12/08/20 | Security
“Secure by Design” – Weaving security into the development process
Developers creating software and applications for today’s businesses have a wide range of things to consider – from responsive design and accessibility, through to security. Add in cost and time constraints, and it’s easy to see why sometimes security can be overlooked or outright ignored until the end of the project.
“It can be hard to prioritise security when everything seems to be working fine and the business wants you to be delivering flash new features,” says Nick Malcolm, a former software developer and Senior Security Consultant for Aura Information Security.
Yet with security breaches increasing in number and severity, particularly in New Zealand and Australia, it’s more important than ever for security to take centre stage in the development process.
“Any organisation is vulnerable to a breach, large or small, public or private – and the risk is not just related to the work of malicious attackers either! We can inadvertently make mistakes which cause security incidents. That’s why developers need to think about security early on, and throughout the project.”
Cyber criminals will take any opportunity to extract login credentials, credit card information and personal details – that’s why it’s important to protect your users and their data by preventing vulnerabilities from being introduced and then proactively identifying and responding to incidents if they happen. The best way to do that, says Nick, is to embed security into the development process early on.
“If you are leaving security till a security test at the end of a project, it’s often much harder to fix those vulnerabilities or flaws. In some cases, you may need to spend a significant amount of time rewriting code, which just adds more delays and unnecessary workloads.”
Taking a Secure by Design Approach
Nick says one of the best ways for development teams to bring security into focus early on is to utilise a “Secure by Design” approach – something he has seen used successfully with many of Aura’s development team clients.
“Secure by Design sees a security expert embedded into one or more development teams, to help ensure security considerations are factored in throughout the project.”
Nick adds that this method also aims to upskill all members of the development team as the project progresses.
“The aim is that eventually teams will become security self-sufficient, learning by example to develop their own best practice.”
A core part of the work Nick does alongside developers is implementing pragmatic initiatives like threat modelling, peer code reviews, advising on security tests, providing input on architectural decisions, and improving deployment pipelines.
“We also advocate on the team’s behalf to the wider business so that they understand why investing in security is an important part of delivering value to customers,” says Nick.
So, what advice does Nick have for developers looking to improve their own security practice? Here are three great places he thinks development teams can start.
- Get familiar with the “OWASP Top 10 Proactive Controls”
“Many developers are familiar with the OWASP Top 10 Risks, but OWASP also shares ten ways to proactively spot and avoid security issues. These are the foundational building blocks of a secure application and should be part of any project.”
- Automate security tests and checks wherever possible
“Automating security-specific tests will help prevent you and others from deploying vulnerable code, now or in the future. Remember not to just test the ‘positive cases’, where things are expected to work, but make sure that the ‘negative cases’ return the correct errors too.”
- Repeat the mantra – “What are we building, what could go wrong, and what are we going to do about that?”
“It sounds basic, but by getting into the habit of thinking through the security risks and building your software to avoid them, eventually it’ll be ingrained. You’ll be saving yourself, your team and your client from having to spend extra time and effort fixing security bugs or responding to incidents.”
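The second point above, automated tests that cover the negative cases as well as the positive one, can look like the following. This is an added example, not code from the article or from Aura; the `get_invoice` handler, its status codes, the session tokens and the invoice data are all assumptions constructed for illustration.

```python
# Illustrative only: a hypothetical handler plus the security tests that guard it.
# All names and data below are constructed for this example.

INVOICES = {  # constructed sample data: invoice id -> owner and amount
    101: {"owner": "alice", "amount": 250},
    102: {"owner": "bob", "amount": 90},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session tokens


def get_invoice(token, invoice_id):
    """Return (status, body). Rejects by default; only the owner gets the data."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "authentication required"}
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(invoice_id, bool) or not isinstance(invoice_id, int) or invoice_id <= 0:
        return 400, {"error": "invalid invoice id"}
    invoice = INVOICES.get(invoice_id)
    # Same response for "missing" and "not yours", so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {"id": invoice_id, "amount": invoice["amount"]}


def run_security_tests():
    """Run positive and negative cases; return the list of failures (empty = pass)."""
    cases = [
        # (description, token, invoice_id, expected_status)
        ("owner reads own invoice", "tok-alice", 101, 200),
        ("no token", None, 101, 401),
        ("unknown token", "tok-forged", 101, 401),
        ("other user's invoice", "tok-bob", 101, 404),
        ("nonexistent invoice", "tok-alice", 999, 404),
        ("non-integer id", "tok-alice", "abc", 400),
        ("negative id", "tok-alice", -1, 400),
    ]
    failures = []
    for description, token, invoice_id, expected in cases:
        status, body = get_invoice(token, invoice_id)
        if status != expected:
            failures.append((description, expected, status))
        # A rejected request must never carry invoice data in its body.
        if status != 200 and "amount" in body:
            failures.append((description, "no data leak", body))
    return failures


if __name__ == "__main__":
    print(run_security_tests() or "all security tests passed")
```

Run in a deployment pipeline, a non-empty failure list would block the release, so a later change that weakens the ownership check is caught before it ships.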