How to develop and deliver secure software
By: Kaushik Bagchi, Vice President Information Management Asia Pacific, ASG Technologies
Data and application security is a high priority for businesses due to the growing risks posed by theft and increasing government mandates to maintain and secure private information. One need not look any further than Singapore’s largest group of hospitals, SingHealth, and its massive data breach last year, for an example of the various risks organizations need to address to protect customer information. Singaporean banks were also top targets of the cybercriminals behind the Tinba v3 Trojan in 2015-2016, accounting for over a third (36%) of attacks, according to BMI Research. Regardless of industry, any company collecting valuable data on its customers is vulnerable to cyber attacks.
Organizations need to be committed to securing all external IT to protect data from breaches – and the business from the consequences of regulatory non-compliance. Incidents such as the 2017 WannaCry attack, which was found to have affected machines running an older version of the Windows operating system, show how hundreds of thousands of systems worldwide can be compromised by unsecured software. This effort to secure data includes using commercial software (managed on-premises or in the cloud) that is delivered with no known vulnerabilities and continually tested and updated to address new threats as they are identified.
For developers, it is imperative to meet the challenge of providing the secure software that customers need to fuel their security initiatives and prevent data loss. The Singapore Airlines data breach earlier this year, triggered by a bug that surfaced after the company made changes to its website, underscores this point. The key to meeting this need is to implement a development lifecycle that assesses risks, models threats and solutions through design reviews, and tests software security in static and dynamic situations. These development processes should also be kept up to date by taking the following steps:
- Adopting agile techniques
- Implementing collaborative development tools
- Moving to standardized techniques such as the RESTful API
- Adopting common accessible user experience models
- Developing and reusing common components
Software developers should also consider adopting a secure systems development lifecycle (SDLC), which treats security as a core part of software development rather than an afterthought. An automated process such as an SDLC ensures that security processes cannot be bypassed while products are built, making it more likely that flaws are identified before the product is released.
Setting the Standard for Software Security
There is no advantage in cutting corners. Developers need to adopt best-of-breed software test tools and methods to confirm that new software releases meet the security standards customers need. A process to ensure this happens should include the following:
- A highly trained and knowledgeable development community. Teams can be structured to include a designated Security Task Force comprised of individuals from various parts of the organization (e.g., Dev and Quality Assurance) to mentor and ensure security guidelines are followed. This task force can also collaborate with the broader security team to perform threat modelling exercises on each release.
- Identification and scanning of all third-party code for security vulnerabilities. Many software breaches happen when organisations use third-party code that is common to many products but that also carries flaws. To eliminate this possible threat, code repositories should be scanned to identify libraries that are either severely outdated, have conflicting licensing terms or have security flaws identified by the community. Products should not be released if any of these conditions are identified.
- Automatic scanning of the organisation’s source code to identify incorrect security practices and alert the developers. The organization and its developers benefit by increasing knowledge of secure development best practices and by fixing potential security threats in the future. Companies should consider taking this step when new code is committed (real-time security) and when products are automatically built to provide rapid feedback and correction.
- Execution of an automated Quality Assurance cycle to search for security flaws. During this essential phase, all product transactions can be monitored and analysed for issues.
- Intensive penetration testing from the security team. All products should receive this crucial testing by the internal security team, using a combination of tooling and their own knowledge, prior to release.
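The third-party code check in the list above can be enforced as an automated release gate. The sketch below is an added example, not code from the article or from any vendor's tooling; the age threshold, licence allowlist, component names and advisory IDs are assumptions constructed for illustration.

```python
import sys
from dataclasses import dataclass, field
from datetime import date

# Policy values are assumptions for this example, not figures from the article.
MAX_AGE_DAYS = 3 * 365                                # "severely outdated" cutoff
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

@dataclass
class Component:
    name: str
    version: str
    license: str            # SPDX identifier; "" when the scanner found none
    released: date          # release date of the pinned version
    advisories: list = field(default_factory=list)    # known-flaw IDs

def gate_findings(components, today):
    """Return (component, reason, detail) for every blocking condition."""
    findings = []
    for c in components:
        age = (today - c.released).days
        if age > MAX_AGE_DAYS:
            findings.append((c.name, "outdated", f"{age} days old"))
        # Allowlist, so an unknown or missing licence fails closed.
        if c.license not in ALLOWED_LICENSES:
            findings.append((c.name, "license", c.license or "unknown"))
        for adv in c.advisories:
            findings.append((c.name, "vulnerable", adv))
    return findings

def release_allowed(components, today):
    return not gate_findings(components, today)

# Constructed inventory; names, dates and advisory IDs are placeholders.
TODAY = date(2024, 1, 1)
SAMPLE = [
    Component("examplelib-a", "2.1.0", "MIT", date(2023, 6, 1)),
    Component("examplelib-b", "0.9.3", "Apache-2.0", date(2019, 2, 1)),
    Component("examplelib-c", "1.4.0", "AGPL-3.0-only", date(2023, 9, 1)),
    Component("examplelib-d", "3.0.1", "MIT", date(2023, 10, 1), ["EXAMPLE-ADV-0001"]),
    Component("examplelib-e", "1.0.0", "", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for name, reason, detail in gate_findings(SAMPLE, TODAY):
        print(f"BLOCK {name}: {reason} ({detail})")
    sys.exit(0 if release_allowed(SAMPLE, TODAY) else 1)
```

Run as a build step, the non-zero exit status stops the pipeline, so a release cannot proceed while any of the three conditions holds.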
Reputable, trustworthy software development organizations will seek to engineer security into their products and test continually along the path to delivery and through operation. Automated processes will help guarantee that security will not be overlooked. Customers should expect secure software from their vendors, and a process like the one detailed above will help to identify and address vulnerabilities so those customer demands can be met.