In the first part of this series, I covered the cost, time and benefits associated with baking security into the software development lifecycle from the beginning. In today’s post, I will discuss how and why we need to bring security into the software development testing process early on. Between 70 and 90 percent of breaches are caused by a software vulnerability, and the remaining percentage is caused by human error. In software development, security has always been an external checkpoint. But if we make security core to the software development process, we will save energy and money. Here’s one way to do it. As part of the QA process, consider running tests on the following:
- How input is handled (standard pen-testing practices such as fuzzing input, tests for SQL injection, tests for HTTP header injection, etc.)
- The application logic (e.g. test of reliance on client-side input validation, testing of transaction logic, testing multi-stage process for logic flaws etc.)
- Authentication logic (e.g. password quality rules, username inventory, resilience to password guessing, etc.)
- Miscellaneous things such as session handling, attack surface, application hosting issues, etc.
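To show what the first category looks like once it lives in the QA suite rather than in an external checkpoint, here is an added example (not code from the original post): a small lookup function and a header setter, each paired with the regression checks a tester would run for SQL injection, HTTP header (CRLF) injection and random-input fuzzing. The user table, probe strings and function names are constructed for this illustration.

```python
import random
import sqlite3

# Constructed sample schema and rows (assumption: not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user(conn, name):
    """Lookup by name using a bound parameter, never string formatting,
    so injection-shaped input is matched literally and returns no rows."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def set_header(headers, name, value):
    """Refuse CR/LF in a header value so one value cannot split into extra headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    headers[name] = value
    return headers

# QA-side security checks: each returns True when the expected behaviour holds.
SQLI_PROBES = ["' OR '1'='1", "alice' --", "x'; DROP TABLE users; --"]
HEADER_PROBES = ["ok\r\nSet-Cookie: x=1", "ok\nX-Injected: 1"]

def sqli_probes_match_nothing(conn):
    """Every classic SQL injection probe must return zero rows."""
    return all(find_user(conn, p) == [] for p in SQLI_PROBES)

def header_probes_rejected():
    """Every header-splitting probe must be rejected with ValueError."""
    for p in HEADER_PROBES:
        try:
            set_header({}, "Location", p)
            return False
        except ValueError:
            pass
    return True

def fuzz_lookup(conn, rounds=200):
    """Seeded fuzz of the lookup: it must never raise, and the table must
    survive intact; returns the row count so the check is a value, not output."""
    rng = random.Random(1)
    alphabet = "abc'\";-\\%_ \r\n"
    for _ in range(rounds):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 20)))
        find_user(conn, s)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

These checks run with the rest of the unit tests on every build, which is what moves security from a late gate into the development cycle.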
So, what could a secure development cycle look like in terms of Agile, XP or Scrum? Here is one process description that could be the framework for similar processes:
Here are the six most important factors to consider:
- Security of most applications and websites is faulty or vulnerable, causing potential issues and the loss of funds. According to a recent study, the average cost of breaches is approximately $3.8 million.
- The cost to implement security grows exponentially the later it is introduced into the process.
- In IoT, security receives even less attention than in app development. The vendors that invest prominently in shielding their clients from security risks and threats will be the leaders of the new market niche.
- In Industry 4.0, the industrial value-generation process is based on networked machinery. The impact of having vulnerable systems or software will be devastating.
- Your client’s assets and your assets are closely linked. If either is affected by a breach or hack, both might be lost.
- There has never been a cheaper way to get ahead of the competition than by implementing secure software development cycles.
Whenever the next big data breach hits, new laws and regulations will be developed and enforced. These new requirements will demand proof that security has been built into your application, software or equipment. Being able to prove that your software is secure will ensure a five-star rating, and customers will appreciate it as well. What is the downside of ignoring the additional work of baking security into your product from the beginning? The answer is that security defects found later will cost significantly more to address. In the case of data protection and information security, negligence can damage a company’s reputation and value.
For instance, companies like Target, Sony, Anthem, and even the Office of Personnel Management, have been victims. The resulting devaluation of their shares is evident and well known. In its latest incident response report, SANS summarized the findings with the following: “These and other results of the 2015 survey show that incident response (IR) and even detection are maturing. For example, although malware is still the most common underlying reason for respondents’ reported incidents, 62% said malware caused their breaches, down from 82% in 2014. Data breaches also decreased to 39% from 63% last year. Such results hint that malware prevention and other security technologies are working in an increasingly complex threat landscape.” These results also indicate that companies have started to respond, and are fighting back on the online battlefield against malicious actors.
If your IT team is not prepared to respond, you will miss the boat. At this moment, you have a chance to be a leader. As the market landscape embraces security, the correct skill set can be hard to come by. Consider outsourcing your software development needs as a best practice to ensure that your applications have adequate levels of security built into them.
Published first here: Why Security Needs To Come First In Software Development: Part II | Shinetech Blog