That’s Not How it Works: All Development Should be Secure Development

By : Jonathan Knudsen | Thursday, July 02 2020 - 17:10 IWST

Jonathan Knudsen - Senior Security Strategist, Synopsys Software Integrity Group
Jonathan Knudsen - Senior Security Strategist, Synopsys Software Integrity Group - Secure development is more important today than ever before. A vast number of cyberattacks have placed security in the spotlight, with many organisations adopting safer practices to ensure that ‘all development be secure development’. The key is minimising risks while maximising speed and efficiency. By automating and integrating security into the software development lifecycle (SDLC), vulnerabilities can be found earlier, and bugs can be fixed faster.

Doing it right

When it comes to software, anyone can do it, but it doesn’t always come out right. The four fundamental steps in software development are to decide what to build, decide how to build it, build it and test it. Through the history of software development methodologies, these fundamental steps have been expanded and twisted into different shapes. The latest iteration is the infinite loop of DevOps.

Whether you are building or buying software, it is crucial that software products are as secure, robust and resilient as they can be. This may seem easier said than done. However, by taking on the builder’s perspective and circling back around to the buyer’s perspective, problems are more effectively identified, and risks are better evaluated.

Think security at every step of the way

Organisations that create software must think about security from start to finish. The real world is messy. Cyberattacks are bound to happen, and products can fail despite best efforts. By better understanding what cyber security means and how it needs to be implemented into your processes, developers are able to write better code, effectively test for bugs and lower the risk of attacks and accidental failure. Adopting a Secure Software Development Life Cycle (SSDLC) provides a solid foundational process for incorporating security into every phase of software development. The sooner bugs are fixed, the less costly they are to resolve and the more secure the system becomes.

Microsoft was an early proponent of the SSDLC, although they named their process the Secure Development Lifecycle (SDL). From education to incident response, Microsoft identified12 different practice areas that help development teams keep security in mind at every phase of development.

Understanding the SSDLC is crucial regardless of whether you build or buy software. As a buyer, you need to have a good grasp on what you want your vendors to be doing in terms of security. On the other hand, as a developer, following an SSDLC will help you make products that are safer, more secure, and work better. It is all about the process – integrating security at every step with the help of security testing tools. As such, investments are maximised while risks are minimised.

Testing and more testing

When it comes to product security, four main classes of tools are commonly used in hunting for vulnerabilities. First, source code analysis, also known as Static Application Security Testing (SAST), helps identify bugs in source code. Additionally, it is able to navigate through control paths, looking at how data flows through the application.

The second type of tool is Software Composition Analysis (SCA), also known as supply chain analysis. An SCA tool scans source code or binaries and creates a list of third-party software components (often open source) that were used to build your software. This list is the software bill of materials. SCA tools will also check each software component for known vulnerabilities and license terms. While using third-party software components helps you bring the product to market faster, managing those components is crucial in reducing security and licensing risk.

Third, fuzz testing delivers deliberately malformed inputs to the target software, looking to see if anything goes haywire. With this, you are testing to make sure that the software does not fail in the face of unexpected, badly formed input – imitating the techniques an attacker will use to uncover vulnerabilities.

Finally, IAST, or Interactive Application Security Testing, is useful for finding security vulnerabilities in web applications. The IAST tool runs where your application is running, observes all data passing through the applications, and detects and reports bugs.

In essence, there is no better approach to a secure development process besides integrating security every step of the way – making it part of the process. By using an SSDLC, coupled with automated and integrated security testing, risk is reduced to a minimum. The sooner bugs are found, the cheaper and easier they are to fix, and the safer the final product will be.

News Comment

Today's Industry

Friedhelm Best - Vice President Asia Pacific, HIMA (Photo by HIMA)

Rabu, 05 Agustus 2020 - 21:10 WIB

3 Essential Considerations When Modernizing the Safety System of Industrial Facilities

As countries in Asia start to ease restrictions and more businesses return to operation in the midst of the COVID-19 pandemic, industrial plant operators are strategising a return to normality…

Gil Yankovitch, Firmware Technology Lead and Ram Yonish, Firmware Security Evangelist (former co-founders of Cymplify Security, acquired by Check Point) (Photo by LinkedIn)

Rabu, 05 Agustus 2020 - 21:00 WIB

While IoT security standards lag, IoT security companies innovate – Overview of trends in IoT cyber security

While IoT and OT devices proliferate, IoT security standards and regulations are few and far between. Unsurprisingly, this puts individuals, enterprises and states at major risk.

Ilustration Brand phishing (Photo by Technonlogy For You)

Selasa, 04 Agustus 2020 - 09:15 WIB

Google and Amazon Overtake Apple as Most Imitated Brands for Phishing in Q2 2020

Brand phishing involves the attacker imitating an official website of a known brand by using a similar domain or URL, and usually a web page similar to the original website.

Tommi Makila, Senior Solutions Architect at Synopsys Software Integrity Group (Photo by LinkedIn)

Selasa, 04 Agustus 2020 - 08:20 WIB

Are you following the top 10 software security best practices?

Each and every company’s security needs are unique and ultimately the practices and policies related to such will be unique (or as I like to put it; it’s a journey).

Ardhi Bebi Laksono

Jumat, 31 Juli 2020 - 19:30 WIB

Market Trend E-Comerce in Indonesia

As many as 90 percent of internet users in Indonesia have made purchases of products and services online.