Goal: Ensure that software products and applications are secure by design.
Key Elements:
- Software (Application) Development Security Policy:
- A comprehensive application security policy is necessary throughout the software development life cycle. This policy should define standards and procedures for secure development.
- Security Testing:
- The software development company will conduct security testing of its products and/or services.
- The organization should adapt tests based on the nature of the change, considering the impact and risk level associated with it.
- The software development company should present the user with:
- A list of tests performed during software development. This list must cover all major risks.
- A summary of results along with release notes for their product for the initial release and each subsequent significant release in the production environment.
- Representativeness of Security Tests:
- Security tests performed by the software/application developer will consider the environment in which the product will operate.
- Security Practices During Coding:
- Software security practices will be defined and required for developers to follow during coding, and measures will be in place to audit the effectiveness and compliance of these practices.
- Secure Coding Training and Awareness:
- A training and awareness program on secure coding practices will be provided for all developers who write software code.
Additional Notes:
- While eliminating risk entirely is impossible, these measures significantly reduce the likelihood of security vulnerabilities.
- It is important to keep up with cyber security trends, and adapt policies and tests to new threats.
- Automating security testing, is something that can greatly contribute to efficiency.