To get ahead of threat curve, boost security during software development


(Editor’s note: Is it possible to develop software with fewer intrinsic vulnerabilities? In this guest essay John Dickson, a principal at Denim Group, a secure software developer, argues an emphatic “yes.”)

By John Dickson, Special for ThirdCertainty

You can’t attend a security event like the RSA Conference or BlackHat without hearing the security vendors tout threat intelligence, advanced malware detection, patch management, continuous monitoring, intrusion prevention, and so on and so on. These are all mainstream cybersecurity solutions that are top of mind, but they don’t address the underlying security issue—where many of these vulnerabilities originate.

John Dickson, Denim Group principal

Unfortunately, the majority of mainstream security solutions focus on inbound threats and are aimed at known vulnerabilities. The common denominator? They all are after the fact. … While that’s well and good, this approach puts enterprises in the role of constantly playing catch-up, which still leaves them open to attack from vulnerabilities that have not yet been identified. To properly reduce their attack surface and effectively increase their security posture, enterprises must move beyond the patching mindset and take a harder look at their own software development processes. By addressing potential weaknesses and security flaws before internal applications are fully in production, you can greatly limit risk exposure right out of the gate.


This is easier said than done. Because developers are focused on getting applications completed and out the door, security is usually overlooked and often takes a backseat to production quotas and timelines. While this is great for pushing out new applications, it greatly compromises security, thereby introducing opportunities for nefarious parties to exploit. Today’s constantly evolving cybersecurity landscape has made it a necessity for security to not only have a seat at the software development table, but to make sure its input is taken seriously. If management continues to ignore the development process as a legitimate security issue, the news headlines will always read in favor of the online criminals.

Raise the bar on security

The approach is simple—build your software to a slightly higher standard, to withstand the probes and attacks likely to be encountered when the software is in production and exposed to the Internet. Identify and evaluate the context of vulnerabilities early in the development process, and prioritize each one by risk level before placing it in the queue to remediate. This allows you to address the most serious vulnerabilities before they ever become an issue, reducing downtime and disruption.

The technology is already out there; the developers just need to see that they have the support of upper management to implement it. For instance, coordinating application security testing is something developers can easily add to the development process to quickly identify and fix application vulnerabilities before they make it to production.

Early inclusion pays off later

Furthermore, taking a security approach to development enables enterprises that must maintain compliance reporting to supply application vulnerability information, which supports better application risk management at the enterprise level. By giving security a seat at the software development table, application security finally gets put on the radar of security operators and risk management decision-makers for inclusion, analysis and comparison with all other risk information—ensuring a more comprehensive and effective approach to addressing cybersecurity threats and vulnerabilities.

Despite enterprises making great efforts to reduce their attack surface by patching vulnerabilities, they will never get ahead of the threat curve if they don’t elevate the security of internally developed software to a similar level. Developing software and applications with security in mind not only allows them to withstand a variety of attacks, it allows for a more comprehensive and responsive security posture.
