Many organizations view secure coding as an activity that is supposed to happen at the end of the development process. However, if someone testing an application at the end of the development lifecycle says an application needs recoding to ensure its security, that application will need to be reworked and retested, along with any other application that interacts with it. This constant tweaking is often far more expensive than implementing an iterative security process throughout an application development lifecycle.
If there is a field called "State," for example, there is no reason to allow <, > ;, *, --, or : as possible values. If application developers write code from the perspective of only accepting known good values, it decreases the overall cost of application development by cutting quality assurance and certification and accreditation testing.
For more help, a great framework to use is the Scalable & Agile Lifecycle Security for Applications.
Dig Deeper on Web application and API security best practices
Related Q&A from John Strand
Expert John Strand reveals an interesting way of addressing man-in-the-middle attacks. Continue Reading
Expert John Strand explains how to shore up security as you plan a large-scale advertising campaign. Continue Reading
Expert John Strand reveals two exciting trends in antivirus software. Continue Reading