Security in Software Development - 10 Steps to Implement in 2023
Building cybersecurity into software development is as important today as fitting secure locks to office facilities. Arguably, it is even more vital.
While physical intruders can cause loss and costs, a cyberattack can have a devastating impact, affecting not only the business but its customers, suppliers and other stakeholders.
Losses can be worse than financial.
Data breaches have an impact on customer trust and on a brand’s reputation from which recovery can be impossible.
For example, at the Aadhaar data breach case, personal details of more than a billion customers were leaked onto the dark web, with the perpetrators selling access for as little as $7.
The thought of falling victim to a breach of this nature is the sort of thing that will keep CEOs awake at night far more than the threat of burglars breaking in through a window.
Cybersecurity must be front and centre in the minds of software developers and stakeholders at every stage in the secure software development lifecycle (SSDLC). So, let's take a little closer look at this.
What is SSDLC?
Sometimes simply referred to as the SDL, this is a set of best practices that should be integrated into a business’s processes and procedures to strengthen security and compliance in software development. In the past, there was a tendency to think of security as a consideration for the testing phase of software development.
With SSDLC, cybersecurity is always in mind and incorporated in every lifecycle stage. As well as mitigating one of the key risks in terms of software vulnerabilities and their exploitation, SSDLC brings many secondary benefits. These include the following:
- Reduced risk of breaching regulatory compliance, with the associated fines and bad press.
- Cost reduction - catching flaws earlier makes it quicker and easier to address them and gives them less time to escalate into a real problem.
- Keeping development team members aware of the latest secure coding practices.
- Increased trust from customers when they see the priority placed on security.
- More consistent approach to security across the business.
- Developing in-house security expertise.
It's a "say no more" situation, isn't it? So, let's proceed to the practical part of this topic and talk about "how to".
Steps to implementing security in software development
The US National Institute of Standards (NIST) published its Secure Software Development Framework in February 2022. This gives a highly prescriptive framework for implementation, complete with standard references and methodologies for every step. To implement SSDLC with all the rigour of an internationally recognised and auditable standard, the NIST framework is an invaluable tool.
But while the framework tells you everything you could ever want to know about the how, of SSDLC it is, by necessity, vague on the what, as no two businesses have the same needs or risks.
The following guidance notes address this and can be used in conjunction with the NIST resource.
1. Identify key software development security risks
Before taking any active steps, it is vital to have a grip on the specific cybersecurity risks that a business faces. Spending some time brainstorming these risks and mapping the likelihood of them occurring and the impact if they do, and then considering how existing controls “move” these ratings is an exercise that can be both illuminating and valuable.
Every business will be different, but there are some common risks that arise time and again. Examples include the following:
- Legacy software - businesses have to walk a tightrope, and cannot upgrade software every week. But like physical facilities or fleet vehicles, software that is a few years old is always going to be more of a security risk.
- Poor code quality - when code is badly written, it makes the application harder to secure and often introduces new security vulnerabilities. Basic coding best practices such as input validation and secure coding practices can be neglected.
- Software systems not maintained - when an application is no longer being further developed, it is often left to manage itself. Vulnerabilities creep in and can be exploited.
- Password storage - many businesses have strict rules for passwords at the UI end, and then do the virtual equivalent of storing them in an old biscuit tin on the shelf.
- Web service vulnerabilities - web services can often be a rich source of personal information for hackers, yet are often the most poorly protected.
Understanding the risks and vulnerabilities that are specific to your business is the first step in mitigating and managing them.
2. Stay abreast of the top vulnerabilities
There are dangers inherent in being too inward-looking. Having established the business-specific risks, be aware of what is happening in the wider world. The Open Web Application Security Project (OWASP) maintains a list of the top-ranked cybersecurity vulnerabilities and updates it regularly.
Keeping the OWASP Top 10 close to hand and routinely reviewing it as a team helps ensure minds remain open to potential new vulnerabilities and areas of risk.
For example, security in serverless technologies is arguably one of the highest priorities for 2023, but is something that is not necessarily on every business’s direct radar.
3. Embed software security as top priority from the outset
Remember how almost alarmingly quickly people got into the habit of slipping face masks on in 2020? Or for those with longer memories, how we made the transition to car seat belts, so it became second nature to put one on when getting in the car? As humans, we are quite adept at making security second nature, and in software development, it needs to be part of the conversation from the initial planning stages of any project.
What does this really mean? Think about what security vulnerabilities may be exposed at each development stage. Likewise, evaluate the security impact of any changes, addition of new features and so on.
With SSDLC practices, you can weigh the security risks that can impact every stage of the development lifecycle, then work through each to ensure essential controls are in the right places - your facemasks and seat belts, if you will.
4. Security is everyone’s responsibility
The SSDLC framework can be drawn up by a specialist, but its implementation needs buy-in and understanding from the entire software development team. Otherwise, it is just so many words. Security awareness training is therefore a vital step, without which SSDLC is doomed to fail, it is that simple.
That training should cover the steps mentioned so far and those to come. Without wishing to get too evangelical, buy-in only comes when training covers the why as well as the what and how. Training should also look at cybersecurity from the other side of the telescope, giving teams the opportunity to ponder on how cybercriminals work and what motivates their actions.
Security does not stand still, so don’t make the mistake of treating training as a “set it and forget it” one off exercise. It needs to be part of the process and regular training meetings and activities are essential.
5. Perform constant code reviews and analysis
Code reviews should also be a routine part of every developer’s life - not a periodic witch hunt when something goes wrong. Coding is and has always been a security minefield and a change made here can expose a new vulnerability there, especially in emerging areas like mobile application security. Adopt defensive coding practices, which means keeping the code as neat and minimalist as possible.
Even the most experienced coders can make mistakes - it is called being human. Static code analysis provides a worthwhile safety net and can identify security vulnerabilities, as well as providing an auditable process for code review.
There are various tools out there that can be deployed. We will not go into depth reviewing them here, but SonarQube is a popular open source option, as well as Semgrep. Others include Checkmarx SAST and Veracode Static Analysis.
6. Use the best-maintained frameworks and libraries
There are always multiple ways of doing things and everyone has their own preferences when it comes to coding tools, frameworks and libraries. As a rule of thumb, the more popular libraries and frameworks are the ones that are better maintained and are less likely to have vulnerabilities than those that are more obscure or have just been created last week.
Open source components bring numerous benefits beyond cost. They typically benefit from swift bug detection and the rapid deployment of patches. But whatever frameworks and libraries are used, a little due diligence in checking their reputation and searching for previously detected vulnerabilities using such resources as Snyk Vulnerability database can save a lot of headaches down the line.
7. Deploy benchmark coding standards and guidelines
SSDLC starts and ends with coding practices, and if these do not follow industry best practices, everything else is tantamount to rearranging the deckchairs on the Titanic.
Maintaining the best coding standards will promote enhanced design principles and will in itself reduce security vulnerabilities. Also, having clearly understood and communicated guidelines in place makes management, monitoring and audit easier and more practicable.
Drawing up a set of coding guidelines that dictate what is written and how is a subject in its own right. We will not do a deep dive on that here, but we will briefly mention some of the security vulnerabilities and popular types of attack that it needs to address:
- Complete encryption - all data should be encrypted as a matter of course.
- Password storage - passwords should never be stored in plain text. A hashing algorithm allows you to securely store them in a database.
- Sensitive data exposure - related to the encryption issue, but this is when particularly sensitive data, such as bank details, social security numbers, encryption keys and so on are ot adequately protected.
- Logging and monitoring - this is often seen as an administrative burden, resulting in corners being cut. But if logging and monitoring is not sufficient, attacks can take place without anyone even noticing.
- SQL injection attack - this is a form of attack that inserts a malicious SQL query through an application interface to either manipulate data or export it from the back-end database. SQL injection attacks have been around since the late 90s in different forms and are not hard to prevent if you’re using parameterised queries and have strong input validation in place.
- Buffer overflow attacks - hackers slip code into a program’s buffer that can then be triggered to take control of the app.
- XSS - cross site scripting is when an attacker is able to inject a malicious script and in case of successful exploitation use it to conduct various attacks against the application users (steal user cookies, change page content, insert malicious links into the targeted website code, etc.).
8. Adopt penetration testing
A business can go a long way towards implementing SSDLC internally. But there comes a point where best practice dictates some external support from a Security Testing Services specialist. One of the most valuable functions is penetration testing.
This essentially uses the tools and techniques that hackers use to test the security of your system - a little like challenging a team of safe crackers to break into your vault.
9. Third parties and supply chains
A chain is only as strong as its weakest link. There have been some genuine horror stories about cybersecurity vulnerabilities in supply chains that have turned around and bitten related businesses.
The Target HVAC incursion ended up costing the retailer more than $18 million in settlements as well as doing reputational damage that cannot be measured in dollars. In short, cybersecurity practices need to contemplate the entire supply chain.
10. ISO 27001 certification demonstrates you are serious
Businesses that care about quality get ISO-9001 certified. Those that take cybersecurity seriously get ISO 27001. That might sound over-simplistic, but it is the way customer perception works and having that certification mark on your homepage and framed in the reception area sends out a strong message.
ISO 27001 is more than just a marketing badge of honour, however. Certification brings practical help to your cybersecurity efforts by helping you maintain the right process as well as practices.
To sum up
There are a lot of challenges in today's World of technologies, especially that concern data privacy. It is more reasonable to approach security as a continuous process from the beginning and not narrow it down to one-time activity or one person's responsibility. It's a constant process that everyone should maintain according to their access and roles.
We at TechMagic care about the security of all apps developed. Everyone involved knows the latest security practices and sticks to the standard security rules.
Moreover, we offer penetration testing and security training as individual services to help you keep your product secure and reliable.
Contact us regarding your particular case, and let's discuss how we can be helpful to you.
Why is security important in software development?
Security is more important today than ever as today’s applications are so much more accessible, for example via WiFi, mobile internet and the cloud. The consequences of a security breach can be catastrophic, both financially and in terms of reputation damage and regulatory sanctions.
What is SSDLC?
A Secure Software Development LifeCycle involves integrating cybersecurity considerations and measures into every step of software development, from ideation to testing.
What is secure software?
Secure software is designed or engineered to withstand malicious attacks. As a secure building will keep its contents and occupants safe if would-be intruders attack, secure software continues as normal without allowing attackers to access or manipulate either its code or its data.