
Application Security Should be Part of Your Design

Whether you’re developing for your intranet or exposing services to customers through web-based applications, security should be taken into account from the start. Before you plan your next project, consider these steps to building a more secure application:

Define security expectations

Security isn’t something that can be grafted onto an application after everything is put together. Instead of scrambling to fix security flaws after they surface, a proactive approach can ensure that certain classes of security errors never make it into an application at all.

Defining security expectations and methods of measurement in advance allows companies to assess and validate security during all phases of development. There’s no one-size-fits-all technique to securing applications and data, but the following approaches are a good starting point:

  • Make security measurements a project milestone just like features or other deadlines.
  • Add security verification to your quality checkpoints.
  • Plan time and resources for threat modeling.
  • For large or critical projects, consider putting together a team devoted to security.

Educate project teams

Security hasn’t always been a priority in application development, so not all developers, project managers and quality engineers have the training they need to design and implement software securely. Books and training are a good starting point, but there is no substitute for real-world experience.

  • Online and computer-based courses let workers learn at their own pace.
  • A good reference library allows teams to refresh their knowledge as needed.
  • A test lab where team members can interact with known exploits gives hands-on experience.
  • Sharing root-cause analysis with other teams helps avoid repetitive problems.
  • Discuss security with other professionals through organizations such as the Open Web Application Security Project or the Web Application Security Consortium.

Use the right tools

Team members need to be equipped with the tools and technologies that assist them in building applications securely from the start. In addition to bolstering your security efforts, the right tools can speed up otherwise manual security reviews. Common practices, frameworks and architectures can help ensure consistency throughout a company.

The most often recommended technology is static code analysis. Besides stopping security flaws at the front line, arming developers with analysis tools helps offset the additional time they spend developing secure code. Keep in mind that such tools only find the flaw classes their rules encode, and that untuned rules produce noise developers learn to ignore. Vulnerability scanners are another popular tool for identifying potential security weaknesses in a running application.
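To show the kind of rule a static analyzer applies, here is an added example (not code from the original page) that walks a Python file's syntax tree and flags database calls whose SQL is assembled at runtime from user-controlled strings, while leaving parameterised queries alone. The sample source it scans, including the `lookup_user` function and `cursor` names, is constructed for this example.

```python
"""Minimal static-analysis rule: flag SQL built by string formatting.

Added example, not code from the original page. The rule walks the AST
and reports calls to execute()/executemany() whose first argument is an
f-string, a % expression, a str.format() call, or concatenation that
involves anything other than literals. Parameterised queries pass.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


# DB-API methods whose first argument is executed as SQL.
_SQL_SINKS = {"execute", "executemany"}


def _all_literal(node: ast.AST) -> bool:
    """True if *node* is a string literal or a '+' chain of literals."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _all_literal(node.left) and _all_literal(node.right)
    return False


def _dynamic_reason(node: ast.AST) -> Optional[str]:
    """Return why *node* builds SQL at runtime, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "% formatting"
        if isinstance(node.op, ast.Add) and not _all_literal(node):
            return "string concatenation"
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_dynamic_sql(source: str) -> list[Finding]:
    """Scan Python *source* and return one Finding per risky SQL call."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in _SQL_SINKS
                and node.args):
            continue
        reason = _dynamic_reason(node.args[0])
        if reason:
            findings.append(Finding(node.lineno, f"SQL built with {reason}"))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample input: four injectable queries, one parameterised
# query, and one harmless concatenation of literals.
SAMPLE = '''\
def lookup_user(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = '%s'" % username)
    cursor.execute(f"SELECT id FROM users WHERE name = '{username}'")
    cursor.execute("SELECT id FROM users WHERE name = '" + username + "'")
    cursor.execute("SELECT id FROM users WHERE name = {}".format(username))
    # Parameterised: the driver keeps data separate from the SQL text.
    cursor.execute("SELECT id FROM users WHERE name = %s", (username,))
    cursor.execute("SELECT 1" + " FROM dual")
'''


if __name__ == "__main__":
    for finding in find_dynamic_sql(SAMPLE):
        print(f"line {finding.line}: {finding.reason}")
```

Run as a script it reports lines 2 through 5 of the sample and stays silent on the parameterised query and the literal-only concatenation. A real analyzer adds data-flow tracking so that a query assembled in a variable and executed later is caught too; this rule only looks at the call's own argument, which is exactly the kind of blind spot to know about when you wire such a check into a quality gate.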

Test, rinse, repeat

In the past, an application that worked and did what it was supposed to do generally satisfied customers. With recent media emphasis on security flaws and data leaks, organizations face increased testing requirements for flaws that, in many cases, are difficult to observe. Testing components in isolation is one necessary step; testing the pieces together then brings additional vulnerabilities to light. Fortunately, security testing tools have improved considerably in the past few years.

During testing, it’s important to discern why and how the application failed, not simply to find points of failure. Keep in mind that you’re developing against an adversary who will keep probing until they find an insecure failure mode in your application and exploit it; rigorous testing is a must.

Monitor security processes

No application stays secure on its own: dependencies age, configurations drift and new attack techniques appear. Monitoring security compliance through manual or automated processes can stop problems before they take hold. Like other security initiatives, monitoring works best when it is set up before projects start and standardized throughout an organization.
