Some of the software companies I have interacted with are now getting really serious about security. They bake security into everything, bring in security architects, build on secure technologies, hire excellent pen-testers and code reviewers, and so on; the whole nine yards to transform their SDLC process into a secure SDLC (S2DLC) process.
The Cut above the Rest; Showcase Security
But the companies that really get it leverage their security initiatives and derive business benefit from them. I think salesforce.com is a sterling example. They have a website dedicated to communicating with their customers about the security of their systems and the processes and certifications they maintain. Companies that get it will leverage and market their security programs and initiatives as a sign of maturity, giving prospects confidence in their solution and even an edge in the prospect's mind, where most of the battles are really fought. When prospects learn that their software vendor takes security more seriously than they themselves do, confidence in the security of your offering starts residing in the customer's mind.
Security Code Reviews: Rise to the Occasion
Security Code Reviews certainly fall in the category of major confidence boosters. Technically speaking, they are a great way to catch accidental back doors, malicious back doors and all the vulnerabilities that an application penetration test would find, with the added advantage that your developers will now know exactly where the defective code lies. A black-box test only finds a back door if the tester happens to trigger it; a reviewer reading the authentication code sees it on the page.
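To make the back-door point concrete, here is an added illustration (my own example, not code from the original post or from any vendor mentioned in it). It shows a login routine with a leftover developer bypass of the kind a code review catches and a penetration tester can only find by guessing, the hardened version beside it, and a small review aid that flags comparisons of a password-like variable against a string literal. The user store, salt, the "letmein-dev" bypass string and the regex are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed credential store: one user with a PBKDF2-HMAC-SHA256 hash.
# Assumption: a real application would load these from a database and use a
# per-user random salt; a fixed salt is used here only to keep the example short.
_SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def login_with_backdoor(username: str, password: str) -> bool:
    """'Before' version: a debug bypass a developer forgot to remove.

    A black-box pentest only finds this if the tester guesses the string;
    a reviewer reading the function sees it immediately.
    """
    if password == "letmein-dev":  # accidental back door (constructed example)
        return True
    stored = USERS.get(username)
    if stored is None:
        return False
    return stored == _hash_password(password)


def login_fixed(username: str, password: str) -> bool:
    """'After' version: no bypass, constant-time comparison, and the same
    amount of hashing work whether or not the user exists."""
    stored = USERS.get(username)
    candidate = _hash_password(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


# Review aid: flag a password/secret/token variable compared to a string literal.
# This is a coarse heuristic for reviewers to triage, not a substitute for reading
# the code; it will also flag legitimate comparisons such as `token == ""`.
_HARDCODED_CHECK = re.compile(
    r"""\b(pass(word|wd)?|pwd|secret|token|apikey|api_key)\b\s*[!=]=\s*["']""",
    re.IGNORECASE,
)


def find_hardcoded_credential_checks(source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for each suspicious comparison."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _HARDCODED_CHECK.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed source snippet, mirroring the vulnerable function above, so the
# review aid can be exercised without reading files from disk.
SAMPLE_SOURCE = '''
def login(username, password):
    if password == "letmein-dev":
        return True
    stored = USERS.get(username)
    if stored is None:
        return False
    return stored == _hash_password(password)
'''


if __name__ == "__main__":
    print("backdoor login as unknown user:", login_with_backdoor("nobody", "letmein-dev"))
    print("fixed login as unknown user:   ", login_fixed("nobody", "letmein-dev"))
    print("fixed login, correct password: ", login_fixed("alice", "correct horse battery staple"))
    for lineno, text in find_hardcoded_credential_checks(SAMPLE_SOURCE):
        print(f"review flag at line {lineno}: {text}")
```

Run the script directly to see the bypass succeed for a user that does not exist, the fixed routine refuse it, and the review aid point at the exact line, which is the "developers now know exactly where the defective code lies" benefit from the paragraph above.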
Everybody's Happy: Fix Code Faster for Less
Security Code Reviews make fixing much quicker, which application and business owners love. But the flip side has always been the cost of doing these comprehensive code reviews. The costs have come down over the years and today are pretty reasonable, comparable to what you would pay for an application penetration test. That is certainly great news for all those application and business owners out there with PCI compliance, due diligence questionnaires, demanding customer evaluators and aggressive sales guys to deal with.
Attn: Application Owners & Product Managers: Security Code Reviews cost much less today and can get you an edge in the customer's mind.