Monitor the process
"The reality is that even if your application fails 99.9999 percent of the time in a secure way, some hacker out there likely will uncover that one-in-a-million failure mode to exploit your application," he said. "And that is very difficult to test for." However, vigorous testing must be done nonetheless, say experts.

Moreover, Weider said, there have been some incredible advancements in the quality of security-testing tools in the last several years. "Used in conjunction with good process and training, tools can significantly reduce the cost and time required for security testing," he said.

Step 5: Monitor the process.

Lastly, compliance with security policies should be monitored on an ongoing basis. "Monitor compliance to security policies using an automated infrastructure," Parasoft's Kolawa said. "At a scheduled time each night, the automated infrastructure should retrieve the latest code modifications from source control and determine whether that code complies with the security policy. If a problem is found, the developer who introduced it should be notified within his or her IDE [integrated development environment] to promote fast remediation."

This step also includes security code reviews and maintaining security vigilance as applications move into production. "No development project, no matter how well-designed or executed, will remain 100 percent secure 100 percent of the time if left to its own devices," said Andrew Zaikin, a security expert and project director at outsourcing specialist Exigen Services. "Watch production, read production logs as they are being developed, and stay involved on a consistent and continual basis," Zaikin said.
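The nightly compliance check Kolawa describes, as an added example that is not from the article or from Parasoft: it reads `git log -p` output for the day's commits, tests only the lines each commit added against a small illustrative policy, and groups the findings by the author who introduced them, which is the list a notification step would hand to each developer. The policy rules, file names, authors and log text are constructed for the example; in a real run the log text would come from `git pull` followed by the `git log` command named in the comment.

```python
import re
from collections import defaultdict
# Illustrative policy rules (stand-ins for an organisation's real policy), applied to added lines only.
POLICY_RULES = {
    "banned-unsafe-call": re.compile(r"\b(strcpy|gets|sprintf)\s*\("),
    "hardcoded-secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    "shell-from-string": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")  # captures a hunk's new-file start line
def parse_added_lines(log_text):
    """Yield (author, path, new_lineno, text) for each line a commit added."""
    author, path, lineno = None, None, 0
    for raw in log_text.splitlines():
        if raw.startswith("Author: "):
            author = raw[8:]
        elif raw.startswith("+++ "):  # "+++ /dev/null" marks a deleted file
            path = raw[6:] if raw.startswith("+++ b/") else None
        elif m := HUNK_RE.match(raw):
            lineno = int(m.group(1))
        elif raw.startswith("+"):
            yield author, path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" "):  # context line; removed ("-") lines do not advance the new-file counter
            lineno += 1

def check_policy(log_text):
    """Return {author: [(path, lineno, rule, text), ...]}: the per-developer notification list."""
    findings = defaultdict(list)
    for author, path, lineno, text in parse_added_lines(log_text):
        for rule, pattern in POLICY_RULES.items():
            if pattern.search(text):
                findings[author].append((path, lineno, rule, text.strip()))
    return dict(findings)

# Constructed, abridged output of: git log -p --since="1 day ago" --format="commit %H%nAuthor: %an <%ae>"
SAMPLE_LOG = """\
commit 1111111
Author: Alice <alice@example.com>
+++ b/src/login.py
@@ -10,3 +10,5 @@
     session = new_session(user)
+    admin_password = "hunter2"
+    subprocess.run(cmd, shell=True)
commit 2222222
Author: Bob <bob@example.com>
+++ b/src/buf.c
@@ -4,2 +4,3 @@
-strncpy(buf, src, sizeof buf);
+strcpy(buf, src);
"""
```

Note that Bob's removed `strncpy` line is never inspected: only what a commit introduces is attributed to its author, so the check reports the new `strcpy` call and nothing else.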
"Components of an application need to be tested separately and also again together," Weider said. "A part of an application could be secure on its own, but when code created by another person [is introduced], a new security vulnerability could be created. Security can never be taken for granted."