- code; they just might never have been trained how to code securely. You have two ways to properly train your developers. The first option is to hire a developer security training firm to train your developers. The second option is to persuade your IS team to come in and do the developer training. Either option will work, so it just comes down to determining which option is more appropriate for your organization.
The steps mentioned above are very broad. But getting your new, expanded team to communicate and use the same defect management system is the first step. The impact of not having a single defect management system to manage security defects alongside functional and performance defects can be extremely large.
No statistics are available on how many company Web sites have been hacked because a vulnerability was identified but never properly tracked and resolved. Yet there is a long list of company Web sites that have been hacked through easily preventable security defects. Companies such as Netscape, MySpace, Google, PayPal, Eli Lilly, Victoria's Secret, and Go Daddy are just a few that have been publicly exposed with security vulnerabilities. Don't let your software or Web site be the next on this list.