10 Best Practices for Secure Software Development
As a secure software lifecycle professional (SSLP), you must...
- Protect the Brand Your Customers Trust. Security breaches diminish customer confidence in your brand. At all times, keep in mind that your organization has an obligation to protect itself and its customers from cybercriminals.
- Know Your Business and Support it with Secure Solutions. Technical knowledge is not enough. To identify potential security risks, regulatory requirements, and training needs, you need to know your business inside and out.
- Understand the Technology of the Software. Whether building software in-house or buying software from a vendor, you must understand the technology underlying both the software and the existing infrastructure to be sure they are integrated securely.
- Ensure Compliance with Governance, Regulations, and Privacy. You must have a thorough and up-to-date understanding of the internal and external policies that govern the business.
- Know the Basic Tenets of Software Security. You must be familiar with the basics of software security: confidentiality, integrity, availability, authentication, authorization, auditing, and the management of configuration, sessions, and exceptions. For example, encryption can help to maintain confidentiality, while proper load balancing can ensure availability.
- Ensure the Protection of Sensitive Information. Sensitive information is any information that is of measurable value to your organization. Sensitive information must be correctly classified so it can be properly controlled and secured.
- Design Software with Secure Features. Many software security problems are not code-related, but are introduced during the design stage. When designing the software, use threat models and abuse case modeling to identify security threats.
- Develop Software with Secure Features. The security controls you design must be implemented properly. Perform security code reviews and security testing.
- Deploy Software with Secure Features. Stay on top of change management, making sure the test environment always reflects the production environment. Prevent regenerative bugs by managing software releases correctly. Perform vulnerability and penetration testing before deploying new software.
- Educate Yourself and Others on How to Build Secure Software. These days, the norm for software development is "release and patch": an unsatisfactory approach. A cultural change is needed, and that can only happen when people are educated about the importance of security.