Software security is everyone’s problem

Software Quality Insights, Sep 19 2008, 2:26PM GMT
Posted by: Jennette Mullaney
Tags: Application security, Software Quality, Requirements gathering

Good news about Web security is much rarer than it should be. There was some encouraging news recently, however. A report from WhiteHat Security found that over the course of a year, 66% of known vulnerabilities were corrected. When one considers how terrifying security reports usually are, happy surprises such as these are to be celebrated.

But before you break out the champagne, it might be prudent to read about the report’s other, terrifying findings. Spoiler alert: CSRF attacks are primed and ready for massive destruction. As you can see, application security is a moving target. Once you’ve protected against one threat, attackers come at you using a different weapon.

Sadly, only a small percentage of software professionals realize how important requirements gathering is for security. Business analysts can educate themselves with Kevin Beaver’s tip on writing software requirements that address security issues and Rob Apmann’s Q&A on how to address security during requirements gathering. Project managers should check out a free chapter from Software Security Engineering: A Guide for Project Managers; its chapter “Requirements Engineering for Secure Software” offers a gentle introduction to the subject.

We receive many questions from readers about requirements gathering for applications that need protection built into them. A site that processes credit cards or any other kind of sensitive information must be created with security as a major priority. Rob Apmann recently advised how to gather requirements for a payroll application. The first thing to do, he said, is to gather non-functional requirements such as the scale of the system and whether it is Web-based “so that you start with an architecture that will be secure and meet your deployment needs.”

As industry experts have been saying for years, security needs to be addressed at every stage of the development life cycle — requirements, design and architecture, programming, testing, and QA.
