Page 1388 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Introducing Systems Development Controls
Many organizations use custom-developed software to achieve their
unique business objectives. These custom solutions can present great
security vulnerabilities as a result of malicious and/or careless
developers who create backdoors, buffer overflow vulnerabilities, or
other weaknesses that can leave a system open to exploitation by
malicious individuals.
To protect against these vulnerabilities, it’s vital to introduce security
controls into the entire systems development lifecycle. An organized,
methodical process helps ensure that solutions meet functional
requirements as well as security guidelines. The following sections
explore the spectrum of systems development activities with an eye
toward security concerns that should be foremost on the mind of any
information security professional engaged in solutions development.
Software Development
Security should be a consideration at every stage of a system’s
development, including the software development process.
Programmers should strive to build security into every application
they develop, with greater levels of security provided to critical
applications and those that process sensitive information. It’s
extremely important to consider the security implications of a software
development project from the early stages because it’s much easier to
build security into a system than it is to add security to an existing
system.
Programming Languages
As you probably know, software developers use programming
languages to develop software code. You might not know that several
types of languages can be used simultaneously by the same system.
This section takes a brief look at the different types of programming
languages and the security implications of each.
Computers understand binary code. They speak a language of 1s and