jump to navigation

Security in the Development Process November 21, 2013

Posted by karlkaluzny in Security.

I think that most people can agree that in this day and age, security is becoming more and more important with respect to software development.  If we assume that this is true, the question then becomes how can and should security be implemented into the system development process today.

The overall best way to include security into system design is to integrate it into the business culture.  A business culture is “…the values and practices shared by the members of the group…” or “…the shared values and practices of the company’s employees.” [1]  Security should be one of the shared values and practices that is shared by the employees of a company.  By doing this, it should always be on the back of the mind of each employee.  This should in turn reduce the blunders made by employees (i.e. being careless with security activities) which typically lead to security breaches.  I think that having a culture focused on security along with innovation is the best combination.  This has the greatest potential to lead to innovative new ideas for promoting security.  Additionally, if security is part of the business culture, then there is a much better chance that security activities will be integrated into software development activities.

I have limited experience with security in my job.  The article titled “Why Cryptosystems Fail” by Ross J. Anderson [2] highlights an important distinction between having a centralized security team or not.  The company at which I work does not have a centralized security team.  Security is a small part of the culture as well.  Security is mostly addressed; however, as part of the development process.  There is always a set of specific security requirements which follows the same process as any other functional requirement.  The problem with this approach to security is that it is handled by software developers who either don’t enjoy security tasks, or aren’t skilled in carrying out security tasks, or both.  For this reason I think that it would be beneficial to have a centralized security team.  However, the downside to this would be that there is yet another team within the organization that has a role in the development process and will necessarily add more overhead to the project development time.


[1] Reh, F. John, Company Culture: What it is and how to Change it. http://management.about.com/cs/generalmanagement/a/companyculture.htm

[2] Anderson, Ross J.  Why Cryptosystems Fail, November 1994, Communications of the ACM, Volume 37, Issue 11.



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: