Building Security into the Software Life Cycle, a Business Case presented at BlackhatUSA 2006

by Marco M. Morana,

Summary : The times of designing security software as a matter of functional design are over. Positive security functional requirements do not make secure software. Think risk driven design, think like an attacker, think about negative scenarios during the early stages of the application development from misuse and abuse cases during inception, to threats, vulnerabilities and countermeasures during elaboration, secure coding during construction and secure testing and penetration testing during transition to the production phase. The short turbo talk objective is not to cover the academics of secure software, but to talk about a business case where software security practices and methodologies are successfully built into software produced by a very large financial institution. Both strategic and tactical approaches to software security are presented and artifacts that support a secure software development methodology. The critical link between technical and business risk management is proven along with business factors that drive the case of building secure software into a financial organization.