I work with clients daily on how to change their development (and procurement) processes to produce more secure code. I wrote in this blog that application security cannot be solved with technology alone, yet I still run into organizations trying to solve their application security problems with the purchase of a static or dynamic application security testing tool. Based on my clients' experiences, the hardest part of the change is in people and processes. The good news is that there is a growing body of free information to help enterprises learn what other organizations have done.
Microsoft provides free guidance based on its own internal experiences on its Secure Development Lifecycle website.
IBM provides a similar document based on its own development practices – “The IBM Secure Engineering Framework”.
Technology alone cannot solve what fundamentally is a process problem. Use these resources to learn best practices in building a workable software assurance program that addresses people, process and technology.