OWASP Security Knowledge Framework

In this talk (embedded below), brothers Glenn ten Cate and Riccardo ten Cate identify issues in current secure coding practices. They show how to use the Open Web Application Security Project’s security knowledge framework to build apps that are secure by design.

Secure Software Development Life Cycle (SSDLC)

DevOps is more achievable than ever, with plenty of available materials on what it is and how to get started with it. But how should you incorporate security into it? This is the challenge of DevSecOps and the subject of a talk by Glenn and Riccardo.

The secure software development life cycle is a method to help web and app developers establish best practices at each stage of product development. What are the parts of this method, and why does it make sense to use it?


An SSDLC relies on four parts:

  1. Security requirements
  2. Test automation and code quality checks
  3. Security test automation
  4. Manual verification

Let’s talk about each of these in turn.

Security Requirements

It’s critical that you gather security requirements before starting work. Otherwise, you’ll miss requirements and struggle to secure your application at the end.

Test Automation and Code Quality Checks

Dead-end code, overly complex code, and repudiated code each present potential vulnerabilities. Automated checks find these far more reliably than a manual review of the code base.

Security Test Automation

Security test automation is common in DevOps processes and comes in two flavors: static analyzers (SAST) look at source code, and dynamic analyzers (DAST) inspect a running application. That said, they detect only about 20% of the 280 controls in the OWASP application security verification system.

In addition, these analyzers present two more challenges beyond struggling to find vulnerabilities. First, you must verify all findings manually. Second, running the analyzers requires architecture considerations such as containers to run the applications, plus (Read more...)
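The following Python script is an added illustration of what the two automated stages above (code quality checks and static security analysis) actually do; it is not code from the talk, from Sonatype, or from the Security Knowledge Framework. It parses a constructed sample module with Python's standard `ast` module and reports three kinds of findings: dead-end code after a `return` or `raise`, functions whose cyclomatic complexity exceeds a limit, and a typical SAST rule (a `subprocess` call with `shell=True`). The rule names, the complexity limit of 5, and the sample module are assumptions. The `confidence` field exists because, as the post notes, every static finding still has to be verified by a person; the last function in the sample passes a constant command and is there as a deliberate low-confidence hit that a reviewer would likely close as a false positive.

```python
"""Minimal AST-based static checker (added illustration, not a real SAST tool)."""
import ast
from dataclasses import dataclass

# Constructed sample module: one dead-end statement, one over-complex
# function, one real shell=True hit and one likely false positive.
SAMPLE_SOURCE = '''
import subprocess

def lookup(user):
    return user
    print("never reached")          # dead-end code after return

def classify(n):
    if n < 0:
        return "neg"
    elif n == 0:
        return "zero"
    elif n < 10:
        return "small"
    elif n < 100:
        return "medium"
    elif n < 1000:
        return "large"
    else:
        return "huge"

def run(cmd):
    return subprocess.run(cmd, shell=True)       # variable command

def run_fixed():
    return subprocess.run("ls -l", shell=True)   # constant command
'''

COMPLEXITY_LIMIT = 5  # assumed threshold for the code-quality rule
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass
class Finding:
    rule: str
    line: int
    message: str
    confidence: str  # "high" or "low"; every finding still needs a human look


def _statement_lists(node):
    """Yield every list of statements (function body, if/else branches, ...)."""
    for sub in ast.walk(node):
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(sub, field, None)
            if isinstance(stmts, list) and stmts and isinstance(stmts[0], ast.stmt):
                yield stmts


def find_dead_code(func):
    """Statements that follow a return/raise in the same block can never run."""
    found = []
    for stmts in _statement_lists(func):
        for i, stmt in enumerate(stmts[:-1]):
            if isinstance(stmt, (ast.Return, ast.Raise)):
                kind = type(stmt).__name__.lower()
                found.append(Finding("dead-code", stmts[i + 1].lineno,
                                     f"{func.name}: unreachable statement after {kind}", "high"))
                break
    return found


def cyclomatic_complexity(func):
    """1 + number of decision points (branches, loops, handlers, boolean operators)."""
    nodes = list(ast.walk(func))
    branches = sum(isinstance(n, (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp))
                   for n in nodes)
    branches += sum(len(n.values) - 1 for n in nodes if isinstance(n, ast.BoolOp))
    return 1 + branches


def find_shell_true(func):
    """SAST rule: subprocess.<func>(..., shell=True); constant commands get low confidence."""
    found = []
    for node in ast.walk(func):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "subprocess" and f.attr in SUBPROCESS_FUNCS):
            continue
        shell = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
        if not (isinstance(shell, ast.Constant) and shell.value is True):
            continue
        cmd = node.args[0] if node.args else None
        constant_cmd = isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)
        found.append(Finding("shell-true", node.lineno,
                             f"{func.name}: subprocess.{f.attr} with shell=True",
                             "low" if constant_cmd else "high"))
    return found


def analyze(source):
    """Run all rules over every function in the module; findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            findings += find_dead_code(node) + find_shell_true(node)
            cc = cyclomatic_complexity(node)
            if cc > COMPLEXITY_LIMIT:
                findings.append(Finding("complexity", node.lineno,
                                        f"{node.name}: cyclomatic complexity {cc} > {COMPLEXITY_LIMIT}", "high"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"{f.line:>3} [{f.rule}/{f.confidence}] {f.message}")
```

Running it lists four findings: the unreachable `print`, the over-complex `classify`, and two `shell=True` hits of which only the variable-command one is high confidence. The point of the split is the triage step the post calls for: the tool narrows where a reviewer looks, but closing or confirming each finding remains manual work.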

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Daniel Longest.