Automated quality assurance-verification tools are often used to test software once it has been built, either by...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
performing automated code analysis or vulnerability testing. The latter approach simulates an attacker hacking away at the application, while the former plays the role of an intelligent examiner that reviews the code; product examples include offerings from Ounce Labs Inc., Fortify Software Inc., and SPI Dynamics. For basic testing, you can have your own coders review each other's work, or you can hire an outside coder to offer a fresh perspective on where the gaps may lie.
Despite advances in computer automation, humans are still superior at ensuring applications are developed securely, probably because the best challenge is posed by humans, notably those who can think as an attacker would. However, human work is often more effective if a framework guides it. There are numerous examples of secure software development life cycle processes. The U.S. Department of Homeland Security is a good starting point to learn more.
While some of these frameworks have been applied to massive projects, such as aircraft flight control systems, other development guides can be readily used for much smaller initiatives. Such is the case with Microsoft's Trustworthy Computing Security Development Lifecycle, which breaks the build process into six phases: requirements, design, implementation, verification, release and support/servicing. And while Microsoft is hardly synonymous with software security, the company's Security by Design initiative is a valuable contribution to the creation of more secure applications.
- If your application development process is not yet addressing security at all six phases, now is the time to start. In the meantime, be sure to read Ed Skoudis' article on software development best practices that can prevent input-validation attacks.
Dig Deeper on Secure software development
Related Q&A from Michael Cobb
An ImageMagick vulnerability known as Yahoobleed could give hackers access to Yahoo servers. Expert Michael Cobb explains the flaw and how Yahoo ...continue reading
Google's new security platform, Google Play Protect, looks to decrease Android app security threats through machine learning. Michael Cobb explains ...continue reading
Microsoft collects data using Windows 10 telemetry features. Expert Michael Cobb explains what type of data is collected, and whether enterprises ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.