To get ahead of the threat curve, boost security during software development
(Editor’s note: Is it possible to develop software with fewer intrinsic vulnerabilities? In this guest essay John Dickson, a principal at Denim Group, a secure software developer, argues an emphatic “yes.”)
By John Dickson, Special for ThirdCertainty
You can’t attend a security event like the RSA Conference or BlackHat without hearing the security vendors tout threat intelligence, advanced malware detection, patch management, continuous monitoring, intrusion prevention, and so on and so on. These are all mainstream cybersecurity solutions that are top of mind, but don’t address the underlying security issue—where many of these vulnerabilities originate.
Unfortunately, the majority of mainstream security solutions focus on inbound threats and are aimed at known vulnerabilities. The common denominator? They are all after the fact. … While that’s well and good, this approach puts enterprises in the role of constantly playing catch-up, which still leaves them open to attack through vulnerabilities that have not yet been identified. To properly reduce their attack surface and effectively improve their security posture, enterprises must move beyond the patching mindset and take a harder look at their own software development processes. By addressing potential weaknesses and security flaws before internal applications are fully in production, you can greatly limit risk exposure right out of the gate.
This is easier said than done. Because developers are focused on getting applications completed and out the door, security is usually overlooked and often takes a back seat to production quotas and timelines. While this is great for pushing out new applications, it greatly compromises security, thereby introducing opportunities for nefarious parties to exploit. Today’s constantly evolving cybersecurity landscape has made it a necessity for security to not only have a seat at the software development table, but to make sure its input is taken seriously. If management continues to ignore the development process as a legitimate security issue, the news headlines will always read in favor of the online criminals.
Raise the bar on security
The approach is simple—build your software to a slightly higher standard, to withstand the probes and attacks likely to be encountered when the software is in production and exposed to the Internet. Identify vulnerabilities early in the development process, evaluate each one in the context of where it sits and what it affects, and assign it a risk priority before placing it in the remediation queue. This allows you to address the most serious vulnerabilities before they ever become an issue, reducing downtime and disruption.
The technology is already out there; the developers just need to see that they have the support of upper management to implement it. For instance, coordinating application security testing is something developers can easily add to the development process to quickly identify and fix application vulnerabilities before they make it to production.
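As an added illustration (this is example code written for this page, not the author’s or Denim Group’s), the following Python script sketches the triage step the two paragraphs above describe: findings from an application security test are scored by scanner severity and by context (Internet exposure, data sensitivity), ordered into a remediation queue, and used to decide whether a build may be promoted to production. The field names, weights, threshold and sample findings are all assumptions chosen for the example.

```python
"""
Added example (not from the essay): a minimal pre-production security gate.

Findings from an application security test (a constructed sample below,
not real scanner output) are scored by severity *and* by the context the
essay stresses: whether the component is exposed to the Internet and
whether it handles sensitive data. The ordered result is the remediation
queue, and any finding at or above a threshold blocks the release.
Weights, field names and the threshold are illustrative assumptions.
"""
from dataclasses import dataclass

# Base score per scanner severity (assumed mapping, roughly CVSS-like bands).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}

# Context multipliers: the same flaw matters more on an Internet-facing
# component that touches sensitive data. Values are assumptions.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}
DATA_WEIGHT = {"sensitive": 1.3, "public": 1.0}

# Findings scoring at or above this block promotion to production (assumed).
BLOCK_THRESHOLD = 9.0


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str        # critical / high / medium / low
    component: str
    exposure: str        # internet / internal
    data: str            # sensitive / public


def contextual_score(f: Finding) -> float:
    """Severity adjusted for where the component sits and what it handles."""
    base = SEVERITY_BASE[f.severity.lower()]
    score = base * EXPOSURE_WEIGHT[f.exposure] * DATA_WEIGHT[f.data]
    return round(min(score, 10.0), 1)   # cap at 10, like a CVSS score


def remediation_queue(findings):
    """Findings ordered by contextual risk, highest first, paired with score."""
    scored = [(contextual_score(f), f) for f in findings]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def gate_build(findings, threshold=BLOCK_THRESHOLD):
    """Return (blocked, blocking_ids, queue).

    blocked is True when at least one finding scores at or above the
    threshold, i.e. it must be remediated before the release proceeds.
    """
    queue = remediation_queue(findings)
    blocking = [f.finding_id for score, f in queue if score >= threshold]
    return bool(blocking), blocking, queue


# Constructed sample findings, shaped like a SAST/DAST report might be.
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in login handler", "high",
            "web-frontend", "internet", "sensitive"),
    Finding("F-2", "Verbose stack trace in error page", "low",
            "web-frontend", "internet", "public"),
    Finding("F-3", "Outdated TLS cipher on admin API", "medium",
            "admin-api", "internal", "sensitive"),
    Finding("F-4", "Hardcoded test credential in batch job", "critical",
            "nightly-batch", "internal", "public"),
]

if __name__ == "__main__":
    blocked, blocking, queue = gate_build(SAMPLE_FINDINGS)
    for score, f in queue:
        print(f"{score:4.1f}  {f.finding_id}  {f.title} ({f.component})")
    print("BLOCK release:" if blocked else "release OK:", blocking)
```

Note how context reorders the queue: the scanner rates F-4 “critical” and F-1 only “high”, but because F-1 sits on an Internet-facing component handling sensitive data it rises to the top, which is the kind of early, context-aware prioritization the essay argues for. In practice the same gate would be wired into the build pipeline and fed by the scanner’s real output.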
Early inclusion pays off later
Furthermore, building security into development lets enterprises that must maintain compliance reporting feed application vulnerability information into risk management at the enterprise level. By giving security a seat at the software development table, application security finally gets put on the radar of security operators and risk management decision-makers for inclusion, analysis and comparison with all other risk information—ensuring a more comprehensive and effective approach to addressing cybersecurity threats and vulnerabilities.
Despite enterprises making great efforts to reduce their attack surface by patching vulnerabilities, they will never get ahead of the threat curve if they don’t elevate the security of internally developed software to a similar level. Developing software and applications with security in mind not only allows them to withstand a variety of attacks, it allows for a more comprehensive and responsive security posture.