Employee Training: A well-educated staff is vital to the success of any security program as humans are most often the weakest link. Training your staff returns greatly because education fosters a culture of security self-regulation. The results will be fewer bugs, fewer design flaws, and fewer simple mistakes often causing financial loss.
Security in the SDLC: The fast-paced world of online business requires organizations to constantly develop new Web-based promotions, products and services for attracting customers. This creates a high-pressure environment for new Web application code. Push now or die is the mantra. To maintain control and business flow, it is important to establish a process of secure code throughout the SDLC.
Defense-in-depth: Defense-in-depth is an industry best practice of building in multiple layers of security. Should any layer become breached, there is another layer preventing compromise. Because, let's face it, software has bugs and systems have weaknesses. By adding overlapping layers of security (input validation, database layer abstraction, server configuration, proxies, Web application firewalls, encryption, OS hardening, etc.), combined with frequent testing, the risks associated with security lapses are significantly diminished.
This was first published in January 2006