Experts agree that although absolute application security is nearly impossible, there are key steps you should take to mitigate risk.
Step 1: Define the process
The first step is to define the process you're going to use to develop and measure the security of your software.
Software development has many phases, from requirements gathering through design, development, testing and deployment. You must consider how your existing processes should be augmented in every phase of development to include security, said Ben Chelf, chief technology officer at Coverity, a maker of static source code analysis tools.
"Defining the process includes thinking about coding standards for your developers to avoid potentially dangerous code constructs; thinking about how to design the system in a secure way so that there is no unintended access, even in the case where the code itself is bulletproof; and so on," Chelf said.
Security is not just something you can slap on at the end of the process after the system is put together, Chelf added. That is too late. With a good process in place that spans the entire software development life cycle, you can set up checkpoints to measure and verify that security is being addressed appropriately.
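One concrete form such a checkpoint can take is an automated coding-standard check that runs before code is accepted. The script below is an added illustration, not code from Coverity or from the article: it scans C source for a small set of assumed banned constructs (the banned list, the advice text and the sample source are all constructed for this example) and exposes a pass/fail gate that a build pipeline could call.

```python
"""Minimal coding-standard checkpoint: flag banned C constructs in source text.

Added illustration, not code from Coverity or the article. The banned list
and the sample source below are constructed assumptions, not from the page.
"""
import re

# Assumed coding-standard rule set: banned function -> recommended replacement.
BANNED_CALLS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strlcpy/strncpy with the destination size",
    "sprintf": "snprintf with the destination size",
}

# Match a banned identifier used as a call (word boundary, then "(").
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED_CALLS)) + r")\s*\(")


def find_violations(source: str, filename: str = "<input>"):
    """Return (filename, line_no, function, advice) for each banned call found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for match in _CALL_RE.finditer(code):
            fn = match.group(1)
            findings.append((filename, line_no, fn, BANNED_CALLS[fn]))
    return findings


def checkpoint_passes(sources: dict) -> bool:
    """Gate: the checkpoint passes only if no file contains a violation."""
    return all(not find_violations(src, name) for name, src in sources.items())


# Constructed sample input (not from the article) with two violations and one
# mention of a banned name inside a comment, which must not be flagged.
SAMPLE_SOURCE = """#include <stdio.h>
#include <string.h>

void greet(char *name) {
    char buf[32];
    strcpy(buf, name);
    printf("hi %s\\n", buf);
}

int main(void) {
    char line[64];
    gets(line);
    greet(line);   // strcpy(buf, line) here is only a comment
    return 0;
}
"""

if __name__ == "__main__":
    for fname, line_no, fn, advice in find_violations(SAMPLE_SOURCE, "greet.c"):
        print(f"{fname}:{line_no}: banned call {fn}(); use {advice}")
    print("checkpoint passed" if checkpoint_passes({"greet.c": SAMPLE_SOURCE})
          else "checkpoint FAILED")
```

Running it on the constructed sample reports the `strcpy` call on line 6 and the `gets` call on line 12 and fails the gate; the commented mention on line 13 is ignored. A real rule set would be agreed by the security team Chelf describes and applied uniformly across the organization's repositories.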
However, there is no single process that works for all organizations.
"The companies that I've seen as the most successful put together a team of security experts to help define the processes and standards for software development that occurs within the entity," Chelf said. "This group should be seen as an enabler, not a 'slap on the wrist' to the software development organization."
Eric Bidstrup, Microsoft's group program manager for Security Engineering and Community, Trustworthy Computing, said it is important to get management support for secure development, no matter what.
"Ensure that you have absolute management support for building secure software, including the ability to halt shipment of a product if it doesn't meet your predefined, approved and documented specifications for secure software development," Bidstrup said.
Indeed, accountability, priorities and buy-in need to be established before progress can be made on application security.
"Application security requires a partnership between security teams and their development counterparts," said Mike Weider, director of security solutions at IBM Rational. "Organizations need to place a priority on this alongside building new features and meeting deadlines. This applies for internally or externally developed applications.
"Third-party developments and offshore companies need to be held accountable for delivering secure code by building this into the legal contracts."
Sebastian Holst, senior vice president of sales and marketing at PreEmptive Solutions, also recommends a detailed inventory of the existing IT environment.
"An organization must have an accurate inventory of what it has developed and deployed and where those applications are being used, for what purposes and by whom," Holst said.
The biggest problems come when organizations wait until the end of development to think about security, Weider added.