While there is a vast trove of vulnerabilities, threats and their corresponding countermeasures, the amount of information on Infosec Economics (specifically for web applications) seems scarce.

What are the resources and tools that I should look into to make the implementation of a Secure Software Development process, or even a Threat Modeling exercise, measurable? The existing resources focus heavily on network security, so something specific to application security practices such as the list below is what I'm looking for:

  1. Threat Modeling
  2. Code Review
  3. Penetration Testing
  4. Secure Development
  5. Implementing Counter-Measures
  6. Counter-Measures costs vs Breach Costs

Epoch Win

1 Answer

Look at the Microsoft Security Development Lifecycle. This is one of the seminal and best-in-breed approaches to secure software development, and Microsoft has generously provided a great deal of material, resources, and tools to support the lifecycle.

Also, take a look at the Building Security In Maturity Model (BSIMM). BSIMM doesn't tell you how you should do secure software development. Instead, it provides a way to measure the maturity of your software development processes on a dozen different dimensions. The great thing about BSIMM is that it has been applied to dozens of other companies, and data is available about where other companies rate, so you can compare yourself to other companies in your industry sector to see how you are doing.

If you want material specific to web security, you might start with OWASP. They have many resources, tools, and documents on web security.

There are many other resources out there, but I think you'll find these a great start.

D.W.
  • I'm aware of those resources and found them a great beginning to implementing a process. However, when it comes down to expenses and risk management budgets, what should I be reading to make these processes measurable in terms of money and time spent, and are there any tools to help me perform the necessary calculations? For example, Ross Anderson has some resources at this site: http://www.cl.cam.ac.uk/~rja14/econsec.html so I was wondering if there's anything specific to web application security. – Epoch Win Feb 20 '12 at 16:32