Secure Software: A Defensive Discipline

When thinking about computer security, the focus is often on network-related issues: firewalls, spam filters, and anti-virus are some of the most visible parts of many security strategies. However, there is another set of concerns with potentially even more severe impacts: vulnerabilities in the software that runs your organization. Depending on the nature of your business and its size, this may be third-party software, in-house code, or a combination of both.
The security of a piece of software is similar to its overall quality: it's not something that can be added at the end, but rather it must be built into the development process from its earliest stages. This is comparable to engineering in the physical world, for example building a bridge: if quality is not considered from the start, it would be very costly to replace all of the bolts if they turn out to be weak or defective later on. Similarly, security should be considered in requirements, design, coding, testing, and deployment, whether these activities are performed by a third-party vendor or by your own organization.

There are four main topics to consider when addressing software security: third-party risk, application penetration testing, source code review, and architecture/design review. We'll cover each of these below, including considerations when selecting vendors who may provide services in these areas. We'll also discuss automated versus manual testing, how to leverage security automation during coding/testing, and how to build security into the software development lifecycle at the organizational level.
