Secure Software Development & Procurement

By implementing secure development procedures, the safety of the software can be ensured already during the development stage. Security cannot be applied to software as an aftertought. Solid security is built on addressing identified threats and following best practices.

Security is a vital consideration already in the early stages of the project, i.e. project requirement specification, procurement and design. Security should be considered as important as other quality factors when compiling program code or configuring a system. In other words, relevant issues should be addressed and best practices followed from the start.

Cost of a security fix or modification is significantly less when done in early stages of development rather than in testing or maintenance phase. An early security fix also becomes a genuine part of the software and is treated accordingly, instead of being just a separate patch to a symptom.

When information security is an integral part of development, the system can be accessed directly. This allows security experts to not only identify vulnerabilities but also isolate dormant weaknesses and risky solutions.

The security awareness and expertise of the developer team are as important as the information security of systems. Critical factors include addressing information security during the development process (Scrum, waterfall or other), information security documentation and audit practices, identification of new threats, secure design patterns as well as the allocation of safeguard responsibilities between the application and the architectural framework. In many companies, a software development security expert or team supports the developer team in these matters, and also provides instructions, guidelines and advice regarding information security.

Security in software specifications

Incomplete or even contradicting specifications lead to insufficient security implementation. Reaction to unexpected events or even known attack mechanisms are left undefined, leading to unexpected behavior of software and to potential vulnerabilities.

Ensuring compliance

Organizations need to comply to external requirements, such as Tietoturvatasot, privacy legislation or PCI, or consider recommendations such as VAHTI secure software development guidelines. 

Managing software security risk

To manage security risks and to accept the unmitigated ones, one must know what threats are involved and what protections apply to them. The owner of the system or software needs to manage acceptable risk and also ensure new risks are discovered as they emerge.

Information Security Inspections

Security auditing services from PCI audits to information system intrusion testing
Read more

Compliance Management

Bringing requirements under unified compliance management
Read more

Nixu Security Lead

Helping developer teams to build secure software from day one
Read more