In his article, Gary McGraw observes three phases of organizational maturity from a security perspective:
- Organizations that don’t fully understand the security problem
- Organizations that are in a constant “reactive” mode
- Organizations that are integrating security best practices into their SDLC
McGraw goes on to describe best practice items that can help improve the security of software. The following outlines the process that a mature organization might follow to ensure more secure software.
- Perform a code review using static code review and black box testing tools.
- Perform a security architecture review.
- Get penetration testing completed.
- Attack the application like an actual intruder would (“Risk based security testing”).
- Understand the application “Use case” scenarios.
- Understand the application “Abuse cases” - how an attacker might use it in the future.
- Ensure that traditional security measures are in place for the environment (Firewalls, IDS, monitoring, patching).
Even if all of the above aren’t followed, McGraw points out that the most important things to consider would be performing code and architecture reviews. “I think those are the first two that everybody should be doing today. So if you're only going to do two, do those two.”
In closing McGraw mentions that it is important to get the support of both management and the developers to ensure a successful secure development lifecycle. Combining the support of those involved will help to drive more secure applications.
To read the full article in its entirety, see http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1187360,00.html.