Denim Group recommends 10 ways for software developers to interact more effectively with information security teams.
SAN ANTONIO, USA: Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risk with their existing software, provides guidance to software development teams looking to collaborate better with security teams.
Software development teams are constantly under pressure to release new software products on a timely basis. While security requirements are acknowledged as important, features and functionality are typically at the top of the priority list for new releases.
Given the increase in application-level attacks, the inclusion of security requirements will be a constant facet of software development efforts in the future.
The following list represents best practices Denim Group has observed in client environments where software development teams collaborate effectively with security teams:
1. Have at least one developer on the team who is able to speak in depth about security. Hire someone specifically for this purpose, or grow someone within the team.
2. Run all developers through some form of security awareness training.
3. Make a list of your applications with some of their characteristics, and share this list with your security team.
4. Use one of the freely available web proxies or application scanners to test one or two of your applications.
5. Download an easily attainable source code scanning tool, and run it against your code.
6. Benchmark your team against a software security maturity model, such as OpenSAMM.
7. Reach out to your security team with the results of your initial efforts. Take the initiative so that the collaboration happens on your schedule rather than theirs.
8. Move any vulnerabilities that have been identified into your defect tracking system so they can be prioritized and systematically addressed.
9. Fix some of the vulnerabilities identified in your applications. Prove you are taking security seriously by picking a handful of the most critical vulnerabilities and fixing them.
10. Ask for input from the security team at the beginning of a new project or development effort.
"Proactively opening lines of communication between software developers and information security professionals will help ensure vulnerabilities are identified and fixed more quickly. This will help avoid business disruption and ultimately save organizations time and money," said Dan Cornell, chief technology officer of Denim Group.