Building highly secure applications need much more than an after thought Penetration Test and a rare Secure Code Review. Over the past two years the need to integrate security into the SDLC has become larger than ever. There is a growing acceptance & place for security within the application development teams these days. Challenge however has been what, where & how. A key need is to not overdo since it might repel potential adopters.
Recently there have been several resources flooding the Internet on how to meet this challenge. I found several that were over-blown & several that were inadequate. Having said that there were fairly good ones. The one that I liked the most & thought met my perception was the Secure Development Lifecycle from Microsoft.
As seen above it highlights what security practices need to be incorporated and where in an SDLC. As you dig deeper it addresses the how part as well http://msdn.microsoft.com/en-us/security/cc420639.aspx. I personally like OWASP guides for the how part specifically following
- Secure Coding Guide http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- Static Analysis/Code Review http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
- Dynamic Analysis/Penetration Test http://www.owasp.org/index.php/Category:OWASP_Testing_Project