Re: Development team building

[Yousef Syed <yousef.syed () gmail com>]

Hi Cris,
1. You need requirements that stipulate the Security and Quality
aspects of the project; or a team wide policy statement for all
development that stipulates the Security needs.
2. Involve Penetration Testers to cover your security issues.
3. Employ a "Test-First"/"Test-Driven" approach. Test cases need to be
broadened to include security concerns such as XSS or HTML/SQL
injections or Buffer Overflows etc.
4. Unit tests should cover valid, invalid, nulls, boundary conditions
and XSS/SQL injections.

To cover your issue with deliberate bad design/code, then that would
be covered by:
1. Design/Coding standards
2. Regular Design/Code Review sessions (weekly).
3. A robust and patterns based architecture that means that it is
clear both where and how data can be accessed/modified. A rogue
designer would be forced to write their nefarious code in the
presentation, business and data access layers; not to mention the
database stored procedures... Or it would be an ugly bit of code in
only one layer - either way, if your code reviews don't catch it, then
your problems are with an incompetent team lead...

Other things like regular build testing, good automated build scripts
(ant + cruise control), Source control systems etc should also be in
place.

ys

--
Yousef Syed
CISSP

http://www.linkedin.com/in/musashi


On 27 February 2010 22:18, Cris <cryptogrid () gmail com> wrote:
> Hello all, I'd want to know if anyone has any recommendation or
> book/article reference about roles conflicts from information security
> point of view and any other security related consideration in the
> construction of a new development team for a critical application.
> Roughly, team roles would be:
>
> PM
> Leader
> Analysts
> Architects
> Developers
> Testers
>
> I'm aware of the traditional conflicts of interest between roles, like
> for example, a developer shoudn't participate in the project as tester
> testing his own code, but I'm interested on information security
> considerations. For example, How to avoid intentional security
> problems in the design of the application or in the analysis phase?
>
> Regards,
> Cris,
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------