Consider this a very basic step-by-step guide to getting started with an application security practice in your organisation. We begin with an overall framework and pick the Microsoft SDL, which is the gold standard for building applications in enterprises. Once the overall framework is defined, we look at web- and mobile-application-specific resources for guidance and for benchmarking against.
STEP 1 - Get introduced to Microsoft Security Development Lifecycle
STEP 2 - Get familiar with OWASP Application Security Verification Standard
OWASP is a global body for application security research. The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.
The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
- Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
- Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
- Use during procurement - Provide a basis for specifying application security verification requirements in contracts.
Some of the text above is from the OWASP ASVS web page.
STEP 3 - Test against OWASP Top 10 and then later against OWASP Testing Guide
Use the following two documents to test for application security vulnerabilities in your web and mobile applications.
Cheat a bit with OWASP Cheatsheets
Sometimes there is no time to complete full-fledged testing. At times like these, the following OWASP cheat sheets may be useful to peruse.
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. (Text from https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series#tab=Main)
Full list: Master Cheat Sheet
STEP 4 - Aim for covering TOP 20 Critical Security Controls for your network
The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.