CHAPTER 4
Secure Code

“Keeping security in mind” when coding is not enough to ensure that secure code is produced; it must be an organizational priority, an official part of your SDLC, and developers must be supported with the appropriate training, time, and resources. This chapter will provide more secure coding guidance, which can be adopted as a standard or guideline for your organization, if you do not already have one.

If you decide to adopt information from this and previous chapters for your organization, it is critical that you “socialize” the information. Hold consultations, have lunch-and-learns, create posters, design infographics, put it on your intranet web page or wiki, email it to people, and most importantly, answer any and every question anyone has about the information. If you want people to adopt more secure practices, you need to ensure that you support them in every way possible.

Selecting Your Framework and Programming Language

Quite often we work in an environment where our programming language and/or framework is already chosen for us. We work in a “Dot Net Shop” or a “Java Shop,” and it is unlikely anyone will be making any big changes in the near future. That said, you may have more flexibility and influence than you realize. Let's see what Alice and Bob have to say about this.

Alice isn't a techie, but she is a high-powered executive. When her IT department told her they wanted to slowly migrate all of their apps over from the Java Struts framework ...

Get Alice and Bob Learn Application Security now with the O’Reilly learning platform.
