Software Testing, Staging, and Deployment

Developing secure software can be a challenge. Regardless of whether you develop or purchase software, you must deploy and maintain it as well. Some general best practices for developing, deploying, and maintaining secure Windows application software are the following:

  • Adopt a software development model to help define your organization’s development activities and flow.

  • Define activities for each phase in your model.

  • Ensure all developers are trained on developing secure applications.

  • Validate your software product at the end of every phase.

  • Create separate software projects for each related group of programs or program changes.

  • Do not begin a software development project by writing code—plan and design first.

  • Keep the three Security Development Lifecycle (SDL) core concepts in focus—education, continuous improvement, and accountability.

  • Develop tests to ensure each component of your application meets security requirements.

  • Study the most common application vulnerabilities and develop programming standards to ensure you don’t include the vulnerabilities in your application.

  • Identify and store programs, files, and schema definitions in a centralized, secure repository.

  • Control and audit changes to programs, files, and schema definitions.

  • Organize versioned programs, files, and schema definitions into versioned components.

  • Organize versioned components and subsystems into versioned collections.

  • Create baselines at project milestones.

  • Record and track requests for change.

  • Organize and integrate consistent sets of versions using activities.

  • Maintain stable and consistent workspaces.

  • Ensure reproducibility of software builds.

Despite your best efforts to secure your applications and operating system, you still may encounter attacks. You have already learned how important it is to have a well-thought-out plan to handle incidents when they do occur. A general list of best practices for handling incidents and investigations includes these steps:

  • Harden OS and software to avoid incidents.

  • Assess computers periodically to expose vulnerabilities.

  • Validate and test all BCPs and DRPs (i.e., carry out scheduled exercises to test and practice plans).

  • Get full management support for a computer security incident response team (CSIRT).

  • Create a CSIRT.

  • Define and assign CSIRT roles.

  • Conduct a risk assessment to identify potential incidents that require attention first.

  • Develop an incident response plan around the six steps to handling incidents.

  • Create an incident reporting form.

  • Distribute and publicize the incident reporting form and procedure.

  • Test the incident response plan.

  • Identify and acquire incident management software.

  • Identify and acquire incident investigation software.

  • Train key CSIRT members on proper evidence collection and handling.
