Eight steps for integrating security into application development
As a security professional and a developer, I have always been very frustrated by the carelessness of some developers when it comes to conforming to simple security practices. The most common problems I see are unchecked user inputs being passed to system calls or database queries.
Ruby Qurashi’s article, "Eight steps for integrating security into application development", is a good summary of a process one should follow to ensure security is built into applications from the start.
1. Initial review
2. Definition phase: Threat modeling
3. Design phase: Design review
4. Development phase: Code review
5. Deployment phase: Risk assessment
6. Risk mitigation
7. Benchmark
8. Maintenance phase: Maintain
The threat modeling step is, I believe, one of the most critical steps in this whole process. This belief is mainly due to the fact that many application developers are not familiar with the various attacks that could happen to their software. This step would serve as a great training step for these developers.
If this step is performed correctly, the following steps will be much easier for everyone.
Good summary, worth reading.