Hey even the wsj noticed that software security is mission critical (emphasis added)
It’s not much of a secret that a lot of software has security flaws. One reason is that there aren’t any real standards for designing secure software. In fact, the right way to secure programs is rarely discussed at all.
...“For most of the last decade security has taken place in secret,” says Brian Chess, chief scientist at Fortify. Even the most basic security information is usually held close to the vest for fear that bad guys could use it to compromise a system. The lack of transparency serves a purpose, but it comes at the expense of helping other companies improve the security of their software.
When Chess and co-author Gary McGraw studied companies known for taking security seriously they found some practices in common, which became the basis for their model. For example, there’s never even been an accepted best practice for how large a security team should be, says McGraw. The new model recommends one dedicated security person for every 100 software developers a company keeps on staff.
The model breaks security down into 12 categories, including training, reviewing the code, and testing software after it’s written. Each category contains a list of activities that can help make a company’s software more secure, such as basing training sessions on security incidents that previously happened at a company and not theoretical ones. It’s aimed at the heads of information-technology departments, and will be available for free online.