Defensive Wall 1: Summary
The single most effective step in thwarting attacks is to design applications and develop code with fewer security flaws and stronger security features. There are a number of mature security tools that can find vulnerabilities in software and greatly reduce the time spent mitigating those weaknesses.
Defensive Wall 1: Proactive Software Assurance
1.1 Source Code and Binary Code Testing Tools and Services
These tools search through code with the goal of finding potential vulnerabilities and other security weaknesses. Since they don't require a complete software system, these tools can be used to test code during development or integration.
Compliance Mandates: PCI/DSS 6.3.6, 6.3.7, 6.6; SOX A12.8; GLBA 16 CFR Part 314.4(b) and (2); FISMA RA-5, SC-18, SA-11, SI-2; and ISO 27001/27002 (12.4.1, 12.4.3, 12.5)
Tools:
Ounce Labs: Ounce 6
Fortify 360
Veracode Code Auditing Services
HP WebDevinspect
1.2 Application Security Scanners (Black Box Scanners)
These tools detect common programming errors in Web-based applications. While tools should be part of the solution, skilled humans are the key to finding the lower-level vulnerabilities that more targeted attacks will exploit.
Compliance Mandates: PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2
Tools:
HP WebInspect
Acunetix: Web Vulnerability Scanner
Rapid7: NeXpose
IBM: Rational AppScan
Nikto/Wikto (Free)
Paros (Free)
WebScarab (Free)
1.3 Application Security Skills Assessment & Certification
Application security managers can ensure that programmers are able to identify and eliminate common security flaws from code by using assessment tools and having outsourced programmers prove their knowledge through certification.
Compliance Mandates: PCI/DSS 6.3.7, SOX A12.7, A12.8, DS7, HIPAA 164.308(a)(3), FISMA SA-11 and SI-2, ISO 27001/27002 6.1.8, 8.2.1, 8.2.2
Assessment of Secure Coding Skills through online measurement in Java, C, and .NET (SANS GSSP Assessments)
Certification of Secure Coding Skills in Java, C, and .NET (SANS GSSP Certifications)