Security testing is one of the top issues in the media at the moment.

Security testing will definitely support companies in delivering less error prone and vulnerable software to their customers. It is an old truth that the cost to fix an error after rollout is considerably higher than before. But when it comes to security relevant vulnerabilities, errors can have catastrophic effects on a company.

In my opinion, standalone security testing wil not lead to more secure software in the long-term. Security should be built into the entire development process from requirements specification to user acceptance test, with verification and validation in each step. And it is very important to make it crystal clear to the customer that security comes at a price.

Security by design is the means by which less vulnerable software products could be delivered.

In particular the coding phase is critical for the vulnerability of a product. To create less vulnerable software, developers have to unlearn old programming habits, and to acquire the well known best practice for developing secure products. To ensure success, this transformation process should be embedded in a change process.

Drive the change!