By Nazar Tymoshyk, SoftServe
All of the world's most significant accomplishments are initially underappreciated. Just like Nikola Tesla was discredited of all his achievements and no thanks were given to Gideon Sundback for his zipper, the importance of security breakthroughs in software development are also often overlooked. Yes, we all know the "safety-first-safety-always" rule, but knowing is not enough; we must apply, so in this article let's discuss several things that will help you create the most secure software possible.
Sad but True: Security Process in Reality
In today's IT environment, it's no longer a question of whether your Web application is vulnerable to cyber security threats or may be attacked someday: the questions are, "When will it be?" and "How well are you prepared."
As security shouldn't be an afterthought in development, it also shouldn't be an afterthought in responsibility. Without introducing security at the initial stages of the software development lifecycle (SDLC), your chances of re-engineering solutions over and over to address security issues -- detected long after functional solutions are accepted -- rocket with the speed of light. The later you include security's share, the greater time, money and energy loss you'll face
Security, usually carried out in the form of a third party or internal audit, goes right before the release of a product. Being a security consultant, I see product owners and project managers addressing me almost in tears to save their creation from an "unexpected" hole. It gives me shivers down my spine every time. It's like complaining that you got wet on a rainy day, but it was you who deliberately left an umbrella at home.
Here's how the security process often looks in reality:
If you find the tiniest bug (which may turn out to be a grand entrance for a hacker), you should get back to basics – coding -- and then make up for every step following, from re-coding to re-auditing, until the problem is solved.
14 Steps to Secure Software
Since there’s no use crying over spilled milk, make sure a screw cap is tight. No doubt, maintenance and timely updates of servers are necessary these days. There are, however, other security measures to employ:
Involve a security expert in your project. It's wise to have someone responsible to continuously oversee all security testing efforts.
Conduct threat modeling. Imagine you’re a hacker and analyze how it is possible to misuse/compromise/hack your product. And then do it again.
Define right security requirements with your security expert/application hacker. Sometimes the problem is a lack of clear understanding of what should be secured.
Use security frameworks during coding, but avoid custom cryptography. It's better to follow OWASP coding guidelines.
Apply two-factor authentication where possible.
Log any high privilege activities to cover your back if a breach still occurs.
Execute static application security testing (SAST) defects with tools like Sonar, AppScan and Veracode.
Integrate dynamic application security testing (DAST) to continuous integration (CI) and test app security in the runtime.
Find the weakest point in your application logic. Logic issues are usually the root of evil in app security.
Fix defects and revalidate if they are fixed properly, twice and thrice over.
Configure patching for production and never forget to update your platform. You don’t want long-forgotten troubles from an outdated platform to live on.
Set up a vulnerability scanner to make sure no new security gaps appeared during the deployment and release Phase of your infrastructure.
Don’t skimp when it comes to proper penetration testing.
Evaluate your process with the OWASP Software Assurance Maturity Model.
Eat, sleep, secure, repeat. With a proper security program, the number of security defects should decrease from phase to phase:
- Coding - Carry out secure coding trainings
- Build - Conduct automated security tests (SAST, DAST)
- QA & security - Arrange manual penetration testing
- Production - Apply regular vulnerability scans
Here's a visual for you to print out and pin next to your computer to help aid in your everyday thinking. Be safe, developers!
Nazar Tymoshyk is a security consultant at SoftServe. He has a Ph.D. in Information Security and specializes in security consulting, enterprise IT consulting, application security assessments, penetration testing, Ruby, OWASP, Linux, virtualization/cloud, automation, networking, forensics and reversing. His security certifications include Certified Ethical Hacker (EC-Council), Zyxel Security Specialist, CIW Web Security Specialist, HP Fortify Security Technical Specialist, Cisco SMB Security Specialist, Certified Linux Professional, Certified Linux Engineer and Microsoft Certified Technology Specialist. With over 14 years of experience in information security and over seven years in network infrastructure management, Nazar is also the leader of OWASP Lviv Chapter. Nazar is a regular contributor to the SoftServe United blog.