I've written a bit on how important a Security Development Lifecycle is to creating secure software. Without an SDL, software is designed for functionality first, and then security is "bolted on" at the end of the development process. This can lead to software with more security bugs then you'd care to think about. With an SDL, those bugs never find their way into the software, because the SDL process forces security issues to be considered from the initial inception of the software to the final code release. For any software purchase you make, you need to ask the vendor how they implement an SDL in their own software development process. If they can't provide you this information, then you should reconsider the software purchase and look to a vendor that can provide you details of their SDL.
But what if you're a software development house and you don't have the knowledge or the talent in house to implement an effective SDL? There are a lot of options, but one of the best is to bring in some experts who can perform fast and effective knowledge transfer to bring your developers and project managers up to speed. Which experts should you choose? I think that you can't do much better than the Microsoft ACE Team. The Microsoft Application Consulting and Engineering Team can do code reviews and train your staff in secure application development. I've had the chance to work with this team and they are top notch secure application development professionals.
For more information about Microsoft ACE, check out their blog at:
Thomas W Shinder, M.D., MCSE
Microsoft Security Architect / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP - Forefront Edge Security (ISA/TMG/UAG)