You have carefully carved out the project plan for your next development project. You hired the best talent available to write the code. Every i is dotted, every t is crossed…down to project managers, unit testers, and go-live scenarios. Unfortunately, hackers, crackers, and attackers were also honing their craft all that while—some for sport, many for profit.
Expertly crafted software can still be vulnerable to security threats, regardless of platform. Consider these five steps your ounce of prevention (versus the pound of cure that would be required in the event of an exploit).
1. Identify Application Security Weak Points
Often your development team comes to you without subject-matter expertise: no one knows your business like you do. Walk through your project plan with your developers and make note of areas where data is stored and calculations are made.
Places in your software requiring the entry of a password or credit card are obvious areas of concern. Hackers are also interested in demographic data (like an address or telephone number), however, so other access points must be considered.
Think of it in these simplified terms: a skilled developer can create a beautiful and functional door for your customers to walk through (proverbially), but they may not know you need it to have a deadbolt. Do not make assumptions. What seems obvious to you may not be as clear to others.
2. Clearly Assign Application Security Responsibilities
Protect against every possible excuse before it is used to explain a lack of security. (A few common favorites include: he said/she said; I thought so-in-so was looking after that; I didn’t know who to ask; and I thought we were reviewing that later.) Identify a security champion for your team, and make sure that person knows who to approach for answers regarding workflow and impact assessment.
This champion can often multitask and serve simultaneously as project manager or lead developer, but ultimately caring about the security of your application needs ownership as much as due care and attention.
3. Establish Secure Coding Practices and Standards
By making security concerns and considerations an integral part of your application development process, you can often prevent costly code re-writes and delays toward the end of your project.
There are good rules of thumb that most developers try to follow, like properly scoping variables and limiting access to backend databases, but there is more to it. In almost all cases, there are multiple ways to handle actions within an application. Adopting your own set of best practices means that choices made behind the scenes are consistent (which is especially important if you find out years later that one method introduces risks that others do not).
Getting started is simple, thanks to groups like the Open Web Application Security Project (OWASP). Begin by reviewing their OWASP Secure Coding Practices Quick Reference Guide, which offers a glossary of terms and a comprehensive checklist of secure coding practices.
While OWASP focuses primarily on web-based applications, the same software security principles apply to all development projects. For an even broader strategy, look to other respected organizations willing to share their guidelines, like the University of California – Berkeley, which makes its Secure Coding Practice Guidelines publicly available.
4. Engage Application Security Expert Assistance
Even the most conscientious development team is going to miss a thing or two. And it’s very difficult to design effective, end-to-end security checks for entire applications. Factor in the reality that more exploits and weaknesses are being identified all the time, and it becomes overwhelming to keep track of everything.
This is where third-party analysis tools really shine. With so many analysis tools available, it makes sense to engage the experts at CodeDx. By combining a broad range of tools into a single set and normalizing the results in a way that makes real-world sense (organized by severity with overlaps removed), your team can focus on prioritizing and inoculating your code rather than spinning wheels (and losing patience) deciphering vulnerability reports.
5. Revisit and Review Your Application’s Security Profile
Your weaknesses were identified and fixed. Your code is deployed and project launched. You are done…for now. Maintaining the security of your application remains your responsibility and concern, particularly with every bug fix, product enhancement, or software upgrade.
Be sure to run regular reviews of your application’s vulnerabilities. Consider running scans annually in advance of budget discussions, in case preparations and resource allocations need to be made.
More often than not, application development projects are behind schedule and over budget before they even begin—a phenomenon that inspires the common ‘wait for a problem and fix it on the fly’ mentality. Keeping your fingers crossed may be one approach, but taking good care of your customer’s property and your reputation with application security best practices is priceless.