Telecom Italia expects to reduce the cost of maintaining its business applications by a factor of 10 after introducing secure coding techniques.
The company has rolled out a set of guidelines and checklists for each programming language and is using a static source code analyser (SCA) to identify potentially exploitable vulnerabilities early in development.
"We had to invest in training our developers and software tools for reviewing all code, but the return on investment was clear," Marco Bavazzano, CISO at Telecom Italia, told Computer Weekly.
Telecom Italia adopted the approach at the start of 2008 after evaluating the potential risks to the business of software vulnerabilities.
It calculated that the cost of fixing business applications already in use was roughly 10 times greater than the cost of switching to a secure development method.
"Losses in productivity could be extremely costly if any business applications were unavailable because of a security incident," said Bavazzano.
Telecom Italia spent most of 2007 introducing secure coding practices for its business application developers.
"Security is now an important part of every stage of development, including planning, design, coding and pre-deployment testing," said Bavazzano.
Telecom Italia chose a code analyser from Fortify Software because it was able to identify more potential vulnerabilities across a wider range of programming languages than 15 competing products, said Bavazzano.
Task managers and project managers within the software development department monitor the code and refer it back to developers if it fails to meet security standards.
In pre-deployment testing, security managers use a dynamic real-time analysis (RTA) tool to assess the potential vulnerability of the application in a live environment.
The same tool is used to monitor applications once they are deployed in the organisation, so that the protection can be fine-tuned, said Bavazzano.
Now that Telecom Italia has established a secure coding method for all new applications, the company is reviewing all existing applications to identify and fix any vulnerabilities.
According to the US National Institute of Standards and Technology (NIST), 92% of security vulnerabilities are in software, and Gartner estimates these flaws cause 75% of security breaches.