Develop

It's not possible to provide a recipe for writing secure code in a few short and concise articles. However, that doesn't mean it's an insurmountable task reserved for security experts! Everyone developing software at Bouvet should be familiar with the OWASP Top 10, which is a good starting point for understanding the challenges developers face.

The articles under the topic Utvikle (Develop) on this page focus on what happens on a developer's workstation, apart from the code itself. They do not delve into specific attack methods or how to defend against them. You will also find advice on how a team should work to prevent, identify, and fix vulnerable code.

Development Environment, Tools, and Build Environment

The environments and tools we work with are essential for the project, and it is important that we have control over which tools are used and how they are configured.

Secrets

All development projects require secrets such as connection strings, identities, passwords, certificates, and much more. These must be stored securely, and we must ensure that we use them in a secure context with the right support tools and processes.

Data Validation

Data is an attack vector; you should never blindly trust that it is safe, regardless of the source. This also applies when retrieving data from other systems!

Security Practices

There is much to consider when building a secure solution, and an important starting point is the OWASP Top 10.

Software Supply Chain

Everyone who develops software uses third-party packages. Every third-party package is code written by others, and it poses a risk to the delivery if we do not control what we use and lack an overview of the weaknesses and risks associated with it.

Documentation

All development projects must be documented. This is not only important for the continuity of the project but also for documenting security-related measures and any incidents.

Internal Components

If the team relies on internal components such as servers, applications, or other assets managed by the team itself, there must be a routine for keeping these updated.

Security Testing

As with every other aspect of team quality, we depend on testing to verify that we have reached our goal. Security testing is an important part of this, as it allows us to demonstrate that the delivery is not vulnerable to specific attack methods.

Last modified February 7, 2025: Enabled offline search, per #150 (#154) (454023d)