The following resources are recommended by Information Assurance (IA) as credible sources of information and learning for those who need to do secure coding.
U-M subscribes to the “Gartner for Technical Professionals” (GTP) online research service, which is available to U-M staff in IT job families. The database contains articles covering a wide array of technology topics, including several on application security, such as Adopt a 'Shift Left' Approach to Testing to Accelerate and Improve Application Development, Approaches for Securing Application Development Environments and Artifacts, and How to Integrate Application Security Testing Into a Software Development Life Cycle.
The Open Web Application Security Project (OWASP) is an online community that produces articles and tools, free to the public, in support of web application security. For example, their Secure Coding Practices - Quick Reference Guide “is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle.” OWASP is perhaps best known for its Top Ten Project, a regularly updated awareness document for web application security that describes the most critical security risks to web applications.
Defensive Coding Guide
From the Fedora Project, the Defensive Coding Guide provides guidelines for improving software security through secure coding. It covers common programming languages and libraries, and focuses on concrete recommendations.
Through an agreement between U-M and LinkedIn Learning, benefits-eligible faculty and staff have free access to a range of LinkedIn Learning training videos, including several that address aspects of application security. Suggested titles include:
- Developing Secure Software, with Jungwoo Ryoo
- DevSecOps: Building a Secure Continuous Delivery Pipeline, with James Wickett
- DevSecOps: Automated Security Testing
- DevOps Foundations: DevSecOps
Current U-M students, faculty, and staff are granted unlimited access to O'Reilly Safari Online, which offers a vast collection of books and videos on technology topics. Titles on application security include:
- Security Principles for PHP Applications, by Eric Mann (book)
- PHP Security (video)
- Node Security, by Dominic Barnes (book)
- Node.js Application Security (video)
- Web Security: Common Vulnerabilities And Their Mitigation (video)
- Securing Open Source Libraries (video)
- Secure Coding Rules for Java, Part I, by Robert Seacord (book)
- Secure Coding Rules for Java: Serialization, by Robert C. Seacord (book)
- The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, by Marcus Pinto, Dafydd Stuttard (book)