Secure Software Development

Organisations store sensitive information to a large extent in custom developed applications designed and developed specifically for this purpose. Due to their nature security should be a crucial aspect of these applications and should be included in the software development life cycle.

Challenges

• Due to the rapid changes in the business environment, emphasis is on functionality development, not on security.
• Developing secure software needs special knowledge, tools and methodologies. Developers often lack this expertise.
• Security is often only thought of after breaches and attacks are detected.

Deloitte approach

The Deloitte approach focuses on embedding security in all phases of the development process:

• Analyse the current process against best-practices for secure software development.
• Define an updated process which includes security in all phases of the development: design, implementation, testing and operation.
• Assist the organisation in developing methodologies, templates, test-plans to implement the secure
  software development process.
• Deliver training to personnel involved in software development.
• Enable organisations to ensure that 3^rd party developments meet their requirements by implementing guidelines, assessment methodologies and processes.

Deloitte services

• Periodic training of developers on common security vulnerabilities, developer best practices and testing techniques.
• Definition of explicit security requirements based on relevant risks to the application.
• Measurement methodology on how security requirements were implemented in the application and how they have been tested.
• Definition of test-cases specifically to test the security of the application.
• Periodic security monitoring of the applications and any third party components for vulnerabilities after deployment.

Why Deloitte?

• Readily available methodologies for secure software development, including regulations, guidelines and assessment tools.
• Qualified team not only with deep understanding of security, but with experience in software development and testing.
• Complete service offering with support from design though implementation and testing to operation.