In this installment of our cyber safety series, learn how implementing a secure software development process can minimize your risk for software breaches.
Exploiting software vulnerabilities is one of the most common causes of cybersecurity breaches. These vulnerabilities are flaws in application code that, if identified by “bad actors” or cyber criminals, can be exploited to compromise a secure network. Some of the largest security breaches in recent memory, such as the 2017 Equifax data breach, 2019 Capital One breach and the 2013 Yahoo data breach, were due at least in part to software vulnerabilities.
Despite the prevalence of software vulnerability exploits, security vulnerabilities are often an afterthought in software development, as software engineers are primarily focused on developing applications that meet user functionality and performance requirements. Traditionally, security is considered in the late phases of software development, namely testing and implementation. However, testing is usually focused on identifying bugs that impact application functionality, and vulnerabilities identified in the later stages usually require significantly more time and resources to resolve.
What is Secure Software Development?
The general idea of secure software development life cycle (SDLC) is to move security to the earliest phases of software development, also referred to as shifting security left, and to integrate security in all phases of the development process. There are several secure SDLC models aimed at addressing cybersecurity risks in software development. Some of the more well-known ones include Microsoft’s Secure Development Lifecycle Practices and NIST’s Secure Software Development Framework.
Moving security to the early phases of your SDLC process, and integrating security throughout all phases allows your organization to not only identify and address security issues before writing the first line of code, but also positions you to identify and address unexpected issues sooner in the process. Identifying security vulnerabilities early also significantly reduces the cost and effort required to address these issues, versus trying to tackle them at a later stage. In fact, according to IBM’s System Science Institute, the cost of addressing vulnerabilities identified during the testing and maintenance phases is 15 and 100 times more expensive, respectively, than if they were identified during the design phase.
How to Adopt a Secure Software Development Model
Adopting a secure software development model will help your organization reduce vulnerabilities in released software and minimize the impact of exploited vulnerabilities. Below are some steps to take to move to a secure development process.
Establish Organizational Level Security Requirements
Define policies specifying the software development security requirements, including secure coding practices, software architecture requirements and securing the development infrastructure.
Educate Your Development Team
Educate your developers on secure coding practices, frameworks and the use of security focused development tools.
Consider Security at Every Phase
Integrate security considerations throughout your existing SDLC process. Some examples of integrating security into SDLC include:
- Defining security requirements as part your functional requirements gathering phase; requirements may include internal policies, and applicable laws and regulations.
- Considering security requirements during application design. Consider security risks associated with key aspects of the application, such as the types of data the application will have access to, third party integrations, and the development technologies and underlying platforms to be used.
- Considering security when building test cases. In addition to testing the functional security features built into the application, you should also leverage testing tools such as fuzz and dynamic vulnerability testing to identify security vulnerabilities.
With cyber criminals aggressively seeking out software vulnerabilities to exploit, we can expect to see more breaches in the future. Implementing a secure software development model will bring security to the forefront of your development process and minimize the chances that vulnerabilities in your software will be the cause of the next major breach.
Contact a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.