Secure Development is arguably one of the biggest concerns and least considered aspects of Information Security. Every business today relies on some sort of software to deliver its services. And unless that software is a standalone instance of one of the big-brand, off-the-shelf packages, it will need to integrate with or exchange data with one or more other software systems. In any situation where a company has developed its own proprietary system, outsourced the development of its system or integrated with another system, secure development is a key factor in ensuring that it is safe.
Let’s remember that in the case of the recent Virgin Media data breach, which laid bare up to 900,000 sets of customer records for over 10 months, no external hack was involved; merely an incorrect internal configuration. If your company is doing anything more than just using a mainstream system then ensuring that development happens securely is not just important, but your responsibility. In this post we will look at what Secure Development is, why it is so important and how you can start to take it seriously.
What is Secure Development?
Secure development is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development involves several activities, including the implementation of a Security Development Lifecycle (SDL) and secure coding itself. Secure development should be involved throughout the software development lifecycle, with the aim of developing systems that protect the information they handle in operation; if that information is not protected, it can be exploited and provide a soft underbelly for a potential attack.
Why is Secure Development so important?
There are enough threats and risks out there without creating our own through a lack of care or oversight. Every piece of software that your company uses can be compromised. Numerous high-profile cyber attacks in recent years have come through loopholes or vulnerabilities in software development. The widespread NotPetya attack of 2017, which caused an estimated $10bn of damage to Maersk alone, originated from a backdoor hidden in a third-party accounting software package. What is easier for hackers than targeting individual systems of individual target companies? Targeting software that vast numbers of target companies use and waiting to get lucky...
So how do you get started?
Secure Development needs to be on the information risk landscape for every company, but just like many other aspects of InfoSec it can be a complex and difficult area to manage. My three top tips for starting in this area are:
- Protect yourself – Start by taking a strategic step back to consider the features and requirements of the services that you are providing and assess what systems are really needed to provide them. Re-drawing your systems map from the perspective of necessity rather than utility can provide surprising clarity. Apply the same level of scrutiny to the systems that your suppliers may be using to interact with you.
- Stay current – The Secure Development landscape is constantly shifting, but there are some effective ways of keeping in touch. The OWASP Foundation works to improve the security of software, and its community maintains extensive good practice guidance on the development of secure web applications.
- Minimise access and maintain control of source code, libraries and data – Having put secure development at the genesis, if not the heart, of your systems plans, the next step is to ensure that you have control of who can make further development changes to your systems or your suppliers' systems. There is no point in doing all the strategic work if it can then be undone through a lack of oversight.
So in summary, if your systems handle your customers' data then it is your responsibility to ensure those systems are developed securely, regardless of whether you develop them in-house or procure them from a supplier; secure development practices are critical to ensure that both you and your customers remain safe. It can be a daunting and complex prospect to take on, but that does not make it any less important in the Risk Management arena.

c2 cyber ltd