The Paragon Initiative blog has posted a gentle introduction to application security for those new to some of the ideas of secure code and wanting to learn more.
If you are a web developer (or are thinking about teaching yourself web programming), you probably don't think of yourself as a security engineer, or a white-hat/blue-team member of an information security assurance team. You might have considered security threats in the context of quality assurance before (e.g. validating input), but perhaps you're no expert on the subject. But the second your code is deployed in production, your code is the front line of defense for that entire system and quite possibly the entire network. Logically, that means the software you produce must be made reasonably secure.[...] This might seem like a lot of pressure. [...] I'm not going to say you need to become an application security expert. That very notion betrays the (largely untapped) potential for rich diversity in the technology communities. But I will say this: Application Security is Every Developer's Responsibility
They remind developers that there's a lot more than just 10 types of vulnerabilities (or even 25) and proposes a new model for thinking of security weaknesses in your applications. He outlines five points for assessing the security of your apps, not just common vulnerabilities to fix:
- Failure to Separate Data from Instructions
- Unsound Application Logic
- Your Application's Operating Environment
- Cryptographic Weaknesses
The fifth is a catch-all "miscellaneous" category that would contain things that are either crossing the boundaries of the other categories or are just each in their own category. He suggests we move on to a "more secure tomorrow", evaluate our applications along these criteria.