Application Security from the Beginning No Longer Such a Tough Nut to Crack


I remember application security from the good old days -- there was none. We coded up a C program or a Fortran program and crossed our fingers. As application security matured, we started reviewing code line by line for security defects; it was all there was. We made many, many mistakes along the way. Back then, we were not that smart. We were only interested in security during the development (coding) phase. Someone grew some brain cells and realized that it would be better to include security in the design (architecture) phase. We were pretty slick and started to get ahead of things. Today we know that we need to include security in every phase of the software development lifecycle. Even though we all understand this, we still don't always have very good tools to help us.


Softtek has recently launched a new application security service called ARMOR, or Application Risk Management, Ongoing Reassurance. ARMOR detects, corrects and prevents defects throughout the System Development Life Cycle (SDLC). ARMOR tests for vulnerabilities through white, grey, and black box security assessments while making recommendations, providing guidance and creating metrics. I've been impressed with Softtek for some time, in part because of their deep case study library, on which they base their software development, and their CMMI level 5 certification.


The obvious advantage of any tool that can detect, correct, and prevent vulnerabilities early in the SDLC is that it saves an organization time, money, and code rework. I am a firm believer in getting security involved in application development as early as possible. And how do you get budget approval for this type of tool? I suggest presenting management with a solution like this one, which, with its white, grey and black box assessments, precludes the need for multiple tools and includes a measurement system that lets the security team track its progress in integrating security over time. When does security get involved in application development at your organization?