So you are a small company that develops software, and your customers are becoming more paranoid about the security of your code. With companies being held responsible for their sloppy coding practices, "As long as it works, that's all you need" no longer applies. One of the first instances I saw of this was "The Trustworthy Computing Security Development Lifecycle" developed by Microsoft.
"Security development lifecycle (SDL)
Microsoft designed SDL to ensure that the development of software is as secure as possible.
The process is made up of a series of security-focused activities and targets for each of the phases of Microsoft's software development process.
These include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing.
Before software can be released, it must undergo a final security review by a team independent from its development group."
Microsoft used this methodology to develop the Vista operating system. Microsoft claims that, as a result of implementing this methodology, Vista has had fewer first-year vulnerabilities than Windows XP, Red Hat, Mac OSX, etc. Microsoft releases this methodology free for anyone to use and is implementing it in its development tools. You can read all about it on the SDL website linked to above.
Another checklist I have found useful for software developers is the Application and Development Checklist developed by the Defense Information Systems Agency. I find this an easy-to-use checklist to show software buyers that any software being developed is going through a strict security engineering process to ensure security is not an afterthought.
Another great resource is SAFECode, which has multiple publications on ensuring you are developing secure code.
"The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp."
If you are developing software, customers are requesting not only working code but also secure code. There is also an ongoing trend in the software industry of businesses including "secure code clauses" in their contracts with application developers.
Keep the code secure, use a secure engineering process!
Friday, June 5, 2009
Developing secure applications
Posted by ecore at 10:36 PM
Labels: computer security, secure software development, security engineering process, software assurance