National Cybersecurity Awareness Month – Secure Software Development
October 9th, 2018
It’s October, which means National Cybersecurity Awareness Month is back! Last year, I shared some thoughts on clarity of communication as an essential element of cybersecurity. This year, let’s talk about secure design, coding, and testing of software to protect your applications and customers.
Enterprise software development, whether for external sale or internal use, presents many challenges including scaling concerns. Large amounts of data and heavy activity are at play, as well as poor and unreliable connectivity on complex networks. Software developers all know that their applications must be architected so that they are scalable, secure, stable, usable, and of sufficient quality. However, security and auditing are also critical considerations that must be emphasized and addressed throughout the development lifecycle.
Applications must be designed with security at the forefront of planning, and rigorous care is taken to ensure that vulnerabilities are not introduced so that data and systems are protected. This includes thorough auditing of user actions, preferably with before and after values if appropriate. Audit logging is essential not only for compliance reasons, but for forensics and an evidence trail of malicious or accidental usage that impacts security.
Permissions, authorization, and authentication must be considered carefully. If a feature or task requires code to be run as a privileged user account, have the bare minimum of permissions being identified and used? We must strive for our code to do the most amount of work with the least amount of privilege. For every design, be sure to ask:
- Are web and API calls appropriately permissioned?
- Is authorization enforced on the server side, and not just in the user interface? Do not rely on enforcing permissible actions on the client side only.
- Does the system enforce that a user is authenticated with the system, effectively disallowing anonymous access to endpoints?
Data protection is another important consideration. Is sensitive data adequately protected in your application?
- This includes not only confidential organization and personal data, but also passwords, cryptographic keys, SSH keys, certificates, database backups, API keys, network information, and credentials.
- Are the appropriate, certified encryption and hashing algorithms used consistently?
- Take care to ensure that passwords and other sensitive data do not inadvertently appear in log files or other diagnostics.
Here are a few considerations I recommend you take as you evaluate your secure coding:
- Design your products with security in mind.
- Educate your teams on common vulnerabilities and secure coding techniques – there are many great online training videos around considerations such as SQL injection, or cross-site scripting.
- Ensure that there is the budget for internal and external penetration tests to evaluate the security of your applications through authorized and simulated “attacks”.
- Evolve your software development lifecycle process to include security reviews of designs, code, and testing efforts.
- Create a pipeline for evaluating issues and risks, clear communication of criticality and mitigations, and budget time for fixes and education.
The impact of poor secure design, coding, and testing of enterprise applications can be formidable to overcome. Customer data and satisfaction is on the line. Sales and maintenance revenue can be affected. Loss of trust can be a major obstacle to success. Empower your teams through education, getting involved in local security gatherings and events, and follow security industry twitter accounts. As developers and testers and architects, security must be at the forefront of our processes and skill sets to ensure success.
Check out our 2017 Cybersecurity Awareness Month blog series.