With National Cyber Security Awareness Month well underway, with its goal of raising awareness about cybersecurity and increasing the nation’s resiliency in the event of a cyber-incident, this week we’re continuing our series of tips aligned with each of the campaign’s focus areas by looking at the secure development of IT products.
In today’s cyber world, no IT product can go to market without addressing security to one degree or another. Industry best practices dictate that any IT product go through a rigorous Software Development Life Cycle (SDLC), where security concerns are addressed early and often throughout the SDLC process. Organizations that are vigilant about maintaining the highest levels of quality control throughout the SDLC process ensure that their products gain market share and sustain consumer confidence. In today’s business world, technology has certainly changed the way we do business, but the business will always drive the technology that supports the business.
Government agencies are no different than commercial businesses in that they too provide a service to their customers (the public) and are quite similarly compelled to provide those services efficiently, effectively, and economically. However, the major difference between a government agency and a commercial business is that a commercial business is ethically compelled to offer a secure service in order to ensure its viability in the marketplace; the U.S. Federal government is legally compelled, by presidential directive, to provide secure services in the name of enduring constitutional government.
For the most part, however, companies lack a definitive source of information from which they can learn or which they can use as an SDLC guideline. Until one exists, all companies can do is develop their own SDLC methodologies, drawing on the best of the assortment of SDLC methodologies published in the industry.
Here are five principles that IT product developers need to embrace in order to develop secure IT products:
1 – Understand the Business Requirements
Any project, no matter what the industry, begins with requirements. When business owners search for IT products, they are seeking a product that will support the business services they provide in order to be competitive in their target market and grow their business. IT product developers must understand the requirements from a business perspective in order to choose the security controls that most adequately satisfy the business requirements. Once a developer understands the business constraints the organization needs to operate within, the developers can then recommend the necessary security controls that will help ensure that the organization’s assets remain secure.
2 – Develop a Functional Design Document that Addresses Security throughout the Specifications
In a functional design document, product objectives are stated by the product developers to address the business requirements. The product objectives define the intended architecture and any rules, regulations, and guidelines with which the product must comply. The functional specification is the documented artifact that demonstrates compliance with the stated product objectives: a formal document that describes in detail, for software developers, a product’s intended capabilities, appearance, and interactions with end users.
3 – Secure Technical Design
All technical assumptions should be identified and documented in the technical design document. The use of “misuse cases”, which capture the types of attacks that can be made on the system and how the system should behave in such situations, is a relatively new approach, but it goes a long way toward addressing the security requirements of an application. Threat models capture the security strength of a system by identifying threats and vulnerabilities, and they help provide a more accurate sense of the system’s security. Encryption details such as the encryption algorithm, hashing algorithm, and key length should be identified and documented in the design document.
4 – Writing Secure Code
The most common attack vectors for cyber criminals, aside from the end user, are source code flaws in application software. Most Web Application Firewall (WAF) products on the market are signature based and can be defeated by sophisticated cyber criminals. Advanced Persistent Threat (APT) detection tools may capture malicious activity within the infrastructure, but only after attackers have compromised the perimeter defenses. The OWASP guidelines go a long way in helping developers write secure code. Apart from the OWASP guidelines, companies should have secure coding guidelines for the technologies (Java, .NET, PHP, etc.) that they use. While most organizations already conduct code review, reviewing the code against secure coding guidelines is not always adequately emphasized, which can leave vulnerabilities in the code that attackers can exploit. Some automated security code review tools are available on the market that can help reduce source code flaws.
5 – Application & Quality Assurance (QA) Testing
Vulnerability assessment, penetration testing, and ethical hacking are quickly becoming standard practice in most industries. They help identify many security vulnerabilities in applications before the applications are put into production. IT product developers can leverage this testing in QA environments to strengthen their product before release. Test cases targeting security can be derived from misuse cases, since these test cases check how a system should not behave. They should be run against the application in the QA environment to verify that the misuse cases are handled as designed. Some attack testing can then be done to check whether a recognizable pattern can be established from the logs in the QA environment.
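As an added example (not code from the original post), here is how the misuse cases called for in the design step can be carried straight into QA tests: the design-document values (hash algorithm, key derivation cost, salt size, lockout threshold) are assumed constants recorded where reviewers can check them, and each misuse case becomes a test of how the hypothetical `LoginService` must not behave. The service, the test account, and the MC-1 to MC-3 identifiers are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Design-document values (assumed for this example): the hash algorithm, key
# derivation cost, salt size and lockout threshold are written down where
# reviewers and QA can check them against the implementation.
HASH_ALGORITHM = "sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_USERNAME_LEN = 64
MAX_FAILED_ATTEMPTS = 5

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(HASH_ALGORITHM, password.encode(), salt, PBKDF2_ITERATIONS)

class LoginService:
    """Hypothetical login service; how it behaves under misuse is what QA tests."""
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self.accounts[username] = {"salt": salt, "digest": hash_password(password, salt),
                                   "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> bool:
        if len(username) > MAX_USERNAME_LEN:
            return False  # MC-1: oversized input is rejected before any lookup
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            return False  # MC-3: a locked account refuses even the right password
        if hmac.compare_digest(acct["digest"], hash_password(password, acct["salt"])):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True  # MC-2: repeated failures lock the account
        return False

def run_misuse_cases() -> dict[str, bool]:
    """Each misuse case becomes a check that the system does NOT do the wrong thing."""
    svc = LoginService()
    svc.register("alice", "correct horse")  # constructed test account
    results = {"MC-1 oversized username rejected": svc.login("a" * 65, "x") is False}
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    results["MC-2 brute force locks account"] = svc.accounts["alice"]["locked"]
    results["MC-3 locked account refuses valid password"] = svc.login("alice", "correct horse") is False
    return results
```

In a QA pipeline each key of `run_misuse_cases()` maps back to a misuse case in the design document, so a failing entry points directly at the requirement that was not implemented.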
In summary, there are many steps that can be taken to integrate security at different stages of the SDLC. The more of them we take, the more difficult we make it for attackers to break into our application. This is by no means a complete process, but it can serve as a guideline for companies that are still searching for answers on how to build a secure design methodology suited to their needs.
U.S. National Cyber Security Awareness Month Blog Series:
Week 2: 5 Tips for the Secure Development of IT Products