Notes to Application Security awareness training in line with OWASP SAMM initial development team education effort according to Education and Guidance practice.

appsec_awareness_training_day2.md

Review OWASP Top 10 appsec risks

• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Security Maxims overview

• https://www.techrepublic.com/blog/it-security/it-security-maxims-for-the-ages/

Security Engineering principles overview.

• Least Privilege
• Fail-Safe Defaults
• Economy of Mechanism
• Complete Mediation
• Open Design
• Separation of Privilege
• Least Common Mechanism
• Psychological Acceptability
• Defense in Depth
• Secure Weakest Link First

Ross Anderson's Security Engineering book

• https://www.cl.cam.ac.uk/~rja14/book.html

Garry McGraws' 10 software security principles

• http://www.zdnet.com/article/gary-mcgraw-10-steps-to-secure-software/

Walk through the flagship OWASP projects

• ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
• ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• SonarQube: https://www.sonarqube.org

Practice (preparation for day 3): demonstrate the workflow of security penetration testing – discover, verify, and remediate a vulnerability.