Best Practices for secure Software Development

By

image : OpenSense Labs
Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software. 

Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage.

Every new feature added, may carry series of vulnerabilities for hackers to exploit. Therefore,  security is an important element in the software engineering process. Secure software development emphathises  employing of static and dynamic security testing throughout the software development life cycle. This requires in including security testing procedures along with software functionality testing in specification, design, development, testing,  implementation and maintenance.

An organization needs to establish a secure software development policy, providing applicable practices to follow to reduce the risks  during software development. This policy needs to provide detailed guidelines and procedures for each of the phases in the SDLC.

The development team members need to clearly understand their duties, receive training, and undergo screening. 

The software development process need to segregate duties to ensure that no one person has total control of a project. 

Measures to be taken to protect the software, by seperating development, testing and operational environments to prevent test bias and unauthorized code modifications. 

The access controls to the software development process, need to ensure principal of minimal previlages. The employees should only given access to their job-relevant data. The higher previleged user access should be monitored and reviewed on zero trust policy. 

The code must be stored and managed in secure repositories. A good version controlling system need to track all sources and times of code alteration.

Coding languages, as well as third party components can contain many vulnerabilities. Therefore, secure software development policy should create the governing rules for programming languages and secure coding techniques. This is aimed to reduce  attack routes. 

Organisations must implement a secure development policy by complying to SOC 2 T or ISO 27001 standards. 

The risk senarios may be specific to your organization, hence a threat modelling approach should be used for secure software development.  

Train your software engineering team to be aware of common threats and vulnerabilities, and have a check list to monitor your policies and procedures. 

NIST’s Secure Software Development Framework (SSDF), OWASP and SAFEcode frameworks help establishing a consistent SSDLC  to reduce the number of vulnerabilities in software releases.

NIST framework recommend secure software development into four stages:

Prepare the Organization (PO): 

Ensure that people, processes, and technology of your organization are  prepared to perform secure software development in each individual project.

Protect the software (PS): 

Protect all components of the software from tampering and unauthorized access. This includes fresh code, libraries and third party components.

Produce Well-secured Software (PW): 

Ensure that software released  has minimal vulnerabilities. 

Respond to Vulnerabilities (RV):

Identify vulnerabilities early in software and respond promptly, and ensure to prevent similar vulnerabilities from occurring in the future.

Document your practices:

Brief statement of the practice, with a unique identifier and an explanation of why it is important.

Task: List individual actions needed to accomplish the practice.

Implementation Example: provide a scenario where the practice could be demonstrated.

Reference: map the practice to a particular task.

Software development best practices.

1. Think security from the beginning

Before creating a single line of code, begin planning how you will integrate security into every phase of the SDLC. Use automated testing and monitoring of vulnerabilities from day one. Your culture of coding should  follow security first approach. Never leave any bug to fixed tomorrow.

2. Create a secure software development policy

Provide clear guidelines for preparing your people, processes, and technology to perform secure software development. 

3. Follow a secure software development framework

Use a  proven framework like NIST SSDF to add structure and consistency to your software development best practices. 

4. Design software to meet security requirements

Always evaluate your software design approaches with threat models. 

Clearly define all security requirements, and train developers to write code in alignment with these requirements.  Do not create opportunities to attacks through your software.

5. Protect code integrity

Keep all code in secure repositories. Only allow authorized access to prevent code tampering. Regulate access, monitor changes, and closely oversee the code signing process to preserve integrity.

6. Review and test code early and often

Examine your code with automated testing and developer reviews.  Detecting vulnerabilities early will save you from costly bug fixing, and time.

7. Mitigate vulnerabilities fast

Vulnerabilities are inherent in software development life cycle. Plan to address incidents in real-time. Faster you identify and respond to vulnerabilities, shorter the time available to hackers to exploit your vulnerabilities.

8. Configure secure default settings

Configure default settings for higher security levels. 

9. Use security checklists

Create a check list for security testing and test them at periodic intervals, and record results.  

10. Be proactive

Study vulnerabilities to learn their root causes to prevent repeatitive occurrences. Document your findings and learned lessons. 

Niranjan Meegammana 


Comments

  1. brightrockJanuary 24, 2023 at 4:30 PM

    Thanks for the informative post! I have been looking for information on formation iso 27001 andthis has helped me understand it better. Thank you!

    ReplyDelete

Post a Comment

Popular posts from this blog

The 7 Layers of Cyber Security : Attacks on OSI model

By
Image
Source : wallarm The OSI network  communications model is made of  7 layers. Each layer  handles a specific process to enable reliable communication between two or more devices. When the Internet was designed, its focus was on ensuring of reliable communications. The challenges of communication security emerged later.  These 7 layers act like a chain of links. If one lnk breaks, the whole chain of communication breaks. Hence security threat can happen at any of the 7 layers.  These layers are named as Application, Presentation, Session, Transport, Network, Data link and Physical layer. The application layer is your email application, physical layer is your communication cable, and everything else is in between help you communicate. In abstract the application layer provides user interface, while presentation layer handle formating, encoding and encryption. The session layer manages connections. The transport layer handles segmentation, sequencing, and establishi...
Read more

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much th...
Read more