Because of a requirement in my department (VIP/Automattic), I have had the chance to work through a few security training courses on whitehatsec.com. This post is a concise summary of what I took away from them.
These are the courses I’ve finished:
- OWASP Top Ten for Developers
- Defensive Enterprise Remediation Series
- Integrating Security Throughout the SDLC
- Threat Modeling
The first two courses are the more practical ones for developers, with exploitation examples and fixes. The last two are more about procedure, strategy, and planning.
Some common ideas include:
- Do not trust data provided by users, or anything else that crosses a trust boundary: headers, cookies, URL parameters, and even data read back from your own database.
- Validate input, and escape output for the exact context it lands in (HTML body, HTML attribute, URL, JavaScript, or SQL via parameterized queries). A single generic "sanitize" pass is not enough, because each context has its own special characters.
- Start from the mindset that the code can be attacked at any point and at any level. For example, some people think a firewall is enough to block malicious requests. That is not true: a network firewall filters on addresses, ports, and protocols, so it cannot tell whether a perfectly well-formed HTTP request carries data that is dangerous to your application. Even a web application firewall works from patterns and can be bypassed with a variant it does not recognise, so input handling has to live in the application itself.
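The following is an added example, not code from the post or from the WhiteHat courses, that puts the three ideas above into working Python. It shows a naive blocklist filter (standing in for "the firewall will catch it") missing most of a handful of constructed payloads, the same payloads being neutralised by context-specific output escaping, and a string-built SQL query being bypassed where a parameterized one is not. The in-memory SQLite table, the payload list, and all function names are constructed for the example; in WordPress the equivalent tools are esc_html(), esc_attr(), esc_url(), and $wpdb->prepare().

```python
import html
import re
import sqlite3
from urllib.parse import quote

# Constructed sample inputs for the demo (not taken from any real traffic).
PAYLOADS = [
    "<script>alert(1)</script>",              # the one case the blocklist knows
    "<img src=x onerror=alert(1)>",           # XSS without a <script> tag
    '" autofocus onfocus=alert(1) x="',       # breaks out of an attribute
    "' OR '1'='1",                            # classic SQL tautology
    "O'Brien",                                # legitimate data with a quote
]

# A naive "perimeter" style filter: it knows one bad token and nothing about
# the context the data will end up in. This is the firewall mindset.
BLOCKLIST = re.compile(r"<script", re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """True if the blocklist would reject this value."""
    return bool(BLOCKLIST.search(value))


def render_comment_unsafe(author: str) -> str:
    # Vulnerable: untrusted data concatenated straight into HTML.
    return f'<p class="author">{author}</p>'


def render_comment_safe(author: str) -> str:
    # Hardened: escape for the HTML text context at output time.
    return f'<p class="author">{html.escape(author)}</p>'


def render_attr_safe(author: str) -> str:
    # Attribute context: quotes must be escaped too (quote=True is the default).
    return f'<input name="author" value="{html.escape(author, quote=True)}">'


def render_link_safe(author: str) -> str:
    # URL context: percent-encode; HTML escaping alone is the wrong tool here.
    return f'<a href="/users/{quote(author, safe="")}">profile</a>'


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the value becomes part of the SQL text.
    cur = conn.execute(f"SELECT id FROM users WHERE name = '{name}'")
    return cur.fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: bound parameter, the driver never parses the value as SQL.
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def demo() -> dict:
    """Run the comparisons and return the observable results."""
    results = {}

    # 1. The blocklist only catches the literal <script> payload.
    results["filter_misses"] = [p for p in PAYLOADS if not naive_filter_blocks(p)]

    # 2. Output escaping handles every payload, including the ones the filter missed.
    results["safe_html"] = render_comment_safe(PAYLOADS[1])
    results["safe_attr"] = render_attr_safe(PAYLOADS[2])
    results["safe_link"] = render_link_safe(PAYLOADS[4])

    # 3. String-built SQL vs. parameterized SQL against a constructed table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    results["unsafe_rows"] = len(lookup_user_unsafe(conn, PAYLOADS[3]))  # every row
    results["safe_rows"] = len(lookup_user_safe(conn, PAYLOADS[3]))      # no row
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to notice is that the blocklist rejects only the payload it was written for, while escaping at the output boundary does not need to know which payloads exist at all; it only needs to know the context it is writing into.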
If you would like to deepen your knowledge of your specific platform and languages, it is still worth looking at their security guides and training. You can try fixing security issues on your own, but it is always better to use methods and libraries that have been proven effective at preventing them.
For WordPress, these are good resources:
The last two courses provide ideas and tools for putting security into practice in your organization.
I found them overlapping each other quite a bit, but it was still good to learn. These two courses were totally new to me. Generally, to build security procedures into your Software Development Life Cycle (SDLC) and your organization, you need a formal checklist and model to assess, detect, and qualify potential security issues.
Also, the OWASP Software Assurance Maturity Model (SAMM) is worth reading.
Finally, at any organization, I think the most important thing is still the leaders’ mindset regarding security. Without a correct mindset and an understanding of its importance, no theory can be executed properly.
Some quick links and keywords
- SAST (Static application security testing)
- DAST (Dynamic application security testing)
- Threat Modeling
- Rainbow table attacks
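As an added illustration of the last keyword (not from the post or the courses), the Python below shows why precomputed hash tables work against unsalted password hashes and why a per-user salt with a slow key derivation function defeats them. It builds a plain lookup table, which is the simplest form of the precomputation that a real rainbow table compresses into hash chains; the password list, the hash format, and all function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed list of "common" passwords an attacker would precompute.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "wordpress"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fixed hash per password, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates: list) -> dict:
    """Precompute hash -> password once; reusable against every leaked database."""
    return {unsalted_md5(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """A leaked unsalted hash is recovered with a single dictionary lookup."""
    return table.get(stored_hash)


def hash_password_salted(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """The stronger scheme: random per-user salt plus a slow, iterated KDF.

    Stored as algorithm$iterations$salt_hex$dk_hex so verification can recover
    the parameters. Format is this example's own, not a standard one.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations: int = 2_000) -> dict:
    """Compare both schemes on the same leaked password. Low iteration count for speed."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Two users who chose the same password.
    leaked_a = unsalted_md5("letmein")
    leaked_b = unsalted_md5("letmein")

    salted_a = hash_password_salted("letmein", iterations)
    salted_b = hash_password_salted("letmein", iterations)

    return {
        # The attacker never runs MD5 at crack time: one lookup per leaked hash.
        "cracked": crack_unsalted(leaked_a, table),
        # Identical hashes also leak that the two users share a password.
        "unsalted_identical": leaked_a == leaked_b,
        # With random salts the same password stores differently per user, so
        # a table would have to be rebuilt for every salt value.
        "salted_identical": salted_a == salted_b,
        "verify_ok": verify_password("letmein", salted_a),
        "verify_wrong": verify_password("password", salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The salt does not need to be secret; its job is to make every stored hash unique so that precomputation cannot be shared across users or across breaches, while the iteration count makes each guess expensive.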