Specify security requirements using the developer’s format
Use the developers’ format (user stories, software requirement specifications, story mapping, wireframes, personas, and use cases) to articulate security requirements so that developers can better understand, define, and implement security specifications.
This enables security requirements to be treated as functional requirements in the product backlog, transforming them into tasks (a.k.a. decomposition), incorporating them into requirements management tools and including them in the project’s productivity metrics (such as burndown and velocity).
Conduct threat modeling
Conduct regular threat modeling exercises to understand the security context of the application, to uncover aspects of the design that are not secure, to identify, analyze, and prioritize threats, to discover the most common techniques and methods used to attack the application (spoofing, tampering, denial of service, escalation of privilege), to identify which threats warrant additional security testing and, most importantly, to produce strategies and solutions to mitigate each threat proactively.
Employ secure programming techniques
Mandate developers to leverage established secure programming techniques such as pair programming, refactoring, continuous improvement/continuous development (CI/CD), peer review, security iterations and test-driven development.
This improves the non-functional qualities of the application code and helps remove programming defects that allow security vulnerabilities to be exploited. Secure programming techniques are also useful in directing developers who are inexperienced at secure methods, using new technologies like AI or low-code/no-code, developing an aspect of an application that is complex, integrating third-party applications, or meeting compliance requirements.
Perform independent security reviews
Get independent reviewers to perform static code analysis (review source code to analyze errors, bugs, and loopholes in the application code) and dynamic analysis (examine application behavior during execution to identify unusual or unexpected behavior). This provides assurance to stakeholders that the application meets security requirements and does not include any security vulnerabilities.