Basics of application security

What primary activities should enterprises implement to ensure the security of their applications?

Every enterprise should be doing three things: 1) training employees in security best practices, 2) building security into every phase of the software development life cycle (SDLC), and 3) adopting a policy of defense-in-depth.

Employee Training: A well-educated staff is vital to the success of any security program, because people are most often the weakest link. Training pays for itself many times over, because it builds a culture in which developers and administrators police their own work. The result is fewer bugs, fewer design flaws, and fewer of the simple mistakes that so often lead to financial loss.

Security in the SDLC: The fast-paced world of online business requires organizations to constantly develop new Web-based promotions, products and services to attract customers. This creates a high-pressure environment for new Web application code; "push now or die" is the mantra. To keep control without stalling the business, security has to be built into the process itself: security requirements and threat modeling at design time, secure coding standards during development, code review and security testing before release, and a defined patching and incident process after deployment. Bolting security on after the code is live is both more expensive and less effective.

Defense-in-depth: Defense-in-depth is the industry best practice of building in multiple, independent layers of security. Should any one layer be breached, the next still stands between the attacker and the asset. Because, let's face it, software has bugs and systems have weaknesses. By adding overlapping layers of security (input validation, database layer abstraction, server configuration, proxies, Web application firewalls, encryption, OS hardening, etc.), combined with frequent testing, the risk that a single lapse becomes a compromise is significantly diminished.
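The following is an added example, not code from the original article, showing two of the overlapping layers named above at the code level: allowlist input validation in front of a parameterized database query. The table, its two rows, and the username rule are constructed here for the demonstration and are assumptions, not anything the article specifies. The unsafe string-built query is included only to show the failure mode that the layers cover.

```python
"""Defense-in-depth against SQL injection: two independent layers.

Layer 1 (validate_username): allowlist validation at the application boundary.
Layer 2 (lookup_param):      parameterized query, so data never enters SQL grammar.
If either layer is missing or misconfigured, the other still blocks the attack.
Sample table and rows below are constructed for this example.
"""
import re
import sqlite3

# Constructed sample data for the demonstration.
_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Assumed username policy: lowercase letter, then 2-31 letters/digits/underscores.
_USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def lookup_unsafe(conn, name):
    """No layers: untrusted input is spliced into the SQL text.

    This is the vulnerable 'before' form; a payload such as x' OR '1'='1
    rewrites the WHERE clause and dumps every row.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def validate_username(name):
    """Layer 1: fail closed unless the input matches the allowlist pattern."""
    if not isinstance(name, str) or not _USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


def lookup_param(conn, name):
    """Layer 2: the driver binds the value; quotes in the data stay data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_layered(conn, name):
    """Both layers together: validation rejects the payload before it is ever bound."""
    return lookup_param(conn, validate_username(name))


def demo():
    """Run one payload through each variant and return what happened."""
    payload = "x' OR '1'='1"
    conn = make_db()
    unsafe = sorted(lookup_unsafe(conn, payload))      # leaks every e-mail
    param_only = lookup_param(conn, payload)           # no such user: []
    try:
        lookup_layered(conn, payload)
        layered = "accepted"
    except ValueError:
        layered = "rejected"                           # validation layer fails closed
    return unsafe, param_only, layered, lookup_layered(conn, "alice")


if __name__ == "__main__":
    print(demo())
```

The point is not that input validation alone would be enough (a legitimate value can still be hostile to a query that builds SQL by hand), nor that parameterization alone is enough (it does nothing for a value that is later echoed unescaped into HTML or a shell command). Each layer covers the cases the other misses, and an attacker has to defeat both.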

This was first published in January 2006