Enterprise Application Security through Secure Development

May 19, 2014 by tal

How critical is secure development?

Web threats are constant threats to company security. A single data breach can cost companies thousands or even millions of dollars. If a malicious attacker gains unauthorized access to the company network, it can put sensitive company information, confidential customer and client information, and company assets at risk. Malware is the leading cause of data breaches, and malicious code can often be hidden in application code without detection. Applications, whether developed on-site or third-party implementations, must be completely secured.

The cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145, while overall, the average data breach has increased 15% over the last year for total company response costs of $3.5 million. Secure development ensures that applications are free from flaws, defects and vulnerabilities that could potentially contribute to a company data breach, costing the company hundreds, thousands, or even millions of dollars.

Secure development benefits

Secure development lifecycle benefits include network security, threat and vulnerability elimination, competent defense against a DDoS attack, data security and backup planning, and much more. This eliminates external as well as internal threats, and provides secure application code for company developmental use. By creating a solid outline for secure development, companies can manage their application and network security in a simple, efficient and cost-effective manner.

Security Development Lifecycle

The Security Development Lifecycle is the process used for planning, creating, testing, and deploying an information system such as an application or other software. It also incorporates the security of the application code in order to ensure that there are no vulnerabilities or weaknesses that could be exploited by a malicious attacker. While the stages of the process vary depending on the type of software to be developed, there are typically five stages that are always constant.

Analysis: This is the pre-planning stage, which involves collaboration between developers, management and consumers to determine the best course of action to take.
Design: Developers use the results from the information gathering phase to develop prototypes and come up with a solid design for a final product.
Coding: The software code for the application is developed, then undergoes extensive security testing including vulnerability assessment and penetration testing.
Testing: The application is tested to see if it performs as expected, as well as to determine if there are any additional bugs or vulnerabilities not found during the coding phase.
Deployment: The application is deployed across the system and integrated into the network to ensure proper usage and security.

There are two methods of SDLC, waterfall and agile. The method used varies due to the complexity and size of the project.

Secure coding during the SDLC

As part of the SDLC, secure coding practices and testing are required. The developers should have proper training that provides them with proper certification and CPE credits. Compliance with ISO regulations including SANS Application Security Procurement Contract Language is essential for secure coding.