Process Improvements

Ignoring for just a moment the education required for the entire development team (I'll address education issues in detail in the next section, "The Role of Education"), we need to update the software development process itself. What I'm about to propose is not complex. To better focus on security, you can add process improvements at every step of the software development life cycle, regardless of the life cycle model you use.

Figure 2-1 shows some innovations that will add more accountability and structure in terms of security to the software development process. If you use a spiral development model, you should just bend the line into a circle, and if you use a waterfall approach, simply place a set of downward steps in the background! I'll discuss each aspect of these process improvements (and other matters also important during various steps in the process) in detail throughout this chapter.

Figure 2-1. Incremental security improvements to the development process.

You'll notice that many parts of the process are iterative and ongoing. For example, you don't hire people for your group only at the start of the project; it's a constant part of the process.

The best example of an iterative step in a software development process that makes security a high priority is the first step: education. I think the most critically important part of delivering secure systems is raising awareness through security education, as described in the next section.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2001
Pages: 286
