Software security is an integral part of the software development life cycle (SDLC).
Constraints Security needs to take into account constraints such as budget, time and target architecture.
Example: from a security point of view design methodologies such as SOA
ToolsSecurity development life cycle tools can help establish security requirements, create quality gates, perform risk assessments, model threats and identify common and known vulnerabilities.
Security testing tools can automate tasks such as vulnerability and penetration testing.
TechniquesTechniques such as security design patterns are critical to the process of building secure software.
Common vulnerabilitiesIt is important to consider common security vulnerabilities when designing, developing and testing software.
Known vulnerabilitiesKnown vulnerabilities in components, APIs, servers and algorithms need to be investigated.
Common threatsCommon threats to software such as SQL injection and cross-site scripting need to be considered at each step of the SDLC.
Security Architecture and DesignSecure software development begins with a secure architecture and design. Design faults generally represent more serious vulnerabilities than software bugs.
Security ReviewsAfter code is developed there should be a series of both informal and formal code reviews. Developers can often identify weaknesses in the code that are difficult to discover in testing.
Security TestingIt is possible to automate many black box security tests such as vulnerability scans and penetration tests.
It is important for a security analyst to go further and identify key risks in the software. Test cases should consider the overall architecture and likely vulnerabilities and threats. In other words, security testing should be driven by risk identification.