Three Pillars of Software Security

The three pillars of software security are applied risk management, software security touchpoints, and knowledge (see the above illustration). By applying the three pillars in a gradual, evolutionary manner and in equal measure, a reasonable, cost-effective software security program can result.

Software security is an ongoing activity that requires a cultural shift. There is unfortunately no magic tool or just-add-water process that will result in secure software. Software security takes work. That's the bad news. The good news is that any organization that is developing software, no matter what software development methodology it is following (if any!), can make straightforward, positive progress by following the plan laid out in Software Security. Software security naturally borrows heavily from software engineering, programming languages, and security engineering.