what is exactly mean by Secure Application Development ?
Before knowing the secure application development, lets understand
What is Software Development Life Cycle (SDLC) ?
SDLC, Software Development Life Cycle is a process used by software industry to DESIGN, DEVELOP, TEST and DEPLOY high quality softwares. It is also called as Software Development Process. The Software Development Life Cycle (SDLC) is a framework defining tasks performed at each step in the software development process.
Secure Application Development is a process which has security perspective touch in every functions of application development, as well as security milestones. Secure Development's go above and beyond the regular software software development life cycle in order to ensure that the application being deployed are secure upon release, without creating a delay in the original software development life cycle.
Within each stage of Software Development Life Cycle (SDLC), There are security processes to be done during that time:
1. Risk Assessment,
2. Threat modeling and Design review
3. Static Analysis
4. Security Testing
5. Code Review
6. and finally Security Assessment and Secure Configuration.
Best Practices for Secure Application Development:
Create a policy of breaking the build when a medium or high-level vulnerability is discovered. Don't drag your application and organization at risk - make sure the apps you're releasing are free of high-risk vulnerabilities.
Understand your business and protect it with secure applications. If you know the risks that your business faces then it's easier to develop software that protects against those risks. Application development security can offer risk prevention in the form of slowing down an approach to market (like applying breaks in a car) or speeding it up (like pushing the accelerator) the trick is to know which is needed and when.
Know the technology of your application. You need to consider the technology across your platform. The language of your environment may be dictated by security concerns - for example un-managed code may offer higher susceptibility to overflow attacks than managed code environments. You need to examine the hosts, network segregation and key infrastructure, in addition to the coding environment and ensure there are no obvious (or non-obvious) holes.
Compliance is Key. Ensure that compliance requirements are met through your secure application development life cycle by ensuring all testing, code reviews and pen-tests are included within your process. The Secure Application Development Life Cycle goes beyond just security to also include governance, regulations and privacy framework compliance as required by your environment.
Educate the Developers. It's essential that your developers understand the importance of Application Security concepts like confidentiality, integrity, availability, authentication, and authorization.
Keep Learning. Security is an evolving field. Application development security requires a constant cycle of review, education and implementation. Best practices today may not be best practices tomorrow. Most importantly it's vital that everyone in your team recognizes that security is everyone's job and commit to their part in this.