Security should be built into your system from the start, and should be a part of a system’s specification and functional requirements. This may be a struggle — customers or project managers may assume that security is inherent in a system. They may balk at having it written down and taken into account during development — after all, the more that is written down, the more the software may cost and the longer it may take. However, the assumption that security does not need to be specified is a huge risk. When security is not explicitly part of the software requirements, it may never get considered. Microsoft itself has made great advances in recent years in developing secure code by changing its approach and embracing the Security Development Lifecycle (SDL), which highlighted the need to integrate security into the software development lifecycle. The SDL consists of seven steps:
1. Gather security requirements.
2. Secure the design.
3. Incorporate threat modeling.
4. Perform code reviews.
5. Perform penetration tests.
6. Secure the deployment of the application.
7. Integrate feedback into the next iteration of the development cycle.
Sunday, April 3, 2011



