New Best Practices Guide For Building Secure Software

Many information security incidents and privacy breaches occur as a result of exploiting vulnerabilities in poorly engineered applications and systems.
It is good to see more articles and information about how to build security into applications from the very inception of a project and carry it through the entire application and system lifecycle.


A new guide worth adding to your application security library was recently released:
SAFECode on software assurance: Software Association Forum for Excellence in Code outlines core practices for secure software development

“The paper identifies and explains security best practices and controls currently used by SAFECode members:
* Security training: A prerequisite to coding secure software is for engineers to be knowledgeable about information security issues affecting users.
* Defining security requirements: Requirements must be defined in the early stages of product development.
* Secure design: The early design phase must identify and address potential threats to the application and ways to reduce those risks.
* Secure coding: The product development team must implement secure programming practices.
* Secure source code handling: The integrity and confidentiality of source code must be protected.
* Security testing: Specialized validation should be implemented to ensure that security requirements, secure design and coding guidelines are followed.
* Security documentation: Documentation for users should help customers understand how to optimally configure security controls, and how configuration options could produce potential security vulnerabilities.
* Security readiness: Prior to releasing a product, the application developer must evaluate, document and assess risks posed by potential security gaps in the product.
* Security response: An incident response mechanism must be in place to relay reports of security vulnerabilities (exploited or not) after the product is released to the product development or sustaining teams for mitigation.
* Integrity verification: Products must offer customers methods to verify that the software they have acquired is from their trusted vendor.
* Security research: Ongoing research should be conducted into new threat vectors and ways to mitigate them.
* Security evangelism: Leaders in the area of software assurance should promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books.”
