You can create effective security activities based on the following high-ROI engineering activities:
- Security design guidelines
- Security architecture and design review
- Security code review
- Security testing
- Security deployment review
Rather than interspersing security in your existing activities, factor security into its own set of activities. Factoring security into its own workstream of quality control keeps the activities lean and focused. Because you’re leveraging high-ROI activities, you’re increasing the likelihood of influencing the shape of the software at strategic points. You create an engineering system that helps you address security throughout your software development rather than only up front or after the fact. Using multiple activities rather than a single big-bang effort up front or at the end creates an approach that scales up or down with project complexity and size.
The trick is to not over-invest at any one stage – stay leveraged. Rule out losing strategies early in the analysis, but still cast a wide net. Progressively more costly analysis happens later and is much more likely to be on the correct path. Don’t spend a lot on costly late activities until you’ve passed muster on the much less costly earlier ones. Start with low-cost, high-ROI activities, learn along the way, and iteratively add more time and expense as you better understand what you are doing.
Simply factoring security into its own activities doesn’t by itself produce effective security results. However, factoring security into focused activities does create a way to optimize your security efforts, as well as a lean framework for improving your engineering as you learn and respond.