- Read up on security for the technologies you will be using to produce the final information system being developed (i.e. the solution):
- C++, C, Java, ... : there are whole books on security for each of them
- JEE, .NET and other enterprise application frameworks
- RDBMS and other entity persistence mechanisms
- Other common core system components, such as:
- Application servers (JBoss and the like)
- Web servers (Apache, IIS and the like)
- Operating systems
- Anything else your system reuses (drivers, hardware, ...).
- Make sure everything above is patched (regularly) and that whatever you program (and configure) is secure in light of what you (regularly) read.
Remember to:
- Subscribe to newsletters on the topic (or follow the proper newsfeeds / groups) to help you keep up to date
- Use the proper frameworks to help you treat security as a process, for example:
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
- Use the proper tools to help you run security assessments before release, and raise every relevant (code) issue they find.
- Reuse the invaluable resources (with guidelines and concrete checklists for specific technologies) like the following (take your time exploring them properly and use whatever suits you):
The bottom line:
Security is a process: change one line of code (or one system component) and you may have changed the security characteristics of the system as a whole. Remember that a system is only as strong as its weakest link (and you do not want to be the one who built that link).
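As an added illustration of the "keep reused components patched" and "run checks before release" points above (this is example code written for this page, not something the original page or any project ships), here is a small release gate that reads a pip-style requirements manifest and flags every reused component that is either pinned below a minimum version you consider patched or not pinned at all. The advisory table and the sample manifest are constructed placeholders: the package names are real, but the version numbers are hypothetical and would in practice come from the advisory feeds you subscribe to.

```python
"""Release gate: flag reused components pinned below a known-safe version.

Added example for this page, not code from the original page or any project.
MIN_SAFE_VERSION and SAMPLE_REQUIREMENTS are constructed for illustration; a
real gate would read the manifest from the repository and the minimum versions
from an advisory feed.
"""
import re
from typing import Dict, List, Tuple

# Constructed table: package -> lowest version you consider patched.
# The version numbers are hypothetical placeholders, not real advisory data.
MIN_SAFE_VERSION: Dict[str, str] = {
    "requests": "2.31.0",
    "pyyaml": "6.0.1",
    "jinja2": "3.1.3",
}

# Constructed sample manifest in pip requirements style (not a real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project manifest
requests==2.25.1
PyYAML==6.0.1
Jinja2>=3.0
cryptography==42.0.5   # not in the advisory table: passes
"""

# name, optional comparison operator, optional version
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.31.0' into (2, 31, 0); a non-numeric piece ends the tuple."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_below(v: str, minimum: str) -> bool:
    """True when v < minimum, padding with zeros so '2.31' equals '2.31.0'."""
    a, b = parse_version(v), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def check_requirements(text: str, table: Dict[str, str] = MIN_SAFE_VERSION) -> List[Tuple[str, str, str]]:
    """Return (package, version, reason) for every line that fails the gate."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append((line, "", "unparseable requirement"))
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        if name not in table:
            continue  # nothing known about this component: it passes
        if op != "==" or version is None:
            # A floating pin can resolve to anything at install time, so the
            # gate cannot prove the installed build is patched.
            findings.append((name, version or "", f"not pinned with ==; minimum safe is {table[name]}"))
            continue
        if version_below(version, table[name]):
            findings.append((name, version, f"below minimum safe version {table[name]}"))
    return findings


def gate(text: str) -> bool:
    """True when the manifest passes (no findings); use as the CI exit status."""
    return not check_requirements(text)


if __name__ == "__main__":
    for pkg, ver, why in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"FAIL {pkg} {ver}: {why}")
    raise SystemExit(0 if gate(SAMPLE_REQUIREMENTS) else 1)
```

Run it as a pre-release step and fail the build when it exits non-zero; the two findings on the sample manifest are the outdated `requests` pin and the unpinned `Jinja2` range. Treat the table as something you maintain from the feeds you follow, and raise each finding as a code issue rather than silently bumping the version.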
(@2016-11-15: minor rephrases, formatting)