5 Security Questions to Ask Your Software Vendor
Security Innovation, a risk assessment consultancy, provides questions you can ask a software vendor about its development processes. The answers you get will tell you just how much effort is put into security. It’s up to you how much risk you want to assume.
1. Do you review security at each phase of the software development lifecycle?
A good answer: Yes, we have integrated reviews into our product development lifecycle, from requirements definition to code development and testing.
Likelihood of getting this answer: Almost zero. Even companies that have created secure development best practices, like Microsoft, have implemented them only on a small portion of their applications.
2. What methodologies do you use for security testing your products?
A good answer: We have adopted methodologies from a respected security consultancy or large software vendor.
Likelihood of getting this answer: Small. Although some methodologies are required reading and have been adopted by companies like Adobe, McAfee and Symantec, a majority of companies have yet to adopt them. Most software development teams don’t consider security testing to be their responsibility.
3. Do third parties conduct security assessments on your products?
A good answer: Yes, we have a pool of application security companies we use to conduct independent assessments on all of our products.
Likelihood of getting this answer: 50 percent. This is up from about 25 percent two years ago. Third-party security assessments are increasingly mandatory and show up in RFPs and SLAs for packaged and on-demand software.
4. Do you have security squads that attack your products prior to release?
A good answer: Yes, we create an internal red team that acts as malicious users and complements third-party security assessments.
Likelihood of getting this answer: 20 percent. Though red teams are a growing trend, most companies still lack the internal expertise to dedicate staff to testing.
5. Do you use automated tools for security testing or code review?
A good answer: Yes, we use tools from this reputable vendor for code review during development and tools from that reputable vendor for security scanning our Web applications after deployment.
Likelihood of getting this answer: 20 percent. Adoption of automated tools is increasing, but an untrained engineer doesn’t become better because he learns how to use AutoCAD. He finds value in the tool only after he is trained to use it.
6. What training do your development and testing teams receive specific to application security?
A good answer: We have put our entire application development team through security awareness training as well as technical training aimed at each specific role, such as product manager, architect, developer, tester, auditor and others.