for discussing security.

#2about 19 minutes

Evaluating programming languages for security features

Criteria like memory safety, type strictness, and sandbox support help in selecting a language that mitigates entire classes of vulnerabilities by design.

#3about 13 minutes

Implementing secure input and output handling

Proper input validation, canonicalization, sanitization, and context-sensitive output encoding are crucial for preventing injection attacks.

#4about 5 minutes

Avoiding pitfalls in low-level languages and enforcing access control

Low-level languages require manual bounds checking to prevent buffer overflows, while complete mediation ensures access control is checked on every request.

#5about 8 minutes

Applying cryptography and managing user sessions securely

Use standard, well-vetted cryptographic libraries and follow best practices for session management to protect data and user identity.

#6about 9 minutes

Handling concurrency to prevent data integrity issues

Race conditions can lead to data integrity problems, which can be mitigated using techniques like entity versioning or resource locking.

#7about 12 minutes

Understanding common web and API vulnerability classes

Familiarity with lists like the OWASP Top 10 and CWE Top 25 helps in creating targeted protection strategies for specific vulnerabilities like cross-site scripting.

#8about 5 minutes

Managing third-party software dependencies for security

Automating dependency checks for known vulnerabilities is essential because third-party libraries often constitute the majority of an application's code.

#9about 7 minutes

Integrating security into the software development lifecycle

Using a maturity model like OWASP SAM helps shift security left by incorporating activities like threat modeling early in the design phase.

#10about 19 minutes

Key takeaways and resources for continuous security learning

Cultivate a culture of continuous learning by using resources like OWASP Juice Shop and focusing on understanding the entire technology stack.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Building Security Champions48:02

Building Security Champions

Tanya Janca

Maturity assessment for technicians or how I learned to love OWASP SAMM1:41:05

Maturity assessment for technicians or how I learned to love OWASP SAMM

Mathias Tausig

Climate vs. Weather: How Do We Sustainably Make Software More Secure?51:41

Climate vs. Weather: How Do We Sustainably Make Software More Secure?

Panel Discussion

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

From learning to earning

Jobs that call for the skills explored in this talk.