How to secure the Software Development Life Cycle
We live in an age of technology and science where rapid change and continuous evolution are the norm. Rapid technological change involves, among others, technologies like big data, the Internet of Things, machine learning, artificial intelligence, robotics, 3D printing, biotechnology, nanotechnology, renewable energy technologies, and satellite and drone technologies.
The problem with this fast-paced change is that it creates loopholes for security breaches. Cyber security is a prime example: breaches happen daily. A data breach occurs when protected information is exposed, whether through malicious action, by accident, by theft by attackers, or by being shared unintentionally with unauthorised users.
So how do we minimise the risks?
Step 1 – 24/7 monitoring:
In order to detect data breaches immediately, organisations must have 24-hour monitoring services. Research states that most cyber security breach victims are unaware of data breaches or are notified months after the breach, and that it usually takes 55 days to recover. This lost time leads to data being severely compromised, potentially causing a severe loss of revenue, a tarnished reputation and the loss of customer trust.
Step 2 – Vulnerability testing:
With evolving security requirements and cybercrime becoming more sophisticated, systems must be tested regularly for robustness and compatibility.
Step 3 – Training employees:
Personnel need to be trained to handle personal information, security breaches and working from non-secure environments. Trainees must be given clear, accurate and actionable advice that focuses on the latest trends and technologies.
These steps help to identify and monitor the environment and its vulnerabilities regularly, with a constant hands-on approach that will mitigate the risk of a cyber security breach.
We will now dive into securing the Software Development Life Cycle (SDLC) and the benefits thereof:
Costs are lowered because security flaws are eliminated, or defects are detected, early
Architecture and design flaws are removed before they are published or deployed
With secure methodologies, stakeholders cannot pressure software releases at the expense of unresolved security flaws
Software performance improvements
Reduction in business risks
Increased customer trust and loyalty
Ongoing compliance with laws and regulations regarding security is ensured
Best Practices in Security
Concept and Planning
This is a crucial step, as here we define the project's security requirements and compliance goals. Security requirements should be incorporated into every stage of software development. As part of planning, all weaknesses and potential security gaps should be identified and correctly handled. We need to measure how specific processes behave and operate by setting constraints on them.
A selection is made of the secure SDL methodologies that suit the project or build. Adequate security and vulnerability training must be given to the project team members. Lastly, the required resources, with the necessary skills and knowledge in application security, must be allocated.
Architecture and Design
Secure software development principles and techniques, supported by design and code architecture reviews, should be applied to ensure that best practices are followed and that no security flaws creep into the design and development.
A secure multicore software design must be implemented, and access rights and roles must be appropriately defined. Third-party software must be inspected and researched for vulnerabilities or security hazards. Cyber-threat modelling defines possible security breaches and aids in setting up countermeasures within the solution architecture.
Adhering to security principles and implementing secure coding routines is essential. Up-to-date and secure libraries and frameworks can be used to avoid middleware issues, vulnerabilities and data leaks. Only supported libraries from trusted vendors should be used.
Databases should be appropriately configured and protected to prevent or reduce any form of data breach. Encoding and escaping are applied in our coding techniques so that untrusted data cannot be interpreted as code.
Validating inputs both syntactically and semantically ensures that the code is consistent, readable, sustainable, efficient and safe, and that no incorrect inputs are accepted. It is important to adhere to strong password requirements and to implement cryptography, session and cookie management, multifactor authentication, password recovery and security token management correctly, to name a few.
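The two-stage validation and the output encoding described above, as an added example that is not part of the original article. The form fields (username, e-mail, note, delivery date) and their rules are assumptions for illustration; the point is that syntactic checks, semantic checks and HTML escaping are three separate steps, and escaping happens at the point of output.

```python
import html
import re
from datetime import date
# Constructed example: a "customer note" form with a username, a contact
# e-mail and a delivery date. The field rules are assumptions for illustration.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

class ValidationError(ValueError):
    pass

def validate_syntax(form: dict) -> dict:
    """Syntactic checks: type, length and allowed character set of each field."""
    username = str(form.get("username", ""))
    email = str(form.get("email", ""))
    note = str(form.get("note", ""))
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: need 3-32 chars of [A-Za-z0-9_.-]")
    if not EMAIL_RE.fullmatch(email):
        raise ValidationError("email: not a plausible address")
    if len(note) > 500:
        raise ValidationError("note: longer than 500 characters")
    try:
        delivery = date.fromisoformat(str(form.get("delivery", "")))
    except ValueError:
        raise ValidationError("delivery: expected YYYY-MM-DD") from None
    return {"username": username, "email": email, "note": note, "delivery": delivery}

def validate_semantics(clean: dict, today: date) -> dict:
    """Semantic checks: well-formed values that still make no business sense."""
    if clean["delivery"] < today:
        raise ValidationError("delivery: date is in the past")
    if (clean["delivery"] - today).days > 365:
        raise ValidationError("delivery: more than a year ahead")
    return clean

def render_note(clean: dict) -> str:
    """Output encoding: escape for the HTML context at the point of output,
    so a note containing '<script>' is displayed as text, never interpreted."""
    return (f"<p><b>{html.escape(clean['username'])}</b> "
            f"({html.escape(clean['email'])}): {html.escape(clean['note'])}</p>")

def process(form: dict, today_iso: str) -> tuple:
    """Validate, then encode. Returns (True, html) or (False, reason)."""
    try:
        clean = validate_semantics(validate_syntax(form), date.fromisoformat(today_iso))
    except ValidationError as exc:
        return False, str(exc)
    return True, render_note(clean)
```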
When authorising user requests, we need to use access-control methods: Attribute-Based Access Control, Mandatory Access Control, Role-Based Access Control or Discretionary Access Control. Extra protection is required for sensitive data, so it must be encrypted both in transit and at rest in secure data storage.
Regular manual code reviews and code scanning must be performed to ensure security is dealt with. Static code analysis is required to spot access violations, mathematical errors, memory leaks, array overruns and endless loops. Requirement-based testing is of the utmost importance and should never be compromised. Team members must abide by the required security habits and the basic data protection measures at their respective team level.
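An added illustration (not code from the article) of how two of the models named above combine when a request is authorised: a role check (RBAC) decides whether the subject may perform the action at all, and attribute rules (ABAC, with a MAC-style clearance level) decide whether it may do so on this particular resource. The roles, attributes and rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: the roles, attributes and resource fields are
# assumptions for illustration, not taken from the article.
ROLE_PERMISSIONS = {  # RBAC: role -> actions the role may perform
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    department: str
    clearance: int        # MAC-style level: must be >= resource classification

@dataclass(frozen=True)
class Resource:
    owner: str
    department: str
    classification: int   # higher means more sensitive

def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: permitted if any of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)

def abac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    """ABAC: attribute rules evaluated on top of the role check."""
    if subject.clearance < resource.classification:
        return False                           # never access above clearance
    if action == "delete":
        return subject.user == resource.owner  # only the owner may delete
    return (subject.department == resource.department
            or subject.user == resource.owner)

def authorise(subject: Subject, action: str, resource: Resource) -> bool:
    """Deny by default: the request passes only if both checks allow it."""
    return rbac_allows(subject, action) and abac_allows(subject, action, resource)
```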
Testing and bug fixing
A rigorous, dedicated QA (Quality Analysis) effort is required to create test plans and scenarios that discover and exercise application errors. Consistent and continuous QA testing and bug-fixing documentation are critical. Different testing approaches or alternative methods are used to ensure the highest code quality.
Release and Maintenance
There is a constant requirement to improve software security features to keep up with ever-evolving security requirements. Logging must be enabled to spot incidents, to measure response times, and to keep track of any unusual software behaviour before it evolves into a data breach.
Security checks and diagnostics must occur regularly, to ensure data and security integrity. Exception handling is a crucial requirement to maintain system sustainability.
End of life
At this stage the project and its software are no longer supported by their providers. All data must be protected, retained or destroyed, depending on the client's requirements.
Maintaining a secure SDLC requires rigorous configuration of server settings and technical software/coding details so that no software, virtual machines, server folders, files, databases, or other confidential software objects are freely accessible from the outside world. This process has to consider the whole chain of events, including the middleware involved in the development cycle, to ensure that no data breaches occur.
When the security practices mentioned above are applied throughout the SDLC, your risk will be mitigated and significantly reduced.
Together we can prevent data breaches and enhance SDLC security by following these guidelines.
Practice Lead: Automation & Integration