National Cybersecurity Awareness Month – Secure Software Development

October 9, 2018


It’s October, which means National Cybersecurity Awareness Month is back! Last year, I shared some thoughts on clarity of communication as an essential element of cybersecurity. This year, let’s talk about secure design, coding, and testing of software to protect your applications and customers.

Enterprise software development, whether for external sale or internal use, presents many challenges, including scaling concerns: large volumes of data and heavy activity are at play, as well as poor and unreliable connectivity on complex networks. Software developers know that their applications must be architected to be scalable, secure, stable, usable, and of sufficient quality. Security and auditing in particular are critical considerations that must be emphasized and addressed throughout the development lifecycle.

Applications must be designed with security at the forefront of planning, and rigorous care must be taken to ensure that vulnerabilities are not introduced, so that data and systems are protected. This includes thorough auditing of user actions, preferably recording before and after values where appropriate. Audit logging is essential not only for compliance, but also for forensics and as an evidence trail of malicious or accidental usage that impacts security.

Permissions, authorization, and authentication must be considered carefully. If a feature or task requires code to be run under a privileged user account, has the bare minimum set of permissions been identified and used? We must strive for our code to do the most work with the least privilege. For every design, be sure to ask:

  • Are web and API calls appropriately permissioned?
  • Is authorization enforced on the server side, and not just in the user interface? Do not rely on enforcing permissible actions on the client side only.
  • Does the system enforce that a user is authenticated with the system, effectively disallowing anonymous access to endpoints?

Data protection is another important consideration. Is sensitive data adequately protected in your application?

  • This includes not only confidential organization and personal data, but also passwords, cryptographic keys, SSH keys, certificates, database backups, API keys, network information, and credentials.
  • Are the appropriate, certified encryption and hashing algorithms used consistently?
  • Take care to ensure that passwords and other sensitive data do not inadvertently appear in log files or other diagnostics.
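The three checklist items above (server-side authorization, audit records with before and after values, and keeping secrets out of logs) in one request handler. This is an added example, not code from the post or from BeyondTrust; the in-memory user table, record store and audit list are constructed stand-ins for a real database and log sink.

```python
import json
from datetime import datetime, timezone

# Constructed sample data for this example: a user/role table and one stored record.
USERS = {"alice": {"role": "admin"}, "bob": {"role": "viewer"}, "carol": {"role": "viewer"}}
RECORDS = {7: {"owner": "bob", "email": "bob@example.test", "api_key": "k-123"}}
# Field names whose values must never be written to logs or audit trails.
SENSITIVE_FIELDS = {"password", "api_key", "ssh_key", "token"}
AUDIT = []  # in-memory audit trail; a real system would use append-only storage


def redact(values: dict) -> dict:
    """Mask secret-bearing fields so the audit record is safe to store and read."""
    return {k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in values.items()}


def _audit(actor, action, record_id, outcome, before=None, after=None):
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "record": record_id,
        "outcome": outcome, "before": before, "after": after,
    })


def update_record(session_user, record_id, changes: dict) -> dict:
    """Server-side handler: authenticate, authorize, then mutate and audit."""
    # 1. Authentication: anonymous callers are rejected outright (and logged).
    if session_user is None or session_user not in USERS:
        _audit(session_user, "update", record_id, "denied: unauthenticated")
        raise PermissionError("authentication required")
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    # 2. Authorization is enforced here, regardless of what the UI hides:
    #    only an admin or the record's owner may change it.
    role = USERS[session_user]["role"]
    if role != "admin" and record["owner"] != session_user:
        _audit(session_user, "update", record_id, "denied: not permitted")
        raise PermissionError("not permitted")
    # 3. Audit with before/after values, redacted so secrets never reach the log.
    before = redact(record)
    record.update(changes)
    _audit(session_user, "update", record_id, "ok", before, redact(record))
    return record


def audit_contains_secret(secret: str) -> bool:
    """Leak check: does any serialized audit entry contain the given value?"""
    return secret in json.dumps(AUDIT)
```

Denied attempts are audited as well as successful changes, so the trail doubles as evidence of attempted misuse.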

Here are a few considerations I recommend you take as you evaluate your secure coding:

  • Design your products with security in mind.
  • Educate your teams on common vulnerabilities and secure coding techniques; there are many great online training videos on topics such as SQL injection or cross-site scripting.
  • Ensure that there is the budget for internal and external penetration tests to evaluate the security of your applications through authorized and simulated “attacks”.
  • Evolve your software development lifecycle process to include security reviews of designs, code, and testing efforts.
  • Create a pipeline for evaluating issues and risks, clear communication of criticality and mitigations, and budget time for fixes and education.

The impact of poor secure design, coding, and testing of enterprise applications can be formidable to overcome. Customer data and satisfaction are on the line. Sales and maintenance revenue can be affected. Loss of trust can be a major obstacle to success. Empower your teams through education, by getting involved in local security gatherings and events, and by following security industry Twitter accounts. As developers, testers, and architects, we must keep security at the forefront of our processes and skill sets to ensure success.

David Allen, VP, Engineering

As Vice President of Engineering, David is responsible for development and quality assurance for the PowerBroker and BeyondInsight product lines. Having worked in several other development and management roles throughout the years, David brings with him the decades of experience and knowledge required to manage high performance teams. Prior to its acquisition by BeyondTrust, David was the Director of Engineering for eEye Digital Security where he was instrumental in growing the development organization and increasing the delivery capacity of the team. Previous to eEye, David managed the Canadian Engineering team for NetPro before the acquisition by Quest Software in 2008.
