The Importance of Developing Secure Software
Written by Everette Hubbard, our Security and Compliance Officer at Dura Software.
Security is a critical practice due to all the unintended issues when a person or system takes control of or misuses the product. When this occurs, the information can be exposed, or the system can allow access to other systems, software, or information that was never intended to be exposed. Individuals who gain this access or misuse the software can cause financial harm to another individual or company that may reveal information or actions not warranted by a virus, malware, or ransomware.
Evaluate Security Measures
As you can see by some of the articles below, major breaches occur regularly. Due to some exemptions, not all are reported, so until the company is exposed, they may delay giving public notice.
https://www.verizon.com/business/resources/reports/2021-dbir-smb-snapshot.pdfx
https://www.securitymagazine.com/articles/96667-the-top-data-breaches-of-2021
We need to understand that there are different types of computer or technology security that the industry recognizes, information versus cyber security.
Information Security exposes the data, which could be customer/consumer information, an organization's intellectual property, medical records, banking, or financial reports that are accessed or revealed from outside sources.
Cyber Security is systems that need to be protected from outside sources or compromised, whereas systems can be applications, products, or physical infrastructure.
Why is this relevant? The approach to protecting information includes needing to include cyber security as they are systems or tools that may contain the information that needs to be protected from exposure.
We must also recognize that when our software is given the golden seal of “Compliant,” it does not mean the product is secure. Many high profile breaches have come on the heels of becoming certified. Target and Supervalu incidents occurred within weeks of receiving their compliance reports.
Ensure Your Software and Team are Following Security Measures
Secure software starts with education and training on industry threats, vulnerabilities, and practices, including tools to validate or inspect code and software during the initial stages. Providing tools and techniques for the development community to utilize while building and updating software before it is released to the public and processes to review, adjust and inspect the product other than its functionality.
To ensure that your organization is doing the base minimum for meeting security requirements as far as developing software to industry standards, build your program around OWASP Open Web Application Security Project is a nonprofit organization for the improvement of application security by developers, and industry experts. Aside from an organization with folks solely focused on the software, you should also use frameworks to develop your security control program such as CIS Center for Internet Security (https://www.cisecurity.org/controls/application-software-security), NIST cyber security framework and ISO 27001which provides you with a good foundation to put in place for your organization establish the groundwork to being diligent in reducing risk.
Once you have identified your practices, whether it be OWASP or an industry-recognized framework, then you need to conduct a standard audit or assessment of your practices.
You need to test, report and develop your program to improve the actions of the staff which could include a security awareness training program. You also want to obtain the visual of what your environment looks like now by conducting a vulnerability scan. Once this is done you can have the team perform a simple walkthrough validating that you've identified threats, vulnerabilities or risks and maintain a log, support tickets or report to track the remediation and closure of items discovered to report back to the leadership.
Schedule Frequent Security Checks
One of the industry's main challenges due to the current workforce is the availability of resources to allow the organization to manage its security needs successfully. This contributes to the lack of ability to continuously provide the proper vulnerability scanning or practices to help identify and reduce threats, vulnerabilities, and risks. Due to this challenge of resources, the industry is pushing heavily for organizations to automate many of their tasks, including vulnerability scans which is helpful on the front end but harmful because the automation cannot remove or remediate those vulnerabilities. With this approach, you'll still need some resources or staff to be put in place, giving us a tiny window to provide adequate vulnerability scans. Therefore, we need to determine the new direction on how often to check for security threats and vulnerabilities depending on the resources you have. The industry says that we should check them every time a significant change has been done or at least monthly and at least two penetration tests per year.
Organizations should conduct vulnerability scans once a quarter or after every significant code change, and penetration tests should be scheduled to be initiated bi-annually.
Although various organizations rely on compliance guidance to determine how often they scan or conduct penetration tests, companies should get into a habit of constantly performing vulnerability scans and conducting penetration tests when significant changes are made to the environment.
Importance of Security in Software Platforms
Software is vital to many organizations because it provides them with capabilities to offer services and products to their customers. It also allows them to do their business functions daily to keep things flowing and keep the business. There are many reasons why organizations should be concerned about the security of their software platforms, whether it is a product that they develop for a customer or clients to use or it's a product that they've purchased for use internally.
But organizations should be wary of vulnerabilities and issues that can happen with their software, whether it's software that they've developed internally or software that's purchased off the shelf and used for the business. Organizations like SolarWinds and Octa, technologies and security products with recent breach issues, have shown the industry the importance of basic security practices and exposed the sector to heightened concern.
The supply chains that keep us fed and clothed are all managed through information technology. (CompTIA, Why is Cybersecurity Important? https://www.comptia.org/content/articles/why-is-cybersecurity-important)
Security Measures Your Team Can Implement
Organizations that begin to understand the importance of a secure software program will identify and implement measures to build a foundation for security in their products and services. If you recall the mention of OWASP, standards, and frameworks, you will see that they each have their base of activities all tend to come back to a few of the following:
Role-based security awareness training – Training designed for the specific job role, i.e., developer, IT staff, manager, staff, executive, boards.
Secure coding practices – OWASP 10 validation and other industry suggestions, including frameworks and compliance requirements.
Code analysis – Detailed code/software analysis performed via industry software; some examples include ShiftLeft, VeraCode, SonarQube.
Web application firewalls – Gone but not forgotten. The industry insisted on firewalls to protect web-based applications, but moving to the cloud has confused the administrators that AWS, GCP and Azure are just datacenters not managed internally, which means they still need firewalls.
Vulnerability scanning - This is just as important as code analysis. Scanning gives you insights into possible threats, vulnerabilities, and risks that the network, applications, and product mainly give an adversary an opportunity to compromise your organization.
Penetration testing – More fundamental than all of the suggestions on the list, a pen test gives a real-life view of what an attacker can access, manipulate, expose or capture without your knowledge or defense. Pen testing is the art of manually attacking a surface as an authorized hacker to determine whether you can access the crown jewels. This exercise will give a nearly perfect view of how your circle of protection can hold up, but you also have to be aware that the activity is over a short time frame and won’t tell you if a persistent attempt would be more successful.
Secure Your Software Today
If you or your team don’t know where to start, you can use your search engine to find documents, forums, webinars, and books to get you started. Not all information is correct or usable by every enterprise or team. Some suggestions are more than a group can endure, but not having any practices in place is a guarantee to experience an unwanted result.
