CHAPTER 9
Secure Development Methodologies

We’ll Cover

• Baking security in

• The holistic approach to application security

• Industry standard secure development methodologies and maturity models

Until now, this book has been focused on explaining principles of web application security, with a good dose of vulnerability and exploit examples added in so that you can really appreciate the potential dangers involved. We hope you’ve learned some new things—and we hope you can still sleep at night—but one big question remains: how do you fix all of these problems?

On a case-by-case basis, most (although definitely not all) web application security vulnerabilities are simple enough to fix. But playing Whac-a-Mole with vulnerability remediation—find a vuln, fix a vuln; find a vuln, fix a vuln—is a terrible solution. In this chapter, we’ll look at much better, more proactive security-oriented development practices. Instead of trying to “brush security on” at the end of the development process, you’ll learn how to “bake security in” from the very beginning. And while you might be concerned that this will slow you down, or cost too much in time or money, we’ll show some data that proves exactly the opposite: by addressing security issues at the start, you’ll actually save yourself time and money.
