Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
ColumnsCybersecurityCyber Tactics ColumnCybersecurity News

The Top 12 Practices of Secure Coding

By Steven Chabinsky
Cyber Tactics Chabinsky Default
The Top 12 Practices of Secure Coding - Cyber Tactics - Security Magazine
Cyber Tactics Chabinsky Default
The Top 12 Practices of Secure Coding - Cyber Tactics - Security Magazine
January 1, 2018

Developing and managing software is no easy feat. Consider that an operating system can contain over 50 million lines of code. To help developers rise to the software security challenge, enter OWASP, the Open Web Application Security Project. Comprised of thousands of super-smart participants collaborating globally, OWASP provides free resources “dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted.”

It might make good sense then, when evaluating your (or your vendor’s) program, to begin by measuring it against OWASP’s Software Assurance Maturity Model. The below list provides a quick summary of the top 12 security practices to mitigate risks from internal and third-party software. How many boxes does your program check?

 

Governance

  1. Strategy and Metrics: Establish a unified security roadmap, set corporate risk tolerance and align expenses with asset value.
  2. Education and Guidance: Provide role-specific secure software development lifecycle training.
  3. Policy and Compliance: Understand compliance drivers, create compliance gates and collect the right types of data to enable audit.

 

Construction

  1. Threat Assessment: Identify, evaluate and mitigate application-specific threats.
  2. Security Requirements: Specify necessary security controls, including within supplier agreements, and audit those controls.
  3. Secure Architecture: Adopt software development frameworks, identify secure design patterns and embed secure-by-default principles.

 

Verification

  1. Design Review: Assess software design against a comprehensive set of best practices.
  2. Implementation: Integrate automated code analysis tools into development processes, customize code review for language-level risks and for application-specific vulnerabilities.
  3. Security Testing: Require human penetration testing and automate application-specific testing throughout the development process and, significantly, before deployment.

 

Operations

  1. Issue Management: Create a vulnerability response team, implement a security issues disclosure process (consider a bug bounty program), conduct root cause analysis and collect per-issue metrics.
  2. Environment Hardening: Install critical upgrades and patches, monitor configurations, deploy network protection tools.
  3. Operational Enablement: Facilitate communications between development teams and operators, capture critical security information, maintain formal procedures for issuing alerts, create per-release change management procedures and perform code signing.

As is the case in other areas of risk management, secure software development maturity exists on a continuum that includes, on the low end, inconsistent, insufficient and ad hoc procedures and builds, on the high end, to a robust iterative process, integrated within the organization and validated against industry standards. To get started, business managers assessing their organization’s overall enterprise risk might determine whether both their internal software engineers and technology vendors have implemented OWASP or similar processes, and whether they routinely employ competent third-party audits against those guidelines.

Regardless of your organization’s approach, it is wise to consider these words from OWASP: “Security is one of the non-functional requirements that should be built into every serious application or tool that is used for commercial or governmental purposes.” Take it from OWASP, software engineers may speak in code, but software security requirements aren’t a secret.

KEYWORDS: cyber security data breach secure coding

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Chabinsky 2016 200px

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Person working on laptop

Governance in the Age of Citizen Developers and AI

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Cyber Security default

    The Top 10 Cybersecurity Myths, Part 2

    See More
  • Keys to Employee Cybersecurity

    The Top 10 Cybersecurity Myths, Part 1

    See More
  • cyber feat

    The Top Three Cyber Security Leadership Qualities

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing