Recommendation and References

Additional General Practices and Resources

• Clearly define roles and responsibilities

• Provide development teams with adequate software security training

• Implement a secure software development lifecycle: OWASP CLASP Project

• Establish secure coding standards: OWASP Development Guide Project

• Build a re-usable object library: OWASP Enterprise Security API (ESAPI) Project

• Verify the effectiveness of security controls: OWASP Application Security Verification Standard (ASVS) Project)

• Establish secure outsourced development practices including defining security requirements and verification methodologies in both the request for proposal (RFP) and contract. OWASP Legal Project

External References

• Refer Secure Coding Guidelines for Java SE from Oracle
• Common Weakness Enumeration (CWE)
• SQL Injection Cheat Sheet
• Cross Site Scripting (XSS) Cheat Sheet
• Sans and TippingPoint "The Top Cyber Security Risks"
• Web Application Security Consortium
• Department of Homeland Security - Build Security in Portal
• CERT Secure Coding
• MSDN Security Developer Center
• Secure Coding Guidelines for Java SE

Security Advisory Sites to check for known vulnerabilities against supporting infrastructure and frameworks

• Secunia Citrix Vulnerability List
• Security Focus Vulnerability Search
• Open Source Vulnerability Database (OSVDB)
• Common Vulnerability Enumeration