Cybersecurity or software development – which of the two is the top priority in the minds of IT specialists today? Evidently, it is the wrong question to ask. The two concepts are closely intertwined, since the first thing developers should focus on when designing software is security.
At first, security measures were associated with the safety of data and of the facilities where it is stored, so protecting computers and networks from unauthorized intrusion was of the utmost importance to security experts. Later, people became aware that software can be vulnerable to interference as well. Yet this realization came as a painful shock only after computer systems in many countries had been targeted by hackers wreaking havoc all over the computer world.
The Importance of Security in Software Development
The digitalization of contemporary life is quickly approaching the stage when it can be called ubiquitous. Entire industries are becoming virtual, to say nothing of numerous amenities and services. The amount of money circulating in the IT sphere is astounding and shows a steady tendency to grow. This trend has been spotted not only by businesses but also by astute criminals who hope to sponge on unwary internet users.
The end of the previous millennium witnessed numerous attacks against the programs by Microsoft – the world’s largest software manufacturer – when Code Red, MyDoom, and Nimda bugs cost individual and corporate users millions of dollars. In 2002, the company reacted by shutting down its Windows division to channel joint efforts of the personnel into detecting and fixing security bugs occurring in the codebase.
Since then, the awareness of the importance of security in software development has increased dramatically with the expansion of CVE lists rapidly gathering momentum.
These Common Vulnerabilities and Exposures dictionaries streamline sharing data on the disclosed problem areas in tools, databases, and services.
All these steps notwithstanding, the number of cyber strikes didn’t abate. On the contrary, SQL and command injections, buffer overruns, and stack buffer overflow attacks were directed against various big-time businesses. Sony Pictures and Citigroup in 2011 and HBO in 2017 suffered data leaks that caused not only financial but reputational damage as well. Individual desktop users aren’t exempt from the depredations of hackers either, which was made evident by the WannaCry mayhem.
However, the impact of such deleterious activities on the IT world is surprisingly contradictory. On the one hand, the Internet of Things Development Survey held by Evans Data reveals that half of the developers working with the industrial IoT recognize security requirements as the top challenge for the near future. On the other hand, only 30% of mobile app manufacturers check their products for security vulnerabilities. Still more gruesome is the figure of 17% – this is the ratio of IT decision-makers who implement security testing for bugs before releasing code, according to a Veracode survey. Why do so many IT specialists neglect security issues?
Another Time-and-Money Curse
Software becomes vulnerable to intrusion because of security holes – unintended factors in program execution through which a wrongdoer can cripple the functioning of the program or implement actions detrimental to the user. Why do programmers ignore or fail to notice these holes? IT experts from software development outsourcing company Gravum give two reasons for it – money and time.
Typically, software developers view their products as ones designed “For the Benefit and Enjoyment of the People”, as the sign above the entrance to Yellowstone says. Working in a friendly environment devoid of any malicious or deliberately destructive behavior, they tend to focus on the joy of creation, forgetting that not all people are well-intentioned. Companies that pay for the software are reluctant to take off the programmers’ rose-colored glasses, mostly because they would have to fork out a pretty penny to implement adequate security measures.
Moreover, eager for a quick profit, companies urge developers to deliver finished products on short notice. As a result, programmers pile together scarcely working code, which turns out to be infested with bugs and security holes that unscrupulous hackers can easily exploit.
The companies are fine with the status quo as long as they can get away with it, but cybersecurity specialists clamor for more attention to be paid to security and for security testing to be used extensively to find vulnerable code sections. Yet, as vulnerability testing measures grow, so does the recognition of the limitations of a retroactive response to security issues. Experts realize that they should focus on preventing future security breaches rather than detecting existing problems. Such an approach presupposes the integration of security factors into the very fabric of software development.
Cybersecurity through Secure Software Development
Microsoft programmers were the first to descry the fallacy of the stereotypical juxtaposition of cybersecurity and software development, in which these issues were considered piecemeal. Experts at Melior Games promote a totally different approach, advising companies to teach developers the ABC of writing secure code, incorporate security architects into project teams, and invest in secure development tools.
Thus, Microsoft started to change its policies. At the turn of the century, the company relied extensively on the Software Development Lifecycle (SDL) as a consistent procedure for creating complex systems, from requirements gathering through to system shutdown and disposal. After 2003, another SDL came into play instead – the Security Development Lifecycle, which incorporated security factors into the process of coding. This is achieved by providing an entirely open codebase coupled with repeating cycles of auditing and code review. As a result, the products by Microsoft dropped out of the top three software brands with high security vulnerability.
Evidently, this approach works, beckoning to other developers to follow suit. How is it executed in practice?
Cybersecurity specialists aren’t exactly expert programmers. They are rather a breed of white hat hackers who sift through code searching for vulnerabilities and bugs. While doing this, they pay primary attention to the security requirements for the software’s use, the expected user base, the data that is likely to flow through the software in question, and the underlying technologies and languages in use.
Focal Aspects of SDL Implementation
There are two approaches to practicing SDL. The first presupposes introducing cybersecurity stratagems at the design and testing stages. This waterfall development model is quite efficient in implementation, yet it leaves almost zero opportunities to affect the software after it has been deployed.
A more viable method consists of incorporating security protection steps at each phase of the iterative coding cycle, which makes it possible to identify and fix any possible vulnerability.
Whatever approach appeals to the SDL team, the key security aspects they implement are pretty much universal.
- Authorization and authentication procedure. The security control mechanism in this area presupposes a system that requires re-authentication (or multi-component authentication), as well as file, database, and resource permissions, if the user wants to change identity.
- Data validation. This technique establishes a centralized validation scheme that includes the transformation of data into a standard (canonical) form, the use of common libraries containing validation primitives, and the use of language-level types, which lets code rely on assumptions about data validity.
- Cryptography. It is one of the cornerstones of SDL, responsible both for protecting the confidentiality of data and for preventing its unauthorized alteration. It pursues other goals as well, focusing especially on data source authentication.
- Sensitive data handling. Data sensitivity is determined by the company’s policy, legal regulations, users’ expectations, and many other factors. SDL mechanisms first identify sensitive data and then introduce file, memory, and database protection patterns as elements of the access control procedure. Cryptography also has its say in this aspect, preserving both data integrity and confidentiality. To ensure data availability, redundancy and backups are included as well.
- Analysis of security effects of external element integration. An SDL team aims to expose any threats that might ensue from the integration of third-party applications into the particular software. To do that, it analyzes errors in this application together with access and compatibility issues between the app and the software in question. The ultimate goal of such procedures is to make sure that external integrations don’t affect the proper functioning of the software.
- Data backup and recovery. It is attained by synchronizing data replication and providing nightly backups and point-in-time recovery.
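The data validation item above, shown as an added example that is not part of the original article: input is canonicalized first, checked with a shared primitive, and then carried in a type that can only hold validated data. The `Username` type, its allow-list pattern and the reserved-name list are assumptions made for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass

class ValidationError(ValueError):
    """Single error type raised by every validation primitive."""

def canonicalize(raw):
    """Step 1: bring input to one canonical form before any check runs."""
    if not isinstance(raw, str):
        raise ValidationError("expected text")
    # NFKC folds compatibility characters (e.g. fullwidth letters) to plain forms,
    # so look-alike spellings cannot slip past the checks below.
    return unicodedata.normalize("NFKC", raw).strip().casefold()

def check_pattern(value, pattern, what):
    """Step 2: shared primitive, an allow-list match on the whole string."""
    if not pattern.fullmatch(value):
        raise ValidationError(f"invalid {what}")
    return value

# Assumed policy for this example: 3-32 chars, ASCII letter first.
_USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
_RESERVED = frozenset({"admin", "root", "system"})

@dataclass(frozen=True)
class Username:
    """Step 3: a type whose existence proves validation already happened."""
    value: str

    def __post_init__(self):
        # Checked in the constructor too, so Username(...) cannot bypass parse().
        check_pattern(self.value, _USERNAME_RE, "username")
        if self.value in _RESERVED:
            raise ValidationError("reserved username")

    @classmethod
    def parse(cls, raw):
        return cls(canonicalize(raw))

def try_parse(raw):
    """Return the canonical username, or None when the input is rejected."""
    try:
        return Username.parse(raw).value
    except ValidationError:
        return None

if __name__ == "__main__":
    # Constructed sample inputs; the third is "ADMIN" in fullwidth letters.
    for sample in ["  Alice_01 ", "bob; --", "\uff21\uff24\uff2d\uff29\uff2e", "ab"]:
        print(repr(sample), "->", try_parse(sample))
```

Functions elsewhere in the code base can then accept `Username` rather than `str`, which moves the validity assumption into the signature.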
In addition to these considerations, it is sensible to go through the OWASP security checklist. This foundation is a non-profit resource that aims to improve software security. It recommends paying attention to cross-site scripting and cross-site request forgery, injection prevention, broken access control, and under-protected APIs, all of which can endanger the security of your software.
Software security is one of the top concerns of the contemporary IT world. Until recently, the approach to ensuring security consisted in reacting to threats and playing catch-up with hackers. A novel modus operandi involves the integration of security considerations at the stage of software development. Such a conception shows that cybersecurity professionals have a role to play in the SDL, replacing the retroactive mode with vulnerability prevention techniques.