
New Best Practices Guide For Building Secure Software

Many information security incidents and privacy breaches occur as a result of exploiting vulnerabilities in poorly engineered applications and systems.

It is good to see more articles and information about how to build security into applications from the very inception of a project, and to continue it through the entire application and system lifecycle.

A new guide worth putting into your applications security library was recently released:

"SAFECode on software assurance: Software Association Forum for Excellence in Code outlines core practices for secure software development"

"The paper identifies and explains security best practices and controls currently used by SAFECode members:

* Security training: A prerequisite to coding secure software is for engineers to be knowledgeable about information security issues affecting users.

* Defining security requirements: Requirements must be defined in the early stages of product development.

* Secure design: The early design phase must identify and address potential threats to the application and ways to reduce those risks.

* Secure coding: The product development team must implement secure programming practices.

* Secure source code handling: The integrity and confidentiality of source code must be protected.

* Security testing: Specialized validation should be implemented to ensure that security requirements, secure design and coding guidelines are followed.

* Security documentation: Documentation for users should help customers understand how to optimally configure security controls, and how configuration options could produce potential security vulnerabilities.

* Security readiness: Prior to releasing a product, the application developer must evaluate, document and assess risks posed by potential security gaps in the product.

* Security response: An incident response mechanism must be in place to relay reports of security vulnerabilities (exploited or not) after the product is released to the product development or sustaining teams for mitigation.

* Integrity verification: Products must offer customers methods to verify that the software they have acquired is from their trusted vendor.

* Security research: Ongoing research should be conducted into new threat vectors and ways to mitigate them.

* Security evangelism: Leaders in the area of software assurance should promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books."


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.