Monday, June 11, 2007

Application security: the process...

A secure development process like the one in use at Microsoft takes careful planning and a lot of time to achieve. My company's been moving towards something like it since I started almost two years ago... here's how:

Testing

We figured testing would be the least disruptive starting point for this little paradigm shift. Somebody who understands the issues du jour should be able to get you going pretty quickly. (Consider tools like Fortify's SCA and Watchfire's AppScan here.) Don't overwhelm developers with a report that's hundreds of pages long and lists dozens of defects - they won't read it. Triage the findings first (static analyzers in particular report false positives), then hand over the most severe, confirmed vulnerabilities and get those looked at before anything else.

Secure coding guidelines

While that's going on, you can start work on a secure coding chapter to add to your organization's coding guidelines document. The two main ideas to get across are input validation and output encoding: between them they will prevent 80+% of the vulnerabilities attackers are exploiting these days, essentially the whole injection class (cross-site scripting, SQL injection and friends). They won't catch authorization or business-logic flaws, which is what the design phase below is for. (The shorter this chapter is, the better.)
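To make the two ideas concrete, here is an added example (not code from the original post) that puts an allowlist validator beside a "before" and "after" renderer. The function names, the display-name allowlist and the sample payloads are all assumptions constructed for the demonstration. It shows the point the guideline chapter has to get across: validation rejects what does not fit the expected shape, and encoding is chosen per output context (HTML body versus URL query component), because one encoder does not fit every sink.

```python
"""Input validation and output encoding, side by side (added example)."""
import html
import re
from urllib.parse import quote

# --- Input validation: allowlists, applied at the trust boundary -------------

# Display names: letters, digits, space, apostrophe, hyphen, period; 1-32 chars.
# Anything outside the allowlist is rejected outright rather than "cleaned up",
# because stripping characters tends to leave behind something an attacker
# can still use. (Allowlist is a constructed assumption for this example.)
_NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,32}")


def validate_name(raw: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise."""
    if _NAME_RE.fullmatch(raw) is None:
        raise ValueError("display name contains disallowed characters")
    return raw


def validate_item_id(raw: str) -> int:
    """Item ids must be plain decimal digits; the result is an int, never a string,
    so it can be bound as a number in a parameterised query later on."""
    if re.fullmatch(r"[0-9]{1,10}", raw) is None:
        raise ValueError("item id must be a decimal integer")
    return int(raw)


# --- Output encoding: chosen per output context -----------------------------

def render_unsafe(comment: str, next_url: str) -> str:
    """The 'before': untrusted strings concatenated straight into HTML.
    A comment containing <script> executes; a next_url containing a quote
    breaks out of the href attribute."""
    return (f"<p>Comment: {comment}</p>"
            f'<a href="/redirect?to={next_url}">continue</a>')


def render_safe(comment: str, next_url: str) -> str:
    """The 'after': each value encoded for the context it lands in.

    - HTML body text: html.escape(quote=True) turns < > & " ' into entities.
    - URL query component: urllib.parse.quote(safe="") percent-encodes
      everything except unreserved URL characters, so quotes, spaces and
      '=' cannot alter the attribute or the query string.
    """
    return (f"<p>Comment: {html.escape(comment, quote=True)}</p>"
            f'<a href="/redirect?to={quote(next_url, safe="")}">continue</a>')


# --- Constructed sample inputs (not real traffic) ---------------------------

XSS_COMMENT = "<script>alert(1)</script>"
ATTR_BREAKOUT_URL = 'x" onmouseover="alert(1)'


def demo() -> dict:
    """Run both renderers on the constructed payloads and report what survived."""
    return {
        "unsafe_has_live_script": "<script>" in render_unsafe(XSS_COMMENT, "/home"),
        "safe_has_live_script": "<script>" in render_safe(XSS_COMMENT, "/home"),
        "unsafe_attr_broken": 'onmouseover="' in render_unsafe("hi", ATTR_BREAKOUT_URL),
        "safe_attr_broken": 'onmouseover="' in render_safe("hi", ATTR_BREAKOUT_URL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the validator would reject the script payload as a display name outright, but a free-text comment field cannot be allowlisted that tightly, which is exactly why output encoding has to be there as the second line of defence.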

Developer training

When your guide's ready, go through it with the development team. An hour-long presentation or so should suffice.

Security audits of new code

Are developers actually following the recommendations you laid out in the last two phases? Use regular code audits to highlight which parts of your guide have been internalized and which bits may need further evangelizing.

Security considered by designers

Security at design time is the ultimate goal. Security paid for up front is much cheaper and many times more effective than security bolted on at the end.

But don't expect things to change overnight. It may even be worth your while to get some outside help while you're ramping up (consultants?); ultimately, though, you want your own developers writing better code.

1 comment:

Anonymous said...

Interesting to know.