Producing secure software applications is a serious challenge for all software developers. In order to create a framework for software security, the IEEE (Institute of Electrical and Electronic Engineers) flagged security as a software development life cycle requirement when it approved the IEEE P1074 Standard for Developing Project Life Cycle Processes. This revised standard proposed that project managers should be responsible for security throughout the life cycle of the software rather than making only the end development group responsible for the project's security. This was a radical change from the way software companies typically handled software security.
IEEE P1074 is one of only a few international standards that addresses software and system life cycle management. The standard allows companies to build security levels directly into the software products they are creating. The key philosophy behind IEEE P1074 is that it makes business sense to spend money and apply resources today only if the project is designed with the security necessary to protect private customer data and keep the software secure.
Security experts admit that even though IEEE P1074 is currently not the driving force motivating companies to add security to their software development projects, the standard compels companies to place security into a business context. It also helps companies plan for security objectives at the start of the project. In addition, the standard provides a method for validating achievements at the end of the project.
"The problem with the IEEE standards is that they are pretty much germane," says Dale Liu author, editor and a speaker on technology and technology security. "There are not a lot of teeth in the standards. No one knows how many companies are following P1074 right now. The IEEE is a standards organization, and most of the statements that are issued from the IEEE come out as recommendations. Whether you are following them or not is up to you."
As Brian Chess, chief scientist and founder of Fortify, a California company that helps people build secure software by eliminating defects in their code, says: "Software is a little like the artistic painting medium. Telling painters they have to follow a certain set of rules isn't always going to be accepted. Yes, companies are concerned about software security, and companies are investigating software security practices, but you can't dictate to a company here are the set of steps you must follow. Few discussions with clients about the implementation of P1074 rarely come up, and I don't know who is following these standards. These standards are not affecting the software development process, because from my perspective-- they're not being followed. A good security standard must be flexible but have enough rigidity to it to have it be meaningful. The security must fit into the software world the business inhabits."
