Whether the client organization develops its own software or leverages software provided by a third-party vendor, it should ensure that the security of this software is not an afterthought. Security should be an active component in the development process, not something that the organization applies reactively whenever an issue crops up.

Secure software development should follow a software development life cycle (SDLC). An SDLC focuses primarily on the design, development, and maintenance of applications and other software. Development passes through several phases, and ideally, security is incorporated at each of those phases. For example, the testing phase should include techniques like fuzzing and input validation to determine whether the app is vulnerable to certain attacks before it is put into operation. Adhering to an SDLC is crucial because it helps ensure that there are no gaps in the software's security at any point from beginning to end.
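To illustrate the testing-phase fuzzing mentioned above, here is an added example (not part of the original lesson): a small mutation fuzzer run against a parser with and without input validation. The `name:age` record format, both parser functions, and the `InvalidRecord` exception are hypothetical, and the seed input is constructed.

```python
import random

class InvalidRecord(ValueError):
    """The one documented way the parser rejects bad input."""

def parse_record_naive(data: bytes):
    # No input validation: assumes exactly one ':' and well-formed fields.
    name, age = data.split(b":")
    return name.decode("ascii"), int(age)

def parse_record_validated(data: bytes):
    # Validate structure, length and character set before converting.
    parts = data.split(b":")
    if len(data) > 40 or len(parts) != 2:
        raise InvalidRecord("expected name:age")
    name, age = parts
    if not name.isalnum() or not age.isdigit() or len(age) > 3:
        raise InvalidRecord("bad field")
    return name.decode("ascii"), int(age)

def mutate(rng: random.Random, seed: bytes) -> bytes:
    # Apply 1-3 random byte-level edits to a known-good input.
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("replace", "insert", "delete"))
        pos = rng.randrange(len(buf)) if buf else 0
        if op == "insert":
            buf.insert(pos, rng.randrange(256))
        elif buf and op == "replace":
            buf[pos] = rng.randrange(256)
        elif buf:
            del buf[pos]
    return bytes(buf)

def fuzz(parser, rounds: int = 2000, seed: int = 1234):
    # Anything other than InvalidRecord is an unhandled failure: a finding.
    rng = random.Random(seed)  # fixed seed so findings are reproducible
    findings = []
    for _ in range(rounds):
        case = mutate(rng, b"alice:30")  # constructed sample input
        try:
            parser(case)
        except InvalidRecord:
            pass
        except Exception as exc:
            findings.append((case, type(exc).__name__))
    return findings

if __name__ == "__main__":
    for parser in (parse_record_naive, parse_record_validated):
        print(parser.__name__, "findings:", len(fuzz(parser)))
```

Each finding pairs the offending input with the exception type, so it can be turned into a regression test before the software is released.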

Adhering to best coding practices is also an important component of secure software development. Some examples of best practices include writing code that:

  • Is clear and easy for other developers to grasp.
  • Has useful and informative documentation.
  • Is easy to incorporate in the build process.
  • Is highly extensible.
  • Has as few external dependencies as possible.
  • Is concise.
  • Relies on well-established techniques.
  • Integrates well with test harnesses.
  • Closely aligns with design requirements.

Related to this, the organization should also actively avoid the insecure coding practices discussed in a previous lesson.