It’s October, which means National Cybersecurity Awareness Month is back! Last year, I shared some thoughts on clarity of communication as an essential element of cybersecurity. This year, let’s talk about secure design, coding, and testing of software to protect your applications and customers.
Enterprise software development, whether for external sale or internal use, presents many challenges, including scaling concerns: large amounts of data and heavy activity are at play, as well as poor and unreliable connectivity on complex networks. Software developers all know that their applications must be architected so that they are scalable, secure, stable, usable, and of sufficient quality. Security and auditing, however, are critical considerations that must be emphasized and addressed throughout the development lifecycle, not bolted on at the end.
Applications must be designed with security at the forefront of planning, and rigorous care must be taken to ensure that vulnerabilities are not introduced, so that data and systems are protected. This includes thorough auditing of user actions, preferably with before and after values where appropriate. Audit logging is essential not only for compliance reasons, but for forensics and as an evidence trail of malicious or accidental usage that impacts security.
Permissions, authorization, and authentication must be considered carefully. If a feature or task requires code to be run as a privileged user account, has the bare minimum of permissions been identified and used? We must strive for our code to do the most work with the least privilege. For every design, be sure to ask:
- Are web and API calls appropriately permissioned?
- Is authorization enforced on the server side, and not just in the user interface? Do not rely on enforcing permissible actions on the client side only.
- Does the system enforce that a user is authenticated with the system, effectively disallowing anonymous access to endpoints?
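The following is an added example, not code from the article or from BeyondTrust, showing how the three questions above and the audit-trail point from earlier fit together in one request handler: authentication is resolved against a server-side session store (anonymous requests are rejected), authorization is decided only from server-held role data (a client-supplied `is_admin` flag is simply ignored), and every outcome is audited with before and after values. The roles, sessions, records and field names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed roles, sessions and records for this example; none of this is from the article.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:update"},
    "admin": {"record:read", "record:update", "record:delete"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # opaque token -> user, held server-side
USER_ROLES = {"alice": "admin", "bob": "viewer"}
RECORDS = {"r1": {"owner": "alice", "status": "open"}}
UPDATABLE_FIELDS = {"status"}                          # the only fields a client may change
AUDIT_LOG = []                                        # in-memory stand-in for an append-only audit store


@dataclass
class Request:
    """What the server receives: an opaque session token plus the requested action."""
    session_token: Optional[str]
    action: str
    record_id: str
    payload: dict = field(default_factory=dict)


def authenticate(request: Request) -> Optional[str]:
    """Resolve the token against the server-side session store; None means anonymous."""
    if not request.session_token:
        return None
    return SESSIONS.get(request.session_token)


def authorize(user: str, action: str) -> bool:
    """Decide purely from server-held role data, never from anything the client sent."""
    return action in ROLE_PERMISSIONS.get(USER_ROLES.get(user, ""), set())


def audit(user, action, record_id, outcome, before=None, after=None):
    """Record who tried what, whether it was allowed, and the before/after state."""
    AUDIT_LOG.append({"user": user, "action": action, "record": record_id,
                      "outcome": outcome, "before": before, "after": after})


def handle_request(request: Request) -> dict:
    """Authenticate, authorize, act, and audit, in that order."""
    user = authenticate(request)
    if user is None:
        audit(None, request.action, request.record_id, "unauthenticated")
        return {"status": 401, "error": "authentication required"}

    # Client-supplied claims such as payload["is_admin"] never reach authorize().
    if not authorize(user, request.action):
        audit(user, request.action, request.record_id, "denied")
        return {"status": 403, "error": "forbidden"}

    record = RECORDS.get(request.record_id)
    if record is None:
        return {"status": 404, "error": "not found"}

    before = dict(record)  # snapshot for the audit trail
    if request.action == "record:update":
        # Only whitelisted fields are applied; unknown keys in the payload are dropped.
        record.update({k: v for k, v in request.payload.items() if k in UPDATABLE_FIELDS})
        after = dict(record)
    elif request.action == "record:delete":
        del RECORDS[request.record_id]
        after = None
    else:  # record:read
        after = before

    audit(user, request.action, request.record_id, "allowed", before, after)
    return {"status": 200, "record": after}


if __name__ == "__main__":
    print(handle_request(Request(None, "record:read", "r1")))
    print(handle_request(Request("tok-bob", "record:update", "r1", {"status": "closed", "is_admin": True})))
    print(handle_request(Request("tok-alice", "record:update", "r1", {"status": "closed", "owner": "mallory"})))
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering is the point: the handler never looks at the payload until both authentication and authorization have passed, and the whitelist of updatable fields means a client cannot change ownership by adding keys the UI would not have offered.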
Data protection is another important consideration. Is sensitive data adequately protected in your application?
- This includes not only confidential organization and personal data, but also passwords, cryptographic keys, SSH keys, certificates, database backups, API keys, network information, and credentials.
- Are the appropriate, certified encryption and hashing algorithms used consistently?
- Take care to ensure that passwords and other sensitive data do not inadvertently appear in log files or other diagnostics.
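As an added example (not from the article or BeyondTrust), here are two of the data-protection points above in Python's standard library: passwords stored with salted PBKDF2-HMAC-SHA256 and verified with a constant-time comparison, and a logging filter that masks sensitive keys before a message is ever formatted, so a password or API key passed to the logger does not land in a log file. The key names, iteration count and sample event are constructed for the example.

```python
import hashlib
import hmac
import logging
import os

# Constructed parameters for the example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$hash' string for storage."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Key names treated as sensitive; extend for your own schema (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "api_key", "apikey", "token",
                  "private_key", "ssh_key", "authorization"}


def redact(value):
    """Recursively mask values whose key names look sensitive; other data is untouched."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class RedactingFilter(logging.Filter):
    """Scrub log arguments before formatting, so secrets never reach any handler."""
    def filter(self, record):
        # logging stores a lone dict argument as the dict itself, otherwise a tuple
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def safe_log_line(message: str, event: dict) -> str:
    """Format a message the way a logger carrying RedactingFilter would emit it."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, (event,), None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logger = logging.getLogger("app")
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    logger.addFilter(RedactingFilter())
    stored = hash_password("correct horse battery staple")
    logger.info("stored credential: %s", stored)  # hash and salt only, never the password
    logger.info("login attempt: %s", {"user": "bob", "password": "hunter2"})
    print(verify_password("correct horse battery staple", stored))
```

Storing the algorithm name and iteration count alongside the hash lets you raise the work factor later and re-hash on the next successful login without a migration, and putting the redaction in a `logging.Filter` on the logger means every handler, including ones added later, sees only scrubbed arguments.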
Here are a few considerations I recommend you take as you evaluate your secure coding:
- Design your products with security in mind.
- Educate your teams on common vulnerabilities and secure coding techniques – there are many great online training videos on topics such as SQL injection or cross-site scripting.
- Ensure that there is the budget for internal and external penetration tests to evaluate the security of your applications through authorized and simulated “attacks”.
- Evolve your software development lifecycle process to include security reviews of designs, code, and testing efforts.
- Create a pipeline for evaluating issues and risks, clear communication of criticality and mitigations, and budget time for fixes and education.
The impact of poor secure design, coding, and testing of enterprise applications can be formidable to overcome. Customer data and satisfaction are on the line. Sales and maintenance revenue can be affected. Loss of trust can be a major obstacle to success. Empower your teams through education, by getting involved in local security gatherings and events, and by following security industry Twitter accounts. As developers, testers, and architects, we must keep security at the forefront of our processes and skill sets to ensure success.
David Allen, VP, Engineering
As Vice President of Engineering, David is responsible for development and quality assurance for the PowerBroker and BeyondInsight product lines. Having worked in several other development and management roles throughout the years, David brings with him the decades of experience and knowledge required to manage high performance teams. Prior to its acquisition by BeyondTrust, David was the Director of Engineering for eEye Digital Security where he was instrumental in growing the development organization and increasing the delivery capacity of the team. Previous to eEye, David managed the Canadian Engineering team for NetPro before the acquisition by Quest Software in 2008.