On this page, we have gathered some resources for development teams to help improve security. We address each assurance technique in turn. Note that we may receive a token commission on referrals.
OWASP maintains a large list of tools; G2 and Analysis.dev offer recommendations; Thomas Scanlon has written suggestions on how to choose between them.
CREST, the UK industry body for penetration testers, lists its approved suppliers here, including providers worldwide.
There is a description of this vital activity here, and detailed instructions in the second DSE workshop materials. Other approaches include anti-personas, attacker stories (Agile Application Security, Chapter 7) and adversary personas. Running the exercise in a game format also works well.
Two tools lead the market for scanning websites for vulnerabilities: Detectify and Acunetix. Others are on OWASP's list, though many of those require professional skills to use. Bear in mind that an automated scanner finds only certain classes of problem (typically injection flaws, misconfigurations and known-vulnerable components), so treat a clean scan as a starting point rather than a clean bill of health.
Check out Michael Lynch's article on doing code reviews here. We have guidelines and resources here. The book Agile Application Security has a chapter on the subject.
The activities Product negotiation, Contingency plan, Security champion, Standardisation and On-the-job training are team-based. For support with them we recommend the resources below.
'Agile Application Security' is the book we wish had existed when we first looked for software security advice. It provides a good introduction to software security for application developers, and to agile software development for security experts, and explores a range of issues. Though it assumes that security experts are available to work with each development team, it is easy to read and contains invaluable practical advice, including recommendations on tools to use.
'Threat Modelling' sets out to be, and succeeds in being, the definitive guide to threat modelling. Based on the author's extensive experience at Microsoft, it is aimed at security experts and assumes more technical knowledge than many software developers will have; but the writing is approachable to anyone, and this is definitely a book to have on your shelf.
Threat Modeling: Designing for Security, by Adam Shostack. Wiley 2014
The standard online starting point for 'technical security' aspects of code:
Though not specific to software development, this monthly email of links to security-related news stories is one of the most widely-used resources for software developers who want to keep up to date with security issues.
With these resources you can keep your knowledge of the best ways to achieve secure software development up to date.
May success attend your efforts! And please let us know how you get on, and what might help us improve this work for other readers.