Steve Roatch, president and CEO of Twentyseven Global, was a featured speaker at TechTalk in Kansas City this week, where four thought leaders in the technology industry presented. Aside from Roatch, Bhu Virdi, senior solutions engineer at ViaWest; Brad Carrell, managing partner at Strategic Telecom; and Gordon Braun, managing director at Protiviti, gave presentations that focused on secure software development in the technology industry. The event was hosted at Boulevard Brewing Company in Kansas City, Mo.
From left: Steve Roatch, Gordon Braun, Brad Carrell and Bhu Virdi
As a thought leader in the custom software and technology industry, Roatch gave insight into the security measures his company takes. “We are seeing an increasing amount of companies’ IT budgets spent on security. Currently, companies spend about 11 percent of their IT budget on addressing security issues.” Roatch went on to cite research that suggests the average time to repair a security breach is 193 days, which is why identifying security processes is so important.
When identifying a security plan for your business, Roatch recommends prioritizing risks according to the likelihood and consequence of a breach. The Open Web Application Security Project (OWASP) publishes a Top Ten list that is a good place to start this prioritization. However, the items on that list are very broad, and secure software development requirements must be narrow and specific. Secure software development starts with clear requirements and continues throughout the software development life cycle, from architecture and design through testing. Roatch introduced Twentyseven Global’s Requirements, Patterns and Validations approach, or RPV, to secure software development. Roatch elaborated, “Requirements define weaknesses and vulnerabilities that must be mitigated. Patterns are architecture, design and coding techniques used to mitigate vulnerabilities. Validations are specific tests used to verify that the vulnerability has been mitigated, or in other words, the requirement has been met.”
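To make the two ideas in this paragraph concrete, here is an added example (written for this article, not Twentyseven Global's own RPV tooling or code) that ranks a constructed set of risks by likelihood times consequence and then records one RPV entry: a narrow requirement derived from the broad OWASP "Injection" category, the coding pattern that mitigates it (a parameterized query), and the validation test that proves the pattern holds. The scoring scales, the `Risk` and `RPVEntry` types and the sample data are assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List

# --- Prioritization: rank risks by likelihood x consequence (scales are assumed here) ---
@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assessed by the team
    consequence: int  # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest-scoring risk first; these become the requirements to write first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# --- RPV: a requirement, the pattern that mitigates it, the validation that checks it ---
@dataclass
class RPVEntry:
    requirement: str                  # narrow, testable statement of what must be mitigated
    pattern: Callable[..., object]    # the code that implements the mitigation
    validation: Callable[[], bool]    # a specific test; True means the requirement is met


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Pattern: parameterized query. User input is bound as a value and never spliced
# into the SQL text, so it cannot change the statement's structure.
def find_user(conn: sqlite3.Connection, username: str):
    cur = conn.execute("SELECT username, role FROM users WHERE username = ?", (username,))
    return cur.fetchall()


# Validation: a normal lookup returns the one matching row, and input shaped like a
# SQL fragment is treated as a literal username that matches nothing.
def validate_find_user() -> bool:
    conn = _demo_db()
    normal = find_user(conn, "alice")
    literal_only = find_user(conn, "' OR '1'='1")
    return normal == [("alice", "admin")] and literal_only == []


def build_register() -> List[RPVEntry]:
    """One RPV entry; a real register would hold one per prioritized requirement."""
    return [RPVEntry(
        requirement="User lookup must not let input alter the SQL statement (OWASP: Injection)",
        pattern=find_user,
        validation=validate_find_user,
    )]


def run_validations(register: List[RPVEntry]) -> Dict[str, bool]:
    """Run every validation; a False result means a requirement is not yet met."""
    return {entry.requirement: entry.validation() for entry in register}


if __name__ == "__main__":
    # Constructed sample risks for the prioritization step.
    ranked = prioritise([
        Risk("SQL injection in user lookup", likelihood=4, consequence=5),
        Risk("Verbose error pages", likelihood=5, consequence=2),
        Risk("Weak password hashing", likelihood=2, consequence=5),
    ])
    for r in ranked:
        print(f"{r.score:>3}  {r.name}")
    for req, ok in run_validations(build_register()).items():
        print("PASS" if ok else "FAIL", req)
```

The validation is deliberately tied to the requirement rather than to the pattern's internals: if someone later rewrites `find_user` with string concatenation, `validate_find_user` fails and the register shows the requirement as unmet.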
Businesses should be specific in defining which data and processes present a security risk and work with their IT departments to prioritize the mitigation of those risks. IT departments should consider adding an “RPV” focus to their secure development life cycle as a complement to traditional security measures, such as VPNs, firewalls, antivirus, intrusion detection and penetration tests.