Considerations of code writing include purchase of software, software compatibility, software standards, software quality, software testing, and software training (both for developers and users). To be secure, software must be written to set specifications, checked, and tested properly.
Off the Shelf Software Considerations
What operating system will be used?
Will the operating system support other software required whether purchased or developed?
What off the shelf software products will be used?
Is all purchased software legally licensed?
If a vendor is providing software, is all software provided by the vendor legally licensed?
Custom Software Requirements
What code must be written?
How much code is required?
What functionality must custom code provide?
Some software standards are listed here. Developers should be trained and understand required coding standards. They should also be able to spot flaws in code.
Are coding standards understood and enforced?
Are code checks done according to the Software Standards Specification?
Does code always check user input according to the Software Standards Specification?
Does code always check output to protect against harmful content according to the Software Standards Specification?
Are cookies used to store sensitive data?
Are the DOMAIN and PATH attributes used to restrict cookie access and prevent cross site scripting attacks?
Does the software check errors so unpredicted behavior does not occur when file access fails, registry access fails, database access fails, library file access fails or other failures occur according to the Software Standards Specification?
Are stored procedures used for database access?
Is code well modularized so related program functions are grouped together?
Is use of global data limited?
Is code documented according to the Software Standards Specification?
Does a code test plan exist?
Is unit testing performed during development?
Is testing against SQL injection attacks and buffer overflow attacks performed? Is the code tested to see what it does if it can't connect to the database, configuration files, or other required files?
Is time allowed for user acceptance testing and do users test and approve system tests before operation?