SOURCE CODE SECURITY - FAQs:


How can organizations ensure source code security within their applications?

Software is only secure if it is written that way. Numerous studies and analyst recommendations point to the value of improving security during the software development life cycle (SDLC) rather than trying to address vulnerabilities discovered after the software has been widely adopted and deployed. Organizations can reduce software risk by building source code security testing into the SDLC itself.

To learn about three major models for integrating source code vulnerability testing into the software development life cycle, and how to combine security expertise with development resources, refer to Secure at the Source: Implementing Source Code Vulnerability Testing in the Software Development Life Cycle.


How can source code analysis help prevent data and identity theft?

The ongoing epidemic of data breaches, and the notification requirements imposed by today's breach disclosure laws and compliance standards, have painfully highlighted how insecure many of today's applications are. Some standards, such as the PCI Data Security Standard (PCI DSS), specifically require software security reviews as part of the compliance process in order to mitigate and manage the risks to sensitive data.

For more information about risks to confidential information and how to build security into the PCI compliance process, read the white papers Managing the Risks of Identity Theft and Meeting the PCI Application Security Standards: Building Security In.

How do automated source code analysis tools help achieve source code security?

Automated source code analysis (static analysis) is widely regarded as the most effective method of security testing early in the life cycle, because it can assess any piece of source code without requiring a complete, running application. The best of these tools pinpoint each vulnerability at the exact line of source code and report the type of flaw, its severity, and how to fix it. Because static analysis reasons about code rather than observed behaviour, its results still need triage for false positives, and it cannot see deployment configuration or runtime conditions. Penetration testing therefore remains an important element of software security, but its value comes later in the life cycle, when it can be applied to a completed application with a functional interface.
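
As an added illustration of what "pinpointing a vulnerability at the precise line" means in practice (this is example code written for this FAQ, not the product or any of the white papers it refers to), the following small Python analyzer walks a module's syntax tree and reports each finding with file, line, rule id, severity and a fix hint. The rule ids, the constructed sample module SAMPLE_SOURCE and the analyze/format_finding helpers are assumptions made for the example; real tools add data-flow (taint) tracking and far larger rule sets, which is why this one flags only a handful of well-known dangerous patterns.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    message: str
    fix: str


# Rule catalogue: fully qualified callee -> (rule id, severity, message, fix hint).
# Rule ids and wording are this example's own, not any product's.
DANGEROUS_CALLS = {
    "eval": ("PY-EVAL", "High", "eval() runs arbitrary code from its argument",
             "use ast.literal_eval() for data, or a real parser for the input grammar"),
    "os.system": ("PY-SHELL", "High", "os.system() passes its argument to a shell",
                  "use subprocess.run([...]) with an argument list and shell=False"),
    "pickle.loads": ("PY-PICKLE", "High", "pickle.loads() can execute code embedded in the data",
                     "use json or another data-only format for untrusted input"),
}


class Analyzer(ast.NodeVisitor):
    """Single-pass AST walk that records findings together with their source line."""

    def __init__(self, filename):
        self.filename = filename
        self.aliases = {}      # local name -> fully qualified import target
        self.findings = []

    # Track imports so aliased calls (from os import system as run) still resolve.
    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def _qualname(self, func):
        """Turn a Name/Attribute chain into 'pkg.mod.func', resolving import aliases."""
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return ""
        parts.append(func.id)
        parts.reverse()
        parts[0] = self.aliases.get(parts[0], parts[0])
        return ".".join(parts)

    def _report(self, node, rule, severity, message, fix):
        self.findings.append(Finding(self.filename, node.lineno, rule, severity, message, fix))

    def visit_Call(self, node):
        name = self._qualname(node.func)
        if name in DANGEROUS_CALLS:
            self._report(node, *DANGEROUS_CALLS[name])
        # subprocess.* with shell=True hands a single string to /bin/sh.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self._report(node, "PY-SHELL", "High", f"{name}() is called with shell=True",
                         "pass an argument list and drop shell=True")
        # <cursor>.execute(<query built by concatenation, % formatting or an f-string>)
        if name.endswith(".execute") and node.args and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr)):
            self._report(node, "PY-SQLI", "Critical", "SQL query assembled from string operations",
                         "use a parameterised query: execute(sql, params)")
        self.generic_visit(node)


def analyze(filename, source):
    """Parse `source` and return its findings in source order."""
    analyzer = Analyzer(filename)
    analyzer.visit(ast.parse(source, filename=filename))
    return analyzer.findings


def format_finding(f):
    return f"{f.file}:{f.line}: [{f.severity}] {f.rule}: {f.message}. Fix: {f.fix}"


# Constructed sample module (an assumption for this example, not real application code).
SAMPLE_SOURCE = '''\
import os
import subprocess
import pickle
from os import system as run

def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)       # concatenated query
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # parameterised: fine

def shell(cmd):
    subprocess.call(cmd, shell=True)          # string handed to a shell
    subprocess.run(["ls", "-l"])              # argument list: fine
    run(cmd)                                  # os.system behind an alias

def load(blob):
    return pickle.loads(blob)                 # deserialises untrusted bytes
'''

if __name__ == "__main__":
    for finding in analyze("sample.py", SAMPLE_SOURCE):
        print(format_finding(finding))
```

Run against the sample, the analyzer reports lines 7, 11, 13 and 16 and stays silent on the parameterised query and the list-form subprocess call on lines 8 and 12; resolving the `run` alias back to `os.system` is the kind of bookkeeping that separates even a toy analyzer from a plain text search.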

Does integrating source code security testing into the development process cause significant delays in the development schedule?

There may be initial slowdowns in the development cycle, especially while individuals learn the new tools and process. However, source code security testing is the most time-efficient method of reducing software risk, and over time it shortens development by instilling secure coding practices in developers, so that fewer defects have to be found and fixed late. The only faster alternative is to do nothing to improve software security, an option that most organizations cannot afford in the long term.

What are the top source code security vulnerabilities?

For descriptions and examples of the top source code security vulnerabilities, refer to The Path to a Secure Application: A Source Code Security Review Checklist.
