Acid test for secure development

The March 1, 2007 issue of CIO magazine lays out questions for customers to ask you about your software development environment, and how to evaluate the answers. The first 5 questions are in print:

1. Do you review security at each phase of the software development life cycle?
2. What methodologies do you use for security testing your products?
3. Do third parties conduct security assessments on your products?
4. Do you have security squads that attack your products prior to release?
5. Do you use automated tools for security testing or code review?

and they have another ten questions in the full online article here. I can tell you that most of the places I have worked would provide really poor answers to these questions even today.

For those of you out there with products products which have access to your customer's networks and data: get yourself a roadmap for developing the skills in your organization so that you can credibly answer these questions well. Educate your management to get the funding and time required. We've gotten away with some amazingly casual attitudes towards protecting our customers, but those days are rapidly vanishing.