SECURE SOFTWARE DEVELOPMENT PRACTICES
The Importance of Secure Development
With the vast amount of threats that constantly pressure companies and governments, it is important to ensure that the software applications these organizations utilize are completely secure. Secure development is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development entails the utilization of several processes, including the implementation of a Security Development Lifecycle (SDL) and secure coding itself.
Secure Development Lifecycle
Integrating security practices into the software development lifecycle and verifying the security of internally developed applications before they are deployed can help mitigate risk from internal and external sources. Using Veracode to test the security of applications helps customers implement a secure development program in a simple and cost-effective way.
The Security Development Lifecycle (SDL) is a software development security assurance process consisting of security practices grouped by six phases: training, requirements & design, construction, testing, release, and response.
One of the important steps in secure development is integrating testing tools and services such as Veracode into the software development lifecycle. These tools allow developers to model an application, scan the code, check the quality and ensure that it meets regulations. Automated secure development testing tools help developers find and fix security issues. Secure development services like Veracode also offer secure development training so that developers can become certified in secure development and gain further education and insight into issues that they may have created.
Secure development can be incorporated into both a traditional software development lifecycle and the rapid pace agile development (see whitepaper on Successful Application Security Testing). Veracode also provides the ability to conduct security assessments on applications during the SDLC.
In order to achieve secure coding, Veracode provides governance, operating controls, eLearning and application intelligence on top of its scanning capabilities. For more information on what Veracode can do to provide secure coding in the software development lifecycle, view the "Best Practices in Secure Coding for the SDLC" webcast with Secure Development expert, Jon Stevenson.
The Veracode secure development platform can also be used when outsourcing or using third-party applications. By setting an acceptable security policy with its vendor, an enterprise can ensure that the dealer's software development policies meet its needs.
Through the use of Veracode eLearning, developers have access to web-based training for secure development that also provides them with certification and CPE credits. With Veracode secure development eLearning, enterprises are given the ability to measure and track their developers' progress, helping to comply with ISO regulations and industry standards such as SANS Application Security Procurement Contract Language. With eLearning, developers can learn secure coding for languages such as ASP.NET, J2EE, and C/C++, as well as study the fundamentals of secure development. More information on Veracode’s eLearning capabilities, as well as a full listing of the curriculum can be found here.