Most Corporations Lack Proper SDLC

"The current state of secure software development by corporations both large and small is a mess.

Software vendors need to realize that they must begin exercising due
diligence when producing their software products. Microsoft dedicated
itself to secure development practices some years ago, yet its
developers are still taking months to fix reported vulnerabilities. If
an industry giant like Microsoft cannot get a grip, it really does not
bode well for the rest of the industry.

While many companies make a passing attempt at improving their
software products, all too often other pressures win out. Software
companies that will delay a product's launch for the sake of a code
audit, third-party threat testing, or an extended quality-assurance
(QA) cycle are few and far between. Sadly, the secure development life
cycle (SDLC) is not always adhered to by the software vendors, and the
first casualty in this process is typically quality assurance." –
Securityfocus

Part of my job involves creating an SDLC for the company I work for.
Having spoken with many companies, both large and small, I agree
with this article that most companies haven't figured out proper
integration of security testing in development and QA. I consider this
sort of initiative to still be fairly new to the industry, with lots of
room for improvement. The real challenge is finding
the right balance for your specific development organization, and
understanding that one approach does not fit all, even within the same
company.

Article Link: http://www.securityfocus.com/columnists/476