That’s Not How it Works: All Development Should be Secure Development
By: Jonathan Knudsen | Thursday, July 02 2020 - 17:10 IWST
Jonathan Knudsen - Senior Security Strategist, Synopsys Software Integrity Group
INDUSTRY.co.id - Secure development is more important today than ever before. A vast number of cyberattacks have placed security in the spotlight, with many organisations adopting safer practices to ensure that ‘all development be secure development’. The key is minimising risks while maximising speed and efficiency. By automating and integrating security into the software development lifecycle (SDLC), vulnerabilities can be found earlier, and bugs can be fixed faster.
Doing it right
When it comes to software, anyone can do it, but it doesn’t always come out right. The four fundamental steps in software development are to decide what to build, decide how to build it, build it and test it. Through the history of software development methodologies, these fundamental steps have been expanded and twisted into different shapes. The latest iteration is the infinite loop of DevOps.
Whether you are building or buying software, it is crucial that software products are as secure, robust and resilient as they can be. This may seem easier said than done. However, by taking on the builder’s perspective and circling back around to the buyer’s perspective, problems are more effectively identified, and risks are better evaluated.
Think security at every step of the way
Organisations that create software must think about security from start to finish. The real world is messy. Cyberattacks are bound to happen, and products can fail despite best efforts. By better understanding what cyber security means and how it needs to be implemented into your processes, developers are able to write better code, effectively test for bugs and lower the risk of attacks and accidental failure. Adopting a Secure Software Development Life Cycle (SSDLC) provides a solid foundational process for incorporating security into every phase of software development. The sooner bugs are fixed, the less costly they are to resolve and the more secure the system becomes.
Microsoft was an early proponent of the SSDLC, although they named their process the Secure Development Lifecycle (SDL). From education to incident response, Microsoft identified 12 different practice areas that help development teams keep security in mind at every phase of development.
Understanding the SSDLC is crucial regardless of whether you build or buy software. As a buyer, you need to have a good grasp on what you want your vendors to be doing in terms of security. On the other hand, as a developer, following an SSDLC will help you make products that are safer, more secure, and work better. It is all about the process – integrating security at every step with the help of security testing tools. As such, investments are maximised while risks are minimised.
Testing and more testing
When it comes to product security, four main classes of tools are commonly used in hunting for vulnerabilities. First, source code analysis, also known as Static Application Security Testing (SAST), helps identify bugs in source code. Additionally, it is able to navigate through control paths, looking at how data flows through the application.
The second type of tool is Software Composition Analysis (SCA), also known as supply chain analysis. An SCA tool scans source code or binaries and creates a list of third-party software components (often open source) that were used to build your software. This list is the software bill of materials. SCA tools will also check each software component for known vulnerabilities and license terms. While using third-party software components helps you bring the product to market faster, managing those components is crucial in reducing security and licensing risk.
Third, fuzz testing delivers deliberately malformed inputs to the target software, looking to see if anything goes haywire. With this, you are testing to make sure that the software does not fail in the face of unexpected, badly formed input – imitating the techniques an attacker will use to uncover vulnerabilities.
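The fuzzing loop described above, as an added example that is not from the original article: a small mutation fuzzer run against a constructed record parser that trusts its length byte, and against a hardened variant. The record format, the function names and the seed input are assumptions made for illustration.

```python
import random

SEED = bytes([1, 3, 10, 20, 30, 60])  # constructed record: type, len, payload, checksum

class RejectedInput(ValueError):
    """Intended, clean rejection of a malformed record."""

def parse_naive(data: bytes) -> bytes:
    length = data[1]                      # trusts the untrusted length byte
    payload = data[2:2 + length]
    if data[2 + length] != sum(payload) % 256:   # IndexError when the length lies
        raise RejectedInput("bad checksum")
    return payload

def parse_hardened(data: bytes) -> bytes:
    if len(data) < 3 or len(data) != data[1] + 3:
        raise RejectedInput("length mismatch")   # validate before indexing
    payload = data[2:-1]
    if data[-1] != sum(payload) % 256:
        raise RejectedInput("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    kind = rng.randrange(3)
    if kind == 0:                         # overwrite one byte with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif kind == 1:                       # truncate at a random offset
        del data[rng.randrange(len(data) + 1):]
    else:                                 # append 1-7 junk bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception name: first input that triggered it} for unexpected failures."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except RejectedInput:
            pass                          # malformed input refused cleanly: not a finding
        except Exception as exc:          # anything else is a robustness bug
            findings.setdefault(type(exc).__name__, case)
    return findings

if __name__ == "__main__":
    print("naive:", fuzz(parse_naive))
    print("hardened:", fuzz(parse_hardened))
```

The distinction the harness draws is the one that matters in triage: a parser that refuses bad input with its own error type is behaving correctly, while any other exception is a failure the developer did not plan for.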
Finally, IAST, or Interactive Application Security Testing, is useful for finding security vulnerabilities in web applications. The IAST tool runs where your application is running, observes all data passing through the application, and detects and reports bugs.
In essence, there is no better approach to a secure development process than integrating security every step of the way – making it part of the process. By using an SSDLC, coupled with automated and integrated security testing, risk is reduced to a minimum. The sooner bugs are found, the cheaper and easier they are to fix, and the safer the final product will be.