Earlier today we announced the winners of our first ever Secure Development Awards. For those that haven't heard of our new awards this quote from our Co-Founder Chris Wysopal sums it up nicely;
"We’ve created this award to recognize developers’ successes in properly implementing security features during the software development lifecycle. Historically, security professionals used scanning and application testing tools to only point out flaws in the development process, but we believe this award will help recognize the positive work that developers are doing and celebrate our customer’s dedication to application security.”
Our three winners are:
We were lucky enough to get representatives from each of our winners to answer some questions about their development efforts.
1. How many developers are on your team and how many applications does the team work on a quarterly basis?
Online Strategies: We have 9 developers; Dave, Andy, Fed, Chill, Allen, Matt, Ron, Martin and Brent working on 9 major projects and also numerous sub projects.
PagosOnline: Currently we have 17 Developers working for the company.
SecureKey: Development team is 100+ people. On average, 3 application suites are being worked on every quarter.
2. Does your internal data show trends of consistently strong application security or improvement in the security of your applications?
Online Strategies: Yes, with our internal security training involving all aspects of secure coding techniques and the Veracode scans, our security awareness and practices have enhanced application security.
PagosOnline: We support a large database of security issues documented during years with all of the flaws found in our applications; we can track them to avoid making the same mistakes again in the code.
SecureKey: It does, and we are leveraging Veracode tools to supply us with this data.
3. How is your development team leveraging Veracode to improve software security?
Online Strategies: Verifying the effect of security training and identifying any area that may need to be a topic during our development meetings.
PagosOnline: We use Veracode in a strict manner to achieve the desired results, with every release we use Veracode to include all of the flaws found in the next release planning.
- Static code scans of code in development environments
- Static code scans of prerelease code
- Dynamic code scans of prerelease code
- Regular dynamic code scans of production code
4. Is there a correlation between your security application quality and the amount and quality of the coffee your team drinks?
Online Strategies: The morning coffee quantity has not changed, but the late night coffee intake has been eliminated, we have gotten two inquiry letters from Folgers regarding our drop in product purchases.
PagosOnline: Actually we don’t have stats about it, I think we are going to start to measure that.
SecureKey: :) Not really, but there is correlation between code quality and consistency of code reviews.
5. What do you envision the most pressing application security need to be for your company and industry in the future?
Online Strategies: Staying up to date with the constant changes and requirements. Our partnership with Veracode helps us ensure that we stay current.
PagosOnline: We already thinking in mobile, future is focusing in mobile, so that should be our immediately security need.
SecureKey: HTML5 security , Dynamic Security reviews of Mobile applications.
Congratulations to all 3 winners on their achievements and a huge thank you to each for participating in our Q&A session!