Since this is my specialty, I figured I'd put my 2 cents in on Hacker News, and repost it on Stack Overflow later. So to begin, some tools that you should use for testing your code:
Burp tool suite (Pen Testing)
BackTrack Linux Distro (has all kinds of tools, won't go into them, but download it and it can be used to really cause havoc on your apps)
These tools allow you to point programs towards your application and see if they are vulnerable to any kind of attacks, including XSS and SQL Injection (among a lot of others).
Engineers should also read the OWASP site, which has the OWASP top ten. It also has other tips and tricks about how to secure against different attacks. If you ever have a security question, this site has a lot of secure examples for different code.
As the top comment on stack overflow says, never trust your users. That means never allow your users to do things that you don't want them to. If you allow them to deviate from the structure of your program in any sense, someone will find a way to abuse the privilege. This is the key to good security.
Some Tips I'll give you:
1 ) Validate all input
2 ) Control Access to everything
3 ) Use secure application keys to ensure that people can spoof requests from different browsers
4 ) Use Multi Factor Authentication whenever it's possible
5 ) Never ever pass any values from the server that should leave to the client. Even if it is hashed, I can break it using tools. Valuable data = server side; public data = client safe
If you have any other questions, feel free to post them and I'll try my best to answer them or find you an answer.
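Tip 5 above is easy to underestimate, so here is an added example (not code from the thread) showing why hashing does not protect a low-entropy value once it reaches the browser. The scenario is constructed: a hidden form field carries the SHA-256 of a 6-digit account number; the attacker side simply enumerates all 1,000,000 candidates. The second half shows the alternative the tip points at: the sensitive value stays on the server and the client only sees an opaque reference. The `ACCOUNT_REFERENCES` hash is a stand-in for a real server-side session store.

```ruby
require 'digest'
require 'securerandom'

# Constructed scenario (not from the thread): a page embeds the SHA-256 of a
# customer's 6-digit account number in a hidden field, on the theory that a
# hash "can't be reversed".
def hide_account(account_number)
  Digest::SHA256.hexdigest(account_number.to_s)
end

# Attacker side: the preimage space is only 1,000,000 values, so the hash is
# reversed by enumeration. A salt does not help here, because the page would
# have to ship the salt to the client as well.
def recover_account(hash_hex, max = 999_999)
  (0..max).each do |n|
    return n if Digest::SHA256.hexdigest(n.to_s) == hash_hex
  end
  nil
end

# What "valuable data = server side" looks like in practice: keep the value on
# the server and hand the client an unguessable reference that is resolved
# server-side. ACCOUNT_REFERENCES stands in for a session store (assumption).
ACCOUNT_REFERENCES = {}

def issue_reference(account_number)
  ref = SecureRandom.urlsafe_base64(24) # 192 bits of entropy; not enumerable
  ACCOUNT_REFERENCES[ref] = account_number
  ref
end

def resolve_reference(ref)
  ACCOUNT_REFERENCES[ref] # nil for references the server never issued
end

if __FILE__ == $PROGRAM_NAME
  hidden = hide_account(123_456)
  puts "hidden field: #{hidden}"
  puts "recovered:    #{recover_account(hidden)}"
  ref = issue_reference(123_456)
  puts "opaque ref:   #{ref} -> #{resolve_reference(ref)}"
end
```

Run it and the "hidden" account number comes back in well under a second; the opaque reference, by contrast, only means something to the server that issued it.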
Information security is a topic that I'm very interested in, but it's such a large area that I don't know even where to start. In this field especially, "learning by doing" seems an extraordinarily bad idea. You say this is your speciality; how did you acquire it? Are there any online courses, good books, or useful (i.e. non-bullshit) certifications that you can recommend?
I acquired it by just doing it over the years I've been programming/engineering. When I was younger I wanted to be a "hacker" (the kind that does malicious stuff and ends up locked in federal prison), so I started using tools like BackTrack to see if I could break websites, and it turned out I could. I just read things like OWASP, and I currently work for a security company that specializes in financial institutions (AKA banks, credit unions etc.) so I acquire knowledge on the job as well. As for books, I found Security Strategy: From Requirements to Reality to be really good, but I haven't really read too many books on this subject to be honest. Certifications are usually cheap and no good, so I don't recommend those. I recommend learning about communication protocols though, because if you understand those, you can figure out attacks that may happen just by knowing how they work. As well, there are applications like WebGoat that you can download and that are full of security flaws, so you can kind of learn from that. There are guides out there to teach you how to hack WebGoat. The key to great info sec is thinking like a hacker, and you acquire that by hacking websites (preferably WebGoat/your own).
You can do a lot of learning-by-doing without actually exploiting vulnerabilities, or even doing anything illegal. Especially if you're on a college campus with an interesting computer network, and ubiquitous wireless networks (for relative anonymity). Do port scans (nmap) and explore interesting services you find (with netcat + google), dump DNS entries for campus and grep for interesting words, then do more port scans, etc.
I don't quite understand number 3? Can you elaborate number 3 a bit? How is that being used? Can SSL do the same thing? Or do you mean preventing CSRF kind of attack?
Multi Factor authentication is basically using multiple factors to authenticate a user, like texting a number to the person's cellphone to authenticate them if they are visiting from an IP that is not familiar to the system. It's basically using a second piece of information besides a password to ensure that a user is who they say they are. Sending a text message with a number is a really popular way of doing this. Think as well of a PIN and a credit card at an ATM. Sure, you have to use your ATM card at the ATM to prove your identity, but you also have to use a PIN to add an extra layer of security. This significantly reduces the risk of a breach on someone's account.
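The server-side half of the texted-code scheme described above, as an added example that is not code from the thread. The part that gets the code wrong in practice is not generating it but verifying it: a 6-digit code is only a million guesses, so the check has to expire the code, cap attempts, compare in constant time, and burn the code after one successful use. The `code:` keyword argument exists only to make the example deterministic (an assumption for demonstration; production always generates), and `step_up_required?` is a hypothetical stand-in for the "unfamiliar IP" trigger the comment mentions.

```ruby
require 'securerandom'

# One SMS/texted-code challenge, held server-side while the user answers it.
class SmsCodeChallenge
  TTL_SECONDS = 300  # the code is useless after five minutes
  MAX_ATTEMPTS = 5   # 10^6 possible codes; do not let anyone try many of them

  # `code:` is injectable only so this example is deterministic (assumption).
  def initialize(now: Time.now, code: nil)
    @code = code || format('%06d', SecureRandom.random_number(1_000_000))
    @expires_at = now + TTL_SECONDS
    @attempts = 0
    @consumed = false
  end

  # Given to the SMS gateway only; never rendered into the page (tip 5 again).
  def code_for_delivery
    @code
  end

  # Returns :ok, :wrong, :expired, :locked or :consumed.
  def verify(submitted, now: Time.now)
    return :consumed if @consumed
    return :expired if now > @expires_at
    @attempts += 1
    return :locked if @attempts > MAX_ATTEMPTS # locked even if this guess is right
    if constant_time_equal?(@code, submitted.to_s)
      @consumed = true # a code works exactly once
      :ok
    else
      :wrong
    end
  end

  private

  # Byte-wise comparison that does not stop at the first mismatch.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Hypothetical trigger for the second factor: source address not seen before.
def step_up_required?(known_ips, request_ip)
  !known_ips.include?(request_ip)
end

if __FILE__ == $PROGRAM_NAME
  challenge = SmsCodeChallenge.new
  # -> send challenge.code_for_delivery via the SMS gateway here
  p challenge.verify('000000')                  # almost certainly :wrong
  p challenge.verify(challenge.code_for_delivery) # :ok
  p challenge.verify(challenge.code_for_delivery) # :consumed
end
```

Note that after `MAX_ATTEMPTS` wrong guesses even the correct code returns `:locked`; the user has to request a fresh challenge, which is what keeps a million-guess code space from being searched.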
My previous reply was bad, and for that I apologize. Yes, use application keys for your services/controller to make sure that it is indeed an app. This prevents session spoofing and CSRF. Rails does this automatically, and so do a lot of other frameworks/languages, so it isn't a big deal, but some people use services built on Scala or another language without frameworks, so they tend to be susceptible.
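What the "application key" amounts to in the CSRF case is the synchronizer token that Rails emits as `authenticity_token`. The following is an added example written for this thread, not Rails' own implementation: a per-session random token is stored server-side, rendered into the app's own forms, and required on every state-changing request. The request is modelled as a plain Hash (`method:`, `params:`, `headers:`), which is an assumption for demonstration. It also answers the SSL question above: TLS does not stop CSRF, because the victim's browser attaches the session cookie to a forged cross-site POST over HTTPS just as readily; what the forged page cannot do is read the token out of the app's own page, so the check fails.

```ruby
require 'securerandom'

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze # must have no side effects

# Byte-wise comparison that does not stop at the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue (or reuse) the per-session token. `session` is server-side state that
# the browser never sees directly; only the token is rendered into forms.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Request is modelled as {method:, params:, headers:} (assumption for the example).
# Token is accepted from the form field or from a header set by the app's own JS.
def csrf_valid?(session, request)
  return true if SAFE_METHODS.include?(request[:method])
  expected  = session[:csrf_token]
  submitted = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
  return false if expected.nil? || submitted.nil?
  constant_time_equal?(expected, submitted)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                      # created when the user logged in
  token = issue_csrf_token(session) # rendered as <input type=hidden name=authenticity_token>

  # The app's own form: the browser sends the cookie AND the token.
  own_form = { method: 'POST', params: { 'amount' => '500', 'authenticity_token' => token }, headers: {} }
  # Forged form on evil.example: the browser still sends the cookie (even over
  # HTTPS), but the attacker cannot read the token out of the app's page.
  forged = { method: 'POST', params: { 'amount' => '500' }, headers: {} }

  puts "own form accepted:  #{csrf_valid?(session, own_form)}"
  puts "forged form accepted: #{csrf_valid?(session, forged)}"
end
```

The remaining pieces a real deployment adds on top of this are rotating the token on login and logout and keeping the session cookie itself out of reach (`HttpOnly`, `Secure`, and `SameSite` where the browser supports it).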
I probably wouldn't recommend training team members on Backtrack. Backtrack is a go-to tool for network penetration testers, but if your concern is the security of your code, you're better served with a license for Burp Suite. Much of what's in Backtrack, including Metasploit, is probably not going to be useful in the "we'll need it every time through the dev cycle" sense.
Wireshark (to analyze traffic coming to and from my website), Metasploit (to make social engineering exploits to make sure my servers aren't vulnerable), Mantra Security Framework, Cisco OCS Mass Scanner (for breaking Cisco routers), SQL Inject, SQL Scanner (both for finding injection errors). If you master these, you can do a lot of cool things with them. Wireshark is your best friend when things aren't over SSL.