Creating and maintaining secure applications is the topic of many books and articles. It has emerged as an important concern for software developers. Numerous models and frameworks tell you how to write cleaner, more secure code. One of the main reasons the BSIMM model is so valuable is that it reports on what works in the area of secure application development. When considering any new procedure or technology, it is wise to learn from those who have already used it. Learn from other people’s mistakes and adopt strategies that worked. Plan well and you can enjoy a more productive software development environment. The following best practices for developing secure Windows applications represent what many organizations have learned:

• Incorporate security early and often.

• Adopt a software development model to help define your organization’s development activities and flow.

• Define activities for each phase in your model.

• Ensure all developers are trained to develop secure applications. Look for developer training from:

  • SANS—http://www.sans.org

  • SEI—http://www.sei.cmu.edu/

  • OWASP—https://www.owasp.org/index.php/OWASP_Secure_Development_Training

• Validate your software product at the end of every phase.

• Create separate software projects for each related group of programs or program changes.

• Do not begin a software development project by writing code—plan and design first.

• Keep the three SDL core concepts in focus—education, continuous improvement, and accountability.

• Develop tests to ensure each component of your application meets security requirements.

• Study the most common application vulnerabilities and develop programming standards to ensure you don’t include the vulnerabilities in your application.

• Identify and store programs, files, and schema definitions in a centralized, secure repository.

• Control and audit changes to programs, files, and schema definitions.

• Organize versioned programs, files, and schema definitions into versioned components.

• Organize versioned components and subsystems into versioned subsystems.

• Create baselines at project milestones.

• Record and track requests for change.

• Organize and integrate consistent sets of versions using activities.

• Maintain stable and consistent workspaces.

• Ensure reproducibility of software builds.

Using these best practices as guidelines will help your organization develop more secure applications and be more responsive to your customers.