by Neil MacDonald | September 28, 2010
I work with clients daily on how to change their development (and procurement) processes to produce more secure code. I wrote in this blog that application security cannot be solved with technology alone, yet I still run into organizations trying to solve their application security problems with the purchase of a static or dynamic application security testing tool. Based on my clients’ experiences, the hardest part of the changes is in people and processes.

The good news is there is a growing body of free information to help enterprises learn what other organizations have done.
Microsoft provides free guidance based on its own internal experiences on its Secure Development Lifecycle website.
IBM provides a similar document based on its development practices – “The IBM Secure Engineering Framework”.
Technology alone cannot solve what fundamentally is a process problem. Use these resources to learn best practices in building a workable software assurance program that addresses people, process and technology.