Discover Performance

HP Software's community for IT leaders // March 2012

Get developers thinking security in four steps

Security is already the apps team’s problem, so it’s time to enable them to create secure code from the get-go. Start here.

Most enterprise developers pay less attention to security issues than to functional and performance requirements. But they almost always end up dealing with security—after the security team or end users find problems. The CIO and VP of Applications see their costs rise and deployment slow as developers spend hours or days in rework mode, while the application is not out there driving potential revenue for the business. And that’s the upside. The consequences can be far worse when vulnerabilities surface after release.

Rather than approach security reactively, leading IT organizations are empowering developers to build in security during the application development process. Software security assurance (SSA) is a holistic approach that helps apps teams to build apps that are more secure and that get to market faster, allowing the security team to focus more on perimeter security.

Here’s the four-step start to motivating and enabling your team to develop secure applications.

Step 1: Educate

First, build awareness about why SSA is important. It’s not just another responsibility to add to developers’ workloads; it’s fundamental to developers doing their jobs better, and it saves them—and the entire enterprise—time and money later.

Next, seek out workshops, conferences, certifications, and seminars from educational organizations such as the SANS Institute. Web app teams can benefit from specialized training and networking opportunities from organizations such as the Open Web Application Security Project (OWASP), which offers guidance and a knowledge base for how to address web app security issues. Developers love to learn, and there are many resources available to help them.

Step 2: Assess risk and prioritize

You can’t transform app security overnight, so focus your efforts wisely. Ask these questions:

  • What’s the status of your current apps? Which, if any, have been security tested or assessed by an outside organization?
  • Which of your apps are subject to compliance rules or government regulation?
  • Which apps are top priority, security-wise, for the business? Where might there be high risk to customer data, satisfaction or loss of revenue?

Step 3: Design a process

Allow for the gathering, management and tracking of security requirements, just as you track any other type of requirement. If you are using an ALM tool for requirements definition and management, create a template for security requirements or user stories, share it among teams and make it part of the project scope or iteration. It’s also important to institute threat modeling. Consider having coders write user stories that capture what the user—in this case, the hacker—wants to accomplish. “As a hacker, I want to attack HTTPS by injecting malicious JavaScript libraries into a browser cache.” After ranking potential threats, developers follow the same “design, code, test” process, but in this case they eliminate potential vulnerabilities instead of just adding functionality.

The Open Software Assurance Maturity Model (OpenSAMM) has additional best practices for how to integrate software assurance into the design process.

Step 4: Begin to integrate the right tool sets

At some point, you’ll want to start integrating tool sets to facilitate SSA. Look for solutions with the following features:

  • Static analysis tools, which you will use during development to find issues in source code as part of the build process.
  • Dynamic analysis tools, which will attack the application using techniques a hacker might employ and uncover vulnerabilities.
  • A management framework and application governance capability to help you manage a program around testing. You’ll need a tool that can both aggregate testing results and manage issue remediation.
  • Integration of your security tools and their metadata into your ALM environment so that security requirements and defects can be managed as part of the milestone progress or iteration/sprint deliverables.
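To make the static-analysis item above concrete, here is a small build-gate checker, added as an illustration for this article; it is not an HP or Fortify tool and not code from the original page. It parses Python source with the standard `ast` module, flags a handful of well-known dangerous call patterns (`eval`/`exec`, unpickling, unsafe `yaml.load`, `subprocess` with `shell=True`), and returns a non-zero exit status so a CI step fails when a blocking finding is present. The rule identifiers (PY001 to PY004), the `scan_source` and `build_gate` names and the embedded sample source are all constructed for this example.

```python
"""Minimal AST-based static analysis gate (added illustration, not an HP/Fortify tool).

Scans Python source for a few well-known dangerous call patterns and is meant
to run as a build step: non-zero exit status when a blocking finding exists.
"""
import ast
import sys
from dataclasses import dataclass

# Hypothetical rule set for this example: dotted callee name -> (rule id, message)
DANGEROUS_CALLS = {
    "eval": ("PY001", "eval() executes arbitrary code"),
    "exec": ("PY001", "exec() executes arbitrary code"),
    "pickle.loads": ("PY002", "unpickling untrusted data allows code execution"),
    "pickle.load": ("PY002", "unpickling untrusted data allows code execution"),
    "yaml.load": ("PY003", "yaml.load without SafeLoader constructs arbitrary objects"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Return the dotted callee name, e.g. 'pickle.loads', or '' if not resolvable."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            rule, msg = DANGEROUS_CALLS[name]
            self.findings.append(Finding(rule, node.lineno, msg))
        # subprocess.* with shell=True hands the command string to /bin/sh
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(
                        Finding("PY004", node.lineno, "subprocess call with shell=True (command injection risk)")
                    )
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Parse the source and return findings ordered by line number."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def build_gate(source: str, fail_on=("PY001", "PY002", "PY003", "PY004")) -> int:
    """Print every finding; return 0 if nothing blocks the build, else 1 (CI exit status)."""
    findings = scan_source(source)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    return 1 if any(f.rule in fail_on for f in findings) else 0


# Constructed sample input for this example (not from any real project).
# Note that yaml.safe_load on line 10 is the safe alternative and is not flagged.
SAMPLE_SOURCE = '''\
import pickle, subprocess, yaml

def load_session(blob):
    return pickle.loads(blob)

def run(cmd):
    return subprocess.run(cmd, shell=True)

def parse_config(text):
    return yaml.safe_load(text)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    sys.exit(build_gate(SAMPLE_SOURCE))
```

Run it as a build step (for instance `python gate.py || exit 1` in a CI job) and it reports three findings in the sample and exits 1; a real static analysis product does the same thing with far richer dataflow rules, but the integration point, a failing build on blocking findings, is the same one the list above describes.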

The security team needs to free up time to focus on perimeter security, where hackers are targeting an increasing number of attacks. That’s possible only when the apps team is empowered to ensure code security from the start. For more information on getting started with software security assurance, read Fortify’s “Why Software Security Assurance?” page.
