Why software teams need disciplined structure to reduce security bugs

An athletic footwear manufacturer has a slogan that says, “Just do it.” It’s also a command that leaders of some organizations issue to their application developers.

However, if application security isn’t rigorous and disciplined, just getting it done will create risk for the enterprise. That’s why the DevOps movement, which emphasizes collaboration between developers and IT operations, is so important.

Jim Ivers of Cigital, which offers a number of services including application security testing, argued in a column this week that successful development teams must have a software security group (SSG) and a software security initiative (SSI).

An SSI is the set of activities necessary to build security into the development process, rather than the reactive process of bolting security onto existing software. The SSG is the group that makes the SSI work. As Ivers describes it, the software security group provides policies and processes, and liaises between the development team and IT security.

Successful software security means testing applications to get results that are observable, measurable, and consistent. Without a formal and disciplined approach, your group isn’t going to get that.

“For firms with an SSI/SSG, habits and process are the critical success factors,” writes Ivers. “Staff is not only trained, but incentivized to raise their security IQ. There are clear paths of communication between the security team and the developers. Experienced organizations learn that security is not a drag on performance, but can provide productivity gains by eliminating security vulnerabilities early in the development process. Effective metrics are produced to demonstrate to management the value of the program and reduction of risk.”

It’s imperative that DevOps teams cut the number of flaws in code. There are any number of tips, tricks and lists of ways to avoid security design mistakes. One of the most recent was issued by the IEEE last fall, and the SANS Institute, together with MITRE, maintains the CWE/SANS Top 25 list of the most dangerous software errors. But unless there is a disciplined software development process, teams will still churn out applications that have too many bugs.

Howard Solomon