• Use open source static analysis tools to detect use of prohibited libraries or unsafe functions
• Use open source static analysis tools to detect the lack of secure libraries like input filtering
• Use open source static analysis tools to detect C/C++ memory errors
• Use commercial web application scanning tools and filter results to provide relevance
• Use commercial source code scanning tools and filter results to provide relevance
• Use commercial binary analysis tools and filter results to provide relevance

• Analysis of current Threat Modeling Processes
• Analysis of current Secure Development Guidelines
• Analysis of current negative QA testing in development and QA organizations
• Analysis of current Developer Training Initiatives
• Recommendations for Automated Application & Source Code Testing

The "iSEC SecureWeb Framework"

Pre-created J2EE classes that provide the basis for providing web security services:

• Input validation classes with common pre-defined types (safe HTML, SSN, credit cards, etc.)
• XSRF protection framework, including a token generator and a simple interface to query the “action state” of the client
• Output validation framework, perhaps implemented as a servlet or tied to a compositing engine
• Secure data-access-layer class, which can wrap JDBC and guarantee prevention of SQL Injection
• Security anomaly framework. A simple framework that can be tuned by the end customer, that collects data and makes it easy to create business rules that detect fraud, such as a single user logging in from multiple geographical locations within a certain period of time.

• Improving Software Security through Life Cycle Changes
• Web Application Security QA Testing
• Application Security Best Practices
• Penetration Testing & Binary Analysis
• Windows Vista Security for Developers

Use valid test data to inject random data into the following input fields:

• Event driven inputs. Usually from a graphical user interface, or possibly from a mechanism in an embedded system.
• Character driven inputs. Files or data streams such as sockets.
• Database inputs. Tabular data, such as relational databases.
• Inherited program state such as environment variables

• Standards/procedures/and examples that drive security into engineering and QA
• Specific guidelines for avoiding problems found during penetration testing and previous assessments
• Standards for measuring applications against the new Secure Development Guidelines

• Standards/procedures/and examples that drive security into engineering and QA
• Specific guidelines for avoiding problems found during penetration testing and previous assessments
• Standards for measuring applications against the new Secure Development Guidelines