Effective Controls for Attaining Continuous Application Security Throughout the Web Application Development Life Cycle
- Learn How to Improve Web Application Security Throughout the SDLC
- Secure Web Application Development: People, Process, and Technology
- Essential Elements of Secure Software Development Life Cycle Processes
- How Technology Helps Enforce and Maintain the Secure SDLC
- Put Baselines in Place (But Keep it Simple in the Early Days)
Essential Elements of Secure Software Development Life Cycle Processes
A secure software development life cycle means having the policies and procedures in place that consider--and enforce--secure Web application development from conception through defining functional and technical requirements, design, coding, quality testing, and while the application lives in production. Developers must be trained to incorporate security best practices and checklists in their work: Have they checked their database query filtering, or validated proper input handling? Is the application being developed to be compliant with best programming practices? Will the application adhere to regulations, such as HIPAA or PCI DSS? Putting these types of procedures in place will dramatically improve security during the Web application development process. Having developers check field inputs and look for common programming mistakes as the application is being written also will make future application assessments flow much more smoothly.
While developers need to test and assess the security of their applications as they're being developed, the next major test of the software development life cycle processes comes after the Web application development is completed. This is when the entire application, or a module, is ready to be sent to the formal testing phase that will be conducted by quality assurance and security assessors. It's during this phase of the software development life cycle that quality assurance testers, in addition to their typical tasks of making sure performance and functional requirements are met, look for potential security problems.
Many companies make the mistake, during this phase, of not including members of the IT security team in this process. It's our opinion that IT security should have input throughout the software development life cycle, lest a security issue surface later in the Web application development process--and what could have been a small problem is now a big problem.
Putting these types of processes in place is difficult work, and may seem onerous at first. But the truth is that the payoff can be huge: your applications will be more secure and your future security assessments won't feel like fire drills. There are software development life cycle models and methodologies that could help direct you, such as the Application Security Assurance Program (ASAP), which puts a number of guiding principles in place necessary for building secure code, including executive commitment, considering security from the beginning of Web application development, and the adoption of metrics to measure coding and process improvements over time. A good primer is The Security Development Lifecycle by Michael Howard and Steve Lipner (Microsoft Press, 2006).