Is In-House Development Causing Compliance Breaches?
Share This -
Thursday, 03 September 2009
By Lauren Taylor
It is well known that compliance and security problems are often a direct result of deficiencies within application software. As network security improves, attacks are targeted toward applications from the Internet. This leads compliance professionals to pay lots of attention to software engineering practices.
The challenge for in-house teams is to avoid the ever-present penetrate-and-patch approach to compliance by developing more secure code in the first place. Why wait until the doors are literally open to see how you can protect systems?
It's no wonder that including compliance and security early in the requirements and development stages will result in less expensive and more effective security than trying to tack it on at the end, or, worse yet, after the development lifecycle. There should be an awareness and focus on how to integrate key controls from ISO 17799 -- the international compliance standard -- into all phases of the software development life cycle (SDLC) process.
From inception to implementation, SDLC is a proven framework that has evolved over time for successfully developing software. The different models -- i.e., "waterfall versus agile" -- will not be addressed here. However, regardless of which SDLC model is used, there are uniform phases that need to be included. These are:
Project initiation and requirements definition
System design specifications
Develop and document
Implementation (transition to production)
Operations and support (post installation)
Evolution and disposal
To successfully include compliance and security in any SDLC model, the development process must:
Be based on principles that adhere to a recognized standard for information security and privacy
Be focused on risk analysis and compliance
Include tasks and steps designed to ensure compliance to standards such as ISO 17799 and other regulations
Include security/data privacy/regulatory requirements, approvals and validation points
Have senior IT management support as well as commitment from information and business process owners
Several technology vendors offer what is called a "security development life cycle" method for understanding and implementing best practices. There are also several highly specialized organizations that can provide valuable training and coaching on the latest threats and vulnerabilities. It is much easier and less costly to "bake in" controls rather attempt to "brush them on" after the fact.
Be prepared, though, to face some cultural challenges, as fundamental change is not easy. This is especially true when it comes to spending time and money on what is perceived as "non-functional" deliverables. The greatest design can be overshadowed by exploits in systems with poorly designed security controls. Costs of non-compliance often exceed development costs.
Only registered users can write comments. Please login or register.