"3 Activities for Making Software Secure by Design"
According to Robert Schiela, technical manager of the Secure Coding group at the Carnegie Mellon University (CMU) Software Engineering Institute (SEI), and Carol Woody, a principal researcher in the SEI's Computer Emergency Response Team (CERT) Division, current efforts to build secure code and implement risk-mitigation security controls are useful but insufficient to address the cybersecurity challenges of modern technology. Functional design and engineering decisions can pose security risks. The longer security is overlooked, the greater the likelihood of costly mitigations, as redesigning may be necessary. Before approving the implementation of a system, security experts could review its design and mandate redesigns. Developers should identify and address vulnerabilities as they create and unit test their code. Creators and suppliers of technology must incorporate security risk management into their standard system design and engineering practices. Software, hardware, firmware, reused components, and services must all be considered when assessing security risk. Security risk considerations must be integrated throughout the lifecycle processes, which requires effective planning and tooling as well as monitoring and measuring. This article continues to discuss making software secure by design.