Through fuller integration of security and development activities, the effectiveness and efficiency of security assessment will be increased and streamlined, the associated costs greatly reduced and organisations will enjoy the return on security investments (ROSI) at a greater rate. Until then, however, those organisations that are already using secure development implementation early in their development cycles will be able to continue to reap greater advantages over their competition. . . .
Thankfully these days' assessing the security of an application prior to implementation is a normal process for most organisations. Organisations accept the view that the earlier in the implementation cycle that security issues are identified, the greater the return on investment (ROI). However with such a mature attitude to implementation, it is hard to understand why organisations are not applying the same principals to the software development cycle as a whole. In fact currently there are only a limited few that are following best practice recommendations in regard to secure development and reaping the financial rewards that increased development controls bring.

Secure development is the process of authoring software in such a way as to embrace information security at every stage of the cycle. By addressing information security issues at the design and prototype stages, huge savings in development costs can be made. Additionally, projects can be delivered faster, and post implementation maintenance costs can be minimised. There are a number of ways that this can be undertaken, but the most common procedures involve phased security assessments and reviews that encompass knowledge share; design assessment; component, system, user interface and production testing and regular security health checks.

It has long been documented that security issues & vulnerabilities identified within applications commonly derive from development or design flaws. Although consuming between 5-15% of a project's overall budget, organisations have learnt that the savings yielded by phased security assessments far outweigh the costs of performing them. Empirical data and industry studies have shown that the absolute cost of fixing a security issue decreases significantly, relative to how early that it is identified in the development cycle.

The link for this article located at net-security.org is no longer available.