Secure Systems Development

Abstract

A secure IT system needs to be a resilient and available IT system. Good security does not usually happen by accident. Secure Systems Development is rooted in good engineering practices. Many security issues that occur can be traced back to problems that could have been avoided at the design and build stages or prevented through good management and effective maintenance engineering. Development starts with understanding what you need to protect and the consequences of that protection failing, an understanding that is formed by thinking about what you have, who could compromise it, why they might want to and how that could happen. The secure IT system affords appropriate security functionality to its users and exhibits the right security characteristics. Secure Systems Development is a responsibility that has to be shared by all those contributing to the systems development lifecycle [9]; some will of course have greater responsibility than others, but all need to recognise that they should be aware of risks, follow good practices and report anything that does not seem right. Whilst much of the security of a system can be attributed to the technologies used and the processes that are in place, ultimately it is the people that make up the teams that build and operate the system who really make the difference. Even the best security products are likely to fail if they are not implemented and operated correctly.