Gartner Blog Network


Building a Software Assurance Program

by Neil MacDonald  |  September 28, 2010

I work with clients daily on how to change their development (and procurement) processes to produce more secure code. I wrote in this blog that application security cannot be solved with technology alone, yet I still run into organizations trying to solve their application security problems with the purchase of a static or dynamic application security testing tool. Based on my clients' experiences, the hardest part of the change is in people and processes. The good news is that there is a growing body of free information to help enterprises learn what other organizations have done.

Microsoft provides free guidance based on its own internal experiences on its Secure Development Lifecycle website.

IBM provides a similar document based on its own development practices: "The IBM Secure Engineering Framework".

I've also written previously on the good work coming out of OWASP and on the work done by the Build Security In Maturity Model (BSIMM) team.

Technology alone cannot solve what is fundamentally a process problem. Use these resources to learn best practices for building a workable software assurance program that addresses people, process and technology.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
