Digital White Papers

October 2013 Risks and Rewards

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/192213


FIVE STEPS TO BUILT-IN XXXX SOFTWARE SECURITY

less likely to write code that is susceptible to that vulnerability. In addition to an understanding of common vulnerabilities, a good security training program also covers how to write secure code.

Training on how to build secure code is perhaps the best investment a company can make for secure development — it will pay back in manifold ways over the life of the product. This training would include topics such as:
•Mixing code and data or code and passwords
•Layered defenses
•Fail safely and securely

A developer who understands how to build secure code will write secure code for every project, saving time and reducing risk again and again. A good security program is also dynamic: the content of the program changes regularly to reflect emerging trends within and outside the company.

SECURITY REQUIREMENTS

Gathering requirements is done early in product development and is the stage at which various critical and high-level decisions are made about the product. The product manager, who drives requirements-gathering, must make a decision on the security posture and approach required in the product. Are there customer and/or regulatory requirements that need to be met? Some questions to consider are:
•Does the majority of the customer base require a static security scan and penetration tests from all its vendors of hosted services?

It is easy to make quick product decisions based solely on technical and budget considerations. For example, when given the option of setting up a hosted gateway for authentication for all customers versus the option of individual gateways hosted by each customer, the decision usually is based on cost and functionality. Development teams, however, do not consider that by hosting a gateway they insert themselves and their company into the customer's operational and compliance environment. When the compliance environment is evaluated, the hosted gateway can turn out to be significantly more costly and technically complicated if the product is required to comply with privacy or health regulations.

The key security issues at this stage include:

Is security a baseline requirement that needs to be met, or do we want to make security a competitive advantage? Historically, project teams have viewed security requirements as if they take away from a feature or customer request. However, this doesn't always have to be the case. What if security could be your competitive advantage? Security teams and product teams can work together to identify areas that put the product far ahead of the competition. This is particularly important in areas such as enterprise-grade mobile applications, where there is a stronger customer emphasis on security. The security strategy has to be discussed and positioned at this stage. Decisions regarding technical security issues, such as the encryption strategy for data in transit and data at rest, need to be made at this point.
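Two of the training topics listed above, "mixing code and data or code and passwords" and "fail safely and securely", shown as working code. This is an added example written for this page, not code from the ILTA article or its author; the table, user names and the APP_DB_PASSWORD variable name are constructed for illustration, and only the Python standard library (sqlite3, in-memory database) is used.

```python
"""Added example (not from the article): what "mixing code and data" and
"fail safely and securely" look like in code, each with its hardened form.
The users table and its rows are constructed sample data."""
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- Mixing code and data -------------------------------------------------

def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Data (name) is concatenated into the query text, so it becomes part
    of the SQL code. A name containing a quote changes the query's meaning."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql).fetchall())


def find_role_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the query text is fixed and the name travels as a bound
    parameter, so it can never be interpreted as SQL."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows.fetchall())


# --- Mixing code and passwords -------------------------------------------

def load_db_password(env=None) -> str:
    """Hardened form of a hard-coded secret: read it from the environment
    (APP_DB_PASSWORD is a constructed name) and refuse to start without it,
    rather than shipping the password inside the source code."""
    env = os.environ if env is None else env
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to start")
    return password


# --- Fail safely and securely --------------------------------------------

def is_admin_fail_open(conn: sqlite3.Connection, name: str) -> bool:
    """Defective pattern: access is allowed by default and only withdrawn
    when the lookup succeeds, so an unknown user (no row) is treated as admin."""
    allowed = True
    try:
        allowed = find_role_safe(conn, name)[0] == "admin"
    except IndexError:   # no such user: the permissive default stands
        pass
    return allowed


def is_admin_fail_closed(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened form: deny unless exactly one matching row says 'admin';
    a missing user or a database error both result in denial."""
    try:
        roles = find_role_safe(conn, name)
    except sqlite3.Error:
        return False
    return len(roles) == 1 and roles[0] == "admin"


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_role_unsafe(db, "x' OR '1'='1"))   # every role
    print("safe:  ", find_role_safe(db, "x' OR '1'='1"))     # nothing
    print("unknown user, fail-open:  ", is_admin_fail_open(db, "mallory"))
    print("unknown user, fail-closed:", is_admin_fail_closed(db, "mallory"))
```

The same single-quote input reaches both lookup functions; only the concatenating version lets it rewrite the query. The two authorization checks differ only in their default, which is the whole point of "fail safely": the secure default is denial, and errors fall back to it.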
