Security should be top of mind before, during and after the development process.
Experts agree that although absolute application security is nearly
impossible, there are key steps you should take to mitigate risk.
Step 1: Define the process
The first step is to define the process you're going to use to develop and measure the security of your software.
Software development has many phases, from requirements gathering
through design, development, testing and deployment. You must consider
how your existing processes must be augmented in every phase of
development to include security, said Ben Chelf, chief technology
officer at Coverity, a maker of static source code analysis tools.
"Defining the process includes thinking about coding standards for
your developers to avoid potentially dangerous code constructs;
thinking about how to design the system in a secure way so that there
is no unintended access, even in the case where the code itself is
bulletproof; and so on," Chelf said.
Security is not just something you can slap on at the end of the
proc??Ãess after the system is put together, Chelf added. That is too
late. With a good process in place that spans the entire software
development life cycle, you can set up checkpoints to measure and
verify that security is being addressed appropriately.
However, there is no single process that works for all organizations.
"The companies that I've seen as the most successful put together a
team of security experts to help define the processes and standards for
software development that occurs within the entity," Chelf said. "This
group should be seen as an enabler, not a -slap on the wrist' to the
software development organization."
Eric Bidstrup, Microsoft's group program manager for Security
Engineering and Community, Trust??Ãworthy Computing, said it is important
to get management support for secure development-no matter what.
"Ensure that you have absolute management support for building
secure software, including the ability to halt shipment of a product if
it doesn't meet your predefined, approved and documented specifications
for secure software development," Bidstrup said.
Indeed, account??Ãability, priorities and buy-in need to be established before progress can be made on application security.
"Application security requires a partner??Ãship between security teams
and their development counter??Ãparts," said Mike Weid??Ã??Ãer, director of
se??Ã??Ãcurity solutions at IBM Rational. "Organizations need to place a
priority on this alongside building new features and meeting deadlines.
This applies for internally or externally developed applications.
Third-party developments and offshore com??Ãpanies need to be held
accountable for delivering secure code by building this into the legal
Sebastian Holst, senior vice president of sales and marketing at
PreEmptive Solutions, also recommends a de??Ã??Ãtailed inventory of the
existing IT environment.
"An organization must have an accurate inventory of what it has
developed and deployed and where those applications are being used, for
what purposes and by whom," Holst said.
The biggest problems come when organizations wait until the end of development to think about security, Weider added.