Developing secure software is critical to a company's reputation and bottom line. The impact of a software malfunction or security breech can result in a massive recall, millions in lost revenue, the loss of sensitive customer data, and a headline in the Wall Street Journal. With the ubiquity of software in everything from automobiles to investment trading applications more companies than ever are feeling the legal and financial pressure to assure the security of their code. Faced with having to maintain software quality and security while accelerating innovation, companies with institutionalized, standard code development processes are looking for new ways to further reduce overall program risk. Traditionally, companies would perform security testing near the end of the software development lifecycle, prior to product release but that process can put release schedules at risk and late found defects cost more to address. To more effectively address security, some of these companies are now adopting secure development lifecycle initiatives where security deliverables are inserted in all phases of development. As a result, companies are finding that the benefits of fewer security incidents, faster time to remediate and fewer audit deficiencies far outweigh the costs of implementing these initiatives.
So, are secure development lifecycle initiatives merely academic, or can they truly serve as practical guidelines? Are they within the reach of any but the largest companies?
This white paper outlines a practical approach to implementing secure practices into the software development lifecycle. And it is only through bringing in security "from around the edges" and pushing past the traditional operation view of security by bringing into all phases of development that you can begin to build software systems that can stand up under attack.