Insecure by Design
With last year's pandemic, we observed many organisations needing to quickly adjust to providing enhanced online shopping facilities for their customers. The problem with doing this so rapidly (to ensure that they could continue to serve their customer base) is that priority was likely to be on functionality and the customer experience.
Frequently, software developers are regarded as something of an enigma in business, creating magic experiences through their written code. However, that is until their magical code contains hidden vulnerabilities, that are picked out by the cyber criminals.
Something that software developers are very good at is aesthetics, functionality and enhancing the customer experience. However, something that is somewhat lacking and foreign to them is the concept of 'Secure by Design'.
This may not be the software developers' fault!
If you look at the content of the majority of software developers courses, there is very little inclusion of the 'Secure by Design' requirement. Ask any newly qualified software developer on how much of their training had a focus on the threats, risks and securing their software development practices and I would be surprised to hear if they had received more than 2 weeks training on the subject.
Keep Calm and Let It Go
You might be thinking that compromised software is just an accepted part of having an online presence and that both businesses and consumers need to just accept this.
This is just wrong!
Would you find it acceptable to go into a shop and to be mugged?
No, you wouldn't!
In a physical store, 'Secure by Design' practices are applied during the design phase of the store:
Lockable display cabinets
Much the same as a physical store would not open for business without having identified the threats, vulnerabilities and impacts, to ensure that appropriate security measures have been applied, to reduce the risk to within acceptable tolerances, the same should be considered as normal business practices.
Secure by Design
In a physical store, you would not expect the shopfitters or architects to only be focused of the functionality of the store, without any consideration for the security requirements.
As identified in NIST's recent white paper (Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)), the modern online business should consider the benefits embedding security into the design, creation and maintenance of their software and applications.
Example of SSLC frameworks
Reducing the Attack Surface
If you think of today's cyber criminals as being like vultures. They are opportunists, who constantly fly around cyberspace, looking to identify the most vulnerable businesses.
Poor software development practices have become a lucrative target for these criminals, allowing them to gorge themselves on those who fail to identify those embedded exploits, which are introduced into the live environments.
By adopting and aligning to a suitable SSDLC framework, you will ensure that the talents of your software development team are enhanced so that functionality is balanced with security. This will ensure the longevity of your digital presence and the protection of your consumers/customers sensitive data, and as a result their trust.
Most software development life cycle (SDLC) models fail to explicitly address software security in detail and, as a result, many software development teams are focused on the functionality of their software development activities and have not received sufficient exposure and training on the 'Secure by Design' practices.
The adoption of a core set of high-level secure software development practices called a secure software development framework (SSDF), integrated within each of your SDLC implementations will help to facilitate communications about secure software development practices amongst your business owners, software developers, project managers and leads, and cybersecurity professionals.
The adoption of effective SSDLC practices can help to ensure that software producers:
Reduce the number of vulnerabilities in released software,
Mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and
Address the root causes of vulnerabilities to prevent future recurrences.