Development teams can use these steps to address security concerns and minimize disruptions to project release commitments.
Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risk with their existing software, provides guidance to software development teams looking to collaborate better with security teams.
Software development teams are constantly under pressure to release new software products on a timely basis. While security requirements are acknowledged as important, features and functionality are typically at the top of the priority list for new releases. Given the increase in application level attacks, inclusion of security requirements will be a constant facet of software development efforts in the future.
The following list represents best practices Denim Group has observed in client environments where software development teams collaborate effectively with security teams:
- Have at least one developer on the team who is able to speak in depth about security. Hire someone specifically for this purpose, or grow someone within the team.
- Run all developers through some form of security awareness training.
- Make a list of your applications with some of their characteristics, and share this list with your security team.
- Use one of the freely available web proxies or application scanners to test one or two of your applications.
- Download an easily attainable source code scanning tool, and run it against your code.
- Benchmark your team against a software security maturity model, such as OpenSAMM.
- Reach out to your security team with the results of your initial efforts. Take the initiative in order to encourage activity on your schedule.
- Move any vulnerabilities that have been identified into your defect tracking system so they can be prioritized and systematically addressed.
- Fix some of the vulnerabilities identified in your applications. Prove you are taking security seriously by picking a handful of the most critical vulnerabilities and fixing them.
- Ask for input from the security team at the beginning of a new project or development effort.
Follow these steps to get your development team on the right track to addressing security concerns. For further analysis, the detailed list of best practices with descriptions can be found at the Denim Group blog at: http://tinyurl.com/3xefvh2.
“Security requirements for software projects are becoming a more consistent reality for development teams,” said Dan Cornell, Chief Technology Officer of Denim Group. “Proactively opening lines of communication between software developers and information security professionals will help ensure vulnerabilities are identified and fixed more quickly. This will help avoid business disruption and ultimately save organizations time and money.”
About Denim Group
Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,751 in Inc. Magazine’s 5000 Fastest-Growing Private Companies in America in 2009. For more information about Denim Group, visit www.denimgroup.com.