The Ten Best Practices for

Secure Software Development

Mano Paul, CSSLP, CISSP, AMBCI, MCAD, MCSD, Network+, ECSA

Introduction
Building secure software is the responsibility of all the stakeholders
“In the 80’s we wired the world with
involved with the software development lifecycle (SDLC). While
the security of software can be attributed to the technologies cables and in the 90’s we wired the world
chosen or processes followed, eventual accountability is ascribed with computer networks.Today we are
to the people building it. Inherently secure technologies are wiring the world with applications (software).
limited and in cases when chosen, the likelihood that they are
implemented securely is isolated. Many times, the processes
Having a skilled professional capable of designing,
that are in place to aid in the security of software end up being developing and deploying secure software is
circumvented, victims of the iron triangle of project scope, now critical to this evolving world.”
schedule, and budget.
Mark Curphey,
(ISC)2®’s mantras, “It’s the People” and “Security Transcends Director & Product Unit Manager, Microsoft Corporation,
Technology” best epitomizes the fact, that the “people” Founder of Open Web Application Security Project (OWASP)
component of security is crucial in building secure software.
(ISC)2’s whitepapers, The Need for Secure Software, Software
Assurance: A Kaleidoscope of Perspectives, and Software Security: a secure software lifecycle professional should follow to build
Being Secure in an Insecure World, address the “Why”, “What” secure, hack-resilient, and compliant software.
and “How-Tos” of designing, developing, and deploying secure
software. This whitepaper focuses on the human element –
the “Who” and will center around “The Ten Best Practices” that The Ten Best Practices
Software development involves many stakeholders, as depicted in
Figure 1a. They can range from the analyst (business/requirements),
Figure 1. Stakeholders in the SDLC to architects, coders, testers, and operations personnel. Development
can also include management (product/project/personnel), and
in some cases even executive-level management. Additionally
Top Management
Auditors Business Unit Heads included may be members from the security and audit teams.

Client Side PM IT Manager 

Industry Group Requirements

Delivery Heads Security Specialists

Business Analysts Application Owners

Developers/Coders
Quality Assurance 24
Managers hours
Technical Project Managers/
Architects Team Leads

www.isc2.org
A secure software lifecycle professional (SSLP) is any stakeholder Security is a never-ending challenge. As the cybercriminals evolve,
who is responsible for building software with the goal of ensuring so must the defenders. It’s the defenders and their organizations
that the software built is not susceptible to security breaches. that need to stay a step ahead of cybercriminals or else they will
It must be understood that no software is 100% secure. However, be held responsible for security breaches. Breaches leading to
software can be designed, developed, and deployed with a secure critical situations such as disclosure of customer information, denial
mindset, factoring in necessary security controls that minimize the of service, and threats to the continuity of business operations
likelihood of exposure and the impact if exploited. The following can have dire financial consequences. Yet the real cost to the
practices can help fulfill the SSLP’s mission of building hack- organization will be the loss of customer trust and confidence in the
resilient software. organization’s brand. Such a loss may be irreparable and impossible
to quantify in mere monetary terms. Etched in the forefront of
the mind of any SSLP must be the need to protect the brand,
customers trust. Fundamentally, the recognition that the organization
The Ten Best Practices is obligated to protect the customers should powerfully motivate
the organization in creating more secure software.
As a SSLP, you must protect the brand your customers trust.
1. Protect the Brand Your Customers Trust

2. Know Your Business and Support it with Best Practice #2: Know Your Business and Support
Secure Solutions
it with Secure Solutions
3. Understand the Technology of the Most skilled security professionals agree that, along with a strong
Software background in technology, a thorough understanding of the
4. Ensure Compliance to Governance, business is of paramount importance when it comes to creating
Regulations, and Privacy secure solutions for that business. Though some purist security
technologists may find it difficult to accept, it is nevertheless
5. Know the Basic Tenets of Software true that security is there for the business and not the other
Security way around. Security exists to enable the business, not to be
an impediment. The answer to the question, “Why were brakes
6. Ensure the Protection of Sensitive
Information invented?” could be answered in two ways: to prevent the vehicle
from an accident, or to allow the vehicle to go faster. Security
7. Design Software with Secure Features is similar; it can prevent the business from a crash, or allow the
business to go faster.
8. Develop Software with Secure Features
For a SSLP, understanding the business can help in the
9. Deploy Software with Secure Features identification of regulatory and compliance requirements,
applicable risk, architectures to be used, technical controls to
10. Educate Yourself and Others on How to be incorporated, and the users to be trained or educated. For
Build Secure Software
example, an internet banking organization will need to deal with
regulatory requirements such as financial privacy, safeguards, and
pretexting rulesc as part of its compliance with the Gramm Leach
Bliley Act (GLBA). The organization will have to address the risk of
Best Practice #1: Protect the Brand Your disclosure of personally identifiable and financial information, the
Customers Trust need to have multi-factor authentication architecture, encryption,
authentication, authorization, and auditing controls, as well as the
The Harvard Business Review special publication, “Breakthrough
need to educate employees on social engineering and phishing.
Ideas for 2008,”b listed “Cybercrime Service Economy” as one
A retail merchant may need to comply with the Payment Card
of the top 20 transformations of the business world. Scott
Industry Data Security Standard (PCI DSS) depending on how
Berinato, Executive editor of CSO magazine, who contributed to
they handle credit card transactions.
the publication, asserts that the new breed of hackers don’t just
cause interruptions to a business, but threaten it by undermining As a SSLP, you must know your business and support it with
commercial confidence and customer trust. His conclusion is secure solutions.
noteworthy; in the event of cybercrimes, victims will look for
someone to be held responsible, and it will not be the hackers
but the brands that the victims trusted to protect them.

www.isc2.org
Best Practice #3: Understand the Technology
of the Software “Compliance is often thought of as a finish
Not only is it critical to know the business, but one must have line for an organization’s security.  That’s the
a strong background in technology to be effective in building
or buying secure software. A lack of understanding of the
wrong mindset.  Validation to compliance is merely
technology used to build or buy software can lead to insecure a snapshot in time illustrating the current state
implementations of the software. of security against set criteria.  Compliance should
When it comes to building the software in-house, a thorough be considered as organic as an organization’s
understanding of the existing infrastructural components, such as business model.  Even more so as the threat
network segregation, hardened hosts, and public key infrastructure,
is necessary to ensure that the deployment of the software will, landscape continually evolves alongside
first, be operationally functional and, second, not weaken the advancements in technology.”
security of the existing environment. In other words, understanding Troy Leach, CISSP, CISA
the interplay of your current technological components with the Technical Director,
software you build and/or deploy will help determine the impact PCI Security Standards Council
on overall security. Further, understanding the technology used in
building software can help towards making decisions that favor
security. As an example, knowing that managed code (.Net and
Java) have less likelihood of memory corruption and thus are less Best Practice #5: Know the Basic Tenets of
susceptible to overflow attacks than unmanaged code (C/C++), Software Security
would help in choosing newer-generation managed code as part
When it comes to secure software, there are some tenets
of the coding standard to develop software.
with which the SSLP must be familiar. These basic tenets are:
With software procurement, it is vital to recognize that vendor protection from disclosure (confidentiality); protection from
claims regarding the ‘security’ features need to be scrutinized and alteration (integrity); protection from destruction (availability);
verified for implementation feasibility within your organization. who is making the request (authentication); what rights and
The mere presence of security features in a product does not privileges does the requestor have (authorization); the ability
necessarily mean that the product is secure. The appropriate to build historical evidence (auditing); and the management of
and correct implementation of the security features is what configuration, sessions, and exceptions. Knowledge of these basic
helps make a product secure. tenets, and how they can be implemented in software, is of vital
As a SSLP, it’s critical to understand the technology of the software. importance for the SSLP.
Some mechanisms that can be implemented to support these
tenets are described below. Encryption, for example, can serve
Best Practice #4: Ensure Compliance to
as a confidentiality control, while hashing can serve as both a
Governance, Regulations, and Privacy
confidentiality control and integrity control. Encryption uses
In this day and age, an industry that is not regulated is more the algorithms to convert humanly-readable information (plaintext)
exception than the norm as opposed to just a few years ago into non-readable cryptic (ciphertext) form. Decryption is
when the industry that was regulated was the exception. the process of converting the ciphertext back into plaintext.
The increase in regulatory and privacy requirements imposes Encryption and decryption require a key that is held secretly to
a serious burden on organizations. Governance, Risk, and perform their operations.
Compliance (GRC) is not just an industry buzz phrase, but a
Encryption algorithms can be either symmetric or asymmetric.
reality and a means toward meeting regulatory and privacy
Symmetric algorithms use the same key to encrypt and decrypt
requirements. As a SSLP, one must understand the internal
and while this may be fast, the number of keys required to manage
and external policies that govern the business, its mapping
communication between parties can become cumbersome very
to necessary security controls, the residual risk from post
quickly and make key management a challenge. Asymmetric
implementation of security controls in the software, and the
algorithms use different keys for encryption and decryption, also
evergreen aspects of compliance to regulations and privacy
known as a public-private key pair. Certificates are used to share
requirements.
the public key and the existence of a public key infrastructure is
As a SSLP, you must ensure governance, risk, and compliance necessary. This is a lot slower than symmetric algorithms but key
to regulations and privacy. distribution and management is simplified.

www.isc2.org
Hashing on the other hand uses mathematical functions that Best Practice #6: Ensure the Protection of
are one-way. The difference between encryption and hashing is Sensitive Information
that with encryption, the original value can be re-factored; with In addition to ensuring that the brand your customers trust is
hashing, this is not possible. Any value passed in is rehashed with protected, it is essential that any sensitive information be protected
the same function and then compared for validity. Hashing is more as well. Sensitive information refers to any information upon which
an integrity measure to detect tampering of data or files, but can the organization places a measurable value. By implication, this is
be used for protecting sensitive information like passwords when information that is not in the public domain and would result in loss,
stored and used for authentication. damage, or even business collapse should the information be lost,
Proper load-balancing and load-monitoring functionality in your stolen, corrupted, or in any way compromised. Sensitive information
software can protect against destruction or denial of service, and may be personal, health, financial, or any other information that can
ensure availability. Password, token, or biometric means to identify affect the competitive edge of your organization.
and validate one’s credentials are examples of authentication While it is easy to identify the sensitivity of certain data elements
mechanisms, while role-based access control that the software such as, health records or credit card information, other elements
checks is an example of authorization control. Secure software may not be that evident. Determination of what is sensitive
must also log and record all administrative, critical, and key and what is not can be accomplished by undertaking a data
business transactions so that a historical audit trail can be built classification exercise, with the business stakeholders involved in
when necessary. Configuration information must be treated as this process. Software that either transports, processes, or stores
sensitive information and protected. Sessions should be unique sensitive information must build in necessary security controls to
to prevent any replay or hijacking attacks, and generic and laconic protect this information.
exception messages must be explicitly specified to prevent
disclosure of too much information. A SSLP must be familiar with data classification and protection
mechanisms against disclosure. Data classification is the conscious
As a SSLP, it’s critical to know the basic tenets of software security. decision to assign a level of sensitivity to data as it is being created,
amended, stored, transmitted, or enhanced. The classification of
the data should then determine the extent to which the data
needs to be controlled/secured. Figure 2 depicts an example of
a flowchart that can be used to classify information.
As a SSLP, you have to ensure the protection of sensitive information.

Figure 2. Example of a data classification flowchart

Data

Yes Minimal/No Yes Minimal/No Yes

Is Publicly Impact on
Disclosed? Public Damage on Low Support
Alteration Destruction

No No No

Is Disclosed Yes Significant Yes Significant Yes

by Roles? Confidential Damage on Medium Impact on Essential
Alteration Destruction

No No No

Is Disclosed Yes Critical Yes Critical Yes

by Restricted Restricted Damage on High Impact on Critical
Roles? Alteration Destruction

Confidentiality Integrity Availability

www.isc2.org
Best Practice #7: Design Software with In addition to understanding how to threat model software,
Secure Features a SSLP must be aware of how to implement secure design
The MSDN article on “Lessons Learned from Five Years of Building principles. The well-acclaimed paper “The Protection of
More Secure Software,”d under the heading “It’s not just the code,” Information in Computer Systems”e by Saltzer and Schroeder
highlights that many software security vulnerabilities are not coding lists some very sound design principles, as shown in Table 1.
issues at all but design issues. When one is exclusively focused As a SSLP, you must design software with secure features.
on finding security issues in code, that person runs the risk of
missing out on entire classes of vulnerabilities. Security issues in
design and semantic flaws (ones that are not syntactic or code Best Practice #8: Develop Software with
related), such as business logic flaws, cannot be detected in code Secure Features
and need to be inspected by performing threat models and abuse Designing for security in software is futile unless you plan to act
cases modeling during the design stage of the SDLC. on the design and incorporate necessary secure controls during
Threat modeling is an iterative-structured technique used the development stage of your software development lifecycle.
to identify the threats to the software being built. It starts by It is imperative that secure features are not ignored when design
identifying the security objectives of the software and profiles it. artifacts are converted into syntax constructs that a compiler or
It breaks the software into physical and logical constructs interpreter can understand. Writing secure code is no different
generating the software context that includes data flow diagrams, than writing code that is usable, reliable, or scalable.
and end-to-end deployment scenarios, identifying entry and exit
points, protocols, components, identities, and services.
“Security is just another attribute of software
Attack surface analysis is a subset of threat modeling and can
be performed when generating the software context in which
like usability, performance, reliability, scalability.
sections of the software exposed to un-trusted users is analyzed The idea of incorporating security into the
for security issues. Once the software context is generated, SDLC begins with evaluating the relative
pertinent threats and vulnerabilities can be identified.
importance of this attribute and then going on
Threat Modeling is performed during the design stage so that
to incorporating controls in line with that.”
necessary security controls (safeguards) can be developed
during the development phase of the software. Tallah Mir
Sr. Program Manager
Microsoft

Table 1. Adapted from the Saltzer & Schroeder Protection of Information in Computer Systems

Design Principle What is it? Example

Modular code, Shared objects, and
Economy of mechanism Keeping the design simple and less complex Centralized services

Fail-safe defaults Access denied by default and granted explicitly Denied transaction
Checking permission each time subject requests
Complete mediation access to objects Credentials not cached

Open design Design is not a secret, implementation of safeguard is Cryptographic algorithms

Separation of privilege More than one condition is required to complete a task Split keys, Compartmentalized functions

Non-administrative accounts,
Least privilege Rights are minimum and users granted access explicitly Need to know
Common mechanisms to more than one user/
Least common mechanisms process/role is not shared Role based dynamic libraries and functions

Security protection mechanism unbeknownst to

Psychological acceptability Help dialogs, Visually appealing icons
the end user for ease of use and acceptance
5

www.isc2.org
Controls, which address the basic tenets of software security, retrofitting it into the development environment. The latest
must be validated through security code reviews and security version in the development environment does not have the fix
testing. It is recommended that security code review be and the issue reappears in subsequent versions of the software.
performed while the code is reviewed for functionality, and before To deploy secure software, it is also recommended that software
the software is released for testing. Security code reviews can be undergo vulnerability assessment and penetration testing in a
manual or automated. Code review tools are not a panacea and pre-production environment and, if need be, in the production
can assist only to a certain degree to identify sections of code that environment with tight control. This will help make evident the
need attention. To keep the false positive and false negative rate potential issues that may be uncovered by an attacker, and gives
to a minimum, tools often miss certain vulnerabilities. Therefore, the software development team insight into the weak areas of
automated code review should never be undertaken in lieu the software.
of human (manual) reviews. Definition of the scope of what is
being reviewed, the extent of the review, coding standards, Secure deployment ensures that the software is functionally
secure coding requirements, code review process with roles operational and secure at the same time. It means that software
and responsibilities, and enforcement mechanisms, must be is deployed with defense-in-depth, and attack surface area is
pre-defined for a security code review to be effective. not increased by improper release, change, or configuration
management. It also means that assessment from an attacker’s
Security testing should complement existing functionality testing. point of view is conducted prior to or immediately upon
At a bare minimum, tests for common software vulnerabilities, deployment. Secure design and development of software must
such as overflow and injection flaws, and testing the behavior of be augmented with secure deployment.
software to unexpected and random input formats (fuzz testing)
should be conducted in testing environments that emulate the As a SSLP, you must deploy software with secure features.
configuration of the production environment. Other tests for
stress and performance need to be conducted as well, as they Best Practice #10: Educate Yourself and Others on
directly relate to the “availability” tenet of security. A SSLP should How to Build Secure Software
not only ensure that the code written is secure, but also know
how to write secure code, conduct, perform, and orchestrate The need to design, develop, and deploy more secure software
code reviews and security testing. is evident from the security incidents prevalent in the industry,
and the plethora of regulations and privacy requirements one
As a SSLP, you must develop software with secure features. needs to comply with. The modus operandi of software today is
the infamous release-and-patch cycle.
Best Practice #9: Deploy Software with To combat this vicious cycle of release-and-patch, there is a
Secure Features need for a change – to create a culture that factors in software
Most software development teams would agree that, often, security from the very beginning by default. Creating a security
software that works without any issues in development and test culture can be accomplished through education. The National
environments will start experiencing hiccups when deployed/ Institute of Standards and Technology (NIST) states that education
released into a more hardened production environment. Post should cause a change in attitudes, which in turn will change
mortem analyses in a majority of these cases reveal that the the organizational culture. In essence, this cultural change is the
development and test environments do not properly simulate realization that IT security is critical because a security failure has
the production environment. Fundamentally, this is a configuration potentially adverse consequences for everyone and, therefore,
management issue. Changes made to the production environment IT security is everyone’s job.f Even the most expensive security
should be retrofitted to the development and test environments measures can be thwarted by people, and educating people about
through proper change management processes. software security is of paramount importance.

Another related issue is release management of software which Not only must one be educated, but they must also be willing to
should include proper source code control and versioning. share their knowledge. As Charles Dickens once wrote, “Change
A phenomenon that one might refer to as “regenerative bugs” is begets change.” When one who is educated in turn educates
often observed when it comes to improper release-management others, there will be a compound effect towards creating the
processes. Regenerative bugs are fixed software defects that much-needed security culture.
reappear in subsequent releases of the software. This happens As a SSLP, it’s important to educate yourself and others on how to
when the software coding defect (bug) is detected in the testing build secure software.
environment (such as user-acceptance testing) and the fix is made
in that test environment and promoted to production, without

www.isc2.org
Conclusion About the Author
The McKinsey report, “The War for Talent,” released in 1998
g
Mano Paul, CSSLP, CISSP, AMBCI, MCAD, MCSD, Network+,
predicted that the most important corporate resource over the ECSA is CEO and President of Express Certifications and
next 20 years would be talent. It’s been a decade since the report SecuRisk Solutions, companies specializing in professional training,
was published, and when it comes to software security talent, this certification, security products and security consulting. His security
prediction could not have been any more accurate. Advancement experience includes designing and developing software security
in security technologies and improvements in processes, such as programs from Compliance-to-Coding, application security risk
the secure development lifecycle and trustworthy computing, management, security strategy and management, and conducting
has accelerated. People without proper knowledge of software security awareness sessions, training, and other educational
security can circumvent even the most carefully thought-out activities. He is currently authoring the Official (ISC)2 Guide to
security implementations. the CSSLP, is a contributing author for the Information Security
The importance of educating people and creating a culture that Management Handbook, writes periodically for Certification,
views software security as second nature is crucial. The newest Software Development and Security magazines and has
certification from (ISC)²®, the Certified Secure Software Lifecycle contributed to several security topics for the Microsoft Solutions
Professional (CSSLPCM), is a step in that direction. Covering areas Developer Network. He has been featured in various domestic
that ensure security is considered throughout the entire software and international security conferences and is an invited speaker
lifecycle, the CSSLP is created around the specific need for and panelist in the CSI (Computer Security Institute), Catalyst
building security in the software lifecycle. (Burton Group), TRISC (Texas Regional Infrastructure Security
Conference), SC World Congress, and the OWASP (Open Web
Software development involves various stakeholders. Those tasked Application Security Project) application security conferences.
to build software securely must follow certain directives. These He can be reached at mano.paul@expresscertifications.com
“Ten Best Practices for a Secure Software Lifecycle Professional” or mano.paul@securisksolutions.com.
when followed will ensure that the SSLP build secure, hack-
resilient, and compliant software.

a Frost & Sullivan (ISC)2 Software Assurance Credential (SwAC) Study.

People without proper knowledge of software b Harvard Business Review - Breakthrough Ideas for 2008.
security can circumvent even the most carefully http://thelist.hbr.org
c The Gramm-Leach Bliley Act.
thought-out security implementations. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
d L essons Learned From Five Years of Building More Secure Software.
http://msdn.microsoft.com/en-us/magazine/cc16330.aspx
About (ISC)²® e S altzer, J.H. and Schroeder, M.D., The Protection of Information in Computer Systems.
http://web.mit.edu/Saltzer/www/publications/protection/
The International Information Systems Security Certification
f N
 IST Special Publication 800-16; Information Technology Security Training Requirements:
Consortium, Inc. [(ISC)2®] is the globally recognized Gold Standard A Role- and Performance-Based Model.
for certifying information security professionals. Founded in http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
1989, (ISC)² has now certified over 60,000 information security g The War for Talent, McKinsey
http://www.mckinseyquarterly.com/The_war_for_talent_305
professionals in more than 130 countries. Based in Palm Harbor,
Florida, USA, with offices in Washington, D.C., London, Hong
Kong and Tokyo, (ISC)2 issues the Certified Information Systems
Security Professional (CISSP®) and related concentrations,
Certified Secure Software Lifecycle Professional (CSSLPCM),
Certification and Accreditation Professional (CAP®), and Systems
Security Certified Practitioner (SSCP®) credentials to those
meeting necessary competency requirements. (ISC)² CISSP and
related concentrations, CAP, and the SSCP certifications are
among the first information technology credentials to meet the
stringent requirements of ANSI/ISO/IEC Standard 17024, a global
benchmark for assessing and certifying personnel. (ISC)² also
offers a continuing professional education program, a portfolio
of education products and services based upon (ISC)2’s CBK®, a
compendium of information security topics, and is responsible for
the (ISC)² Global Information Security Workforce Study. More
information is available at www.isc2.org.
7

www.isc2.org