SDD

Business vulnerability analysis, architecture security analysis and threat modeling are three key activities that generate security demands. From these, the development team can see clearly what it must attend to, in security terms, during the rest of development. The problem is how to follow them strictly enough that the security demands are actually satisfied: knowing the security demands does not mean they will be realized during coding. Code assessment can be used for detection, and security penetration testing for verification, but these measures are either inefficient or come too late, and they cannot guarantee that all security demands are verified.

The development team can instead use security-driven development (SDD), which is similar to test-driven development: automated security tests are first written from the security demands, and those tests are then used to drive the development of the actual product code. This approach builds security into the product explicitly and can effectively ensure that all security demands are correctly realized. In addition, the security tests should be run continually throughout the application development process, so that when a security test fails, the development team learns of it and can act in time.
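
The workflow above applied to one constructed security demand, as an added example that is not part of the original page: the security tests in `LockoutSecurityTest` are written first, and `LoginGuard` is the product code written to pass them. The lockout demand and all names and values (`LoginGuard`, `MAX_FAILURES`, `LOCK_SECONDS`, `run_security_tests`) are assumptions made for illustration.

```python
import hmac
import unittest

# Constructed security demand (assumed, not from the page): MAX_FAILURES failed
# logins in a row lock the account for LOCK_SECONDS, even for the right password.
MAX_FAILURES, LOCK_SECONDS = 5, 900

class LoginGuard:  # product code, written second, to make the tests pass
    def __init__(self, password):
        self._password, self._failures, self._locked_until = password, 0, 0.0

    def login(self, password, now):
        if now < self._locked_until:
            return False  # locked: reject before looking at the password
        if hmac.compare_digest(password.encode(), self._password.encode()):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures, self._locked_until = 0, now + LOCK_SECONDS
        return False

class LockoutSecurityTest(unittest.TestCase):  # written first, from the demand
    guard_cls = LoginGuard  # implementation under test

    def lock(self):
        guard = self.guard_cls("correct horse")
        for _ in range(MAX_FAILURES):
            guard.login("guess", now=0)  # the lock therefore starts at now = 0
        return guard

    def test_correct_password_rejected_while_locked(self):
        self.assertFalse(self.lock().login("correct horse", now=LOCK_SECONDS - 1))

    def test_lock_expires_after_lock_seconds(self):
        self.assertTrue(self.lock().login("correct horse", now=LOCK_SECONDS))

    def test_success_resets_failure_counter(self):
        guard = self.guard_cls("correct horse")
        for _ in range(MAX_FAILURES - 1):
            guard.login("guess", now=0)
        self.assertTrue(guard.login("correct horse", now=1))
        guard.login("guess", now=2)
        self.assertTrue(guard.login("correct horse", now=3))

def run_security_tests(guard_cls=LoginGuard):  # True only if every test passes
    case = type("Case", (LockoutSecurityTest,), {"guard_cls": guard_cls})
    result = unittest.TestResult()
    unittest.defaultTestLoader.loadTestsFromTestCase(case).run(result)
    return result.wasSuccessful()
```

Calling `run_security_tests()` in every build is the continual run described above; an implementation that drops the lockout makes it return `False`.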