A Development Process Model for More Secure Applications

You hear about security all the time but have you and your team been designing your applications with security in mind. I found this web-cast, “5 Steps for Developing Secure Applications,” from ITworld.com dated January 12, 2006 provides a good overview roadmap for IT managers:

A synopsis of the web-cast’s main themes follow:
Essentially 75% of security hacks occur at the application level however application security dealt with throughout the whole development lifecycle has not traditionally been a priority of developers. A key is for developers to think about application security as a defect and use the same processes that are used to find other defects. A good rationale is that hackers will not tell you about security defects like the way customers typically talk about other application defects. So developers need to track security vulnerabilities as defects and Operations needs to assess the risk of known defects. Moreover, QA must include security testing; applications must meet legislation requirements and not be susceptible to litigation. And applications must meet internal and external [partner] auditing requirements.

5 steps for Developing Secure New Applications include:
1) Assess business risk: legal, lost revenue, lost productivity, damage to brand, internal apps data exposure
2) Start with architecture: training for threats model, minimize damage
3) Code securely
4) Test early, test often
5) Validate for security: think like a hacker, focus on mal-formed data

3 steps for Assessing the Security of Existing Applications:
1) Assess vulnerabilities
2) Business risk assessment
3) Fix critical defects first

Thank you,
Stephen Ibaraki

Comments (0)

Skip to main content