Improve software quality by paying early attention to application security
Enterprises are taking a number of strategies to keep security on pace with faster development cycles. These include earlier code reviews, leveraging PaaS with built-in security, and using cloud services for static and dynamic security analysis.
Leading enterprises are beginning to leverage secure coding practices and tools to address security concerns earlier in the software development lifecycle. "There are fewer security issues with organizations that incorporate secure coding early in the lifecycle," said David Lingenfelter, Information Security Officer at MaaS360 by Fiberlink.
Development and deployment happen so quickly with most cloud offerings that if security is not incorporated at the beginning of the development lifecycle, the code is released and security testing continues, finding issues that then need to be fixed. "This leads to the second major difference, with companies that don't incorporate secure coding practices having to release more security code fixes than product enhancement code changes".
Implementing secure code reviews
One good practice is to execute secure code reviews from the beginning. This can help to mitigate some of the threats of new vulnerabilities, whether it's with sanitizing data or validating input. This can also help the development team establish an appropriate set of secure coding practices that helps to minimize exposure points. In addition, with a secure coding practice, the discovery and review of new vulnerabilities is not going to be an afterthought.
Cloud applications and services are extremely competitive and the nature of the cloud is to be able to change and adapt quickly. This requires making changes to the cloud service quickly to stay on par or one step ahead of the competition. "One big challenge is that the nature of security is that of increased overhead, as it adds to the development cycle", said Lingenfelter.
This can be a bigger challenge in established enterprises. Integrating security after the project has been started, and possibly even in production, is extremely disruptive. This is because initially there could be a lot of findings that need to be fixed, not just in the code, but in the process in general. Management buy-in is required to address the realization that adding security to the development lifecycle will add some bumps in the process. It may slow down or stretch out some of the elevation cycles. Don't try to implement all security practices at once, but phase them in over time.
Outsourcing security to a PaaS
"Even if you get developers to take it seriously, what are the first things that get pushed later in the cycle if you are crushed by deadlines?" asked Sean Allen, Director of Product Strategy at OutSystems, a PaaS provider. "If it isn't simply in the routine, it gets skipped because you either don't have time, don't think it is serious, or don't want to be distracted by criminally 'unfun' wastes of your talent."
One approach is to consider adopting the right rapid app delivery platform. This helps meet deadlines and can handle most of the mundane aspects of creating secure apps. Modern RAD platforms automatically weave security into the apps that are created.
"With the right secure cloud-based RAD platform offered as a PaaS, you set yourself up for ultimate success," argued Allen. "Not only are you starting with a secure foundation, but the applications that you create have security contemplated from the beginning."
Using code analysis in the cloud
Until recently, organizations wanting to secure their applications had to buy expensive software packages and install them in-house. "Today, things like static code analysis, dynamic code analysis and web application security testing are available as on-demand services through the cloud", said Brian Russell, an engineer who focuses on cyber-security solutions for Leidos, a national security, health and engineering solutions company. He also leads the Cloud Security Alliance's Secure Internet of Things initiative.
Traditional software assurance vendors such as IBM and HP offer this service through their AppScan and Fortify product lines, respectively. There are also newer options using crowd-sourced experts that review code and provide reports on bugs that were found. BugCrowd is a great example of this. "These services mean that organizations can effectively outsource these critical security functions, although it's important to point out that maintaining in-house secure software development expertise is still required," explained Russell.
Different activities across the SDLC
A good practice is to map security activities to each stage in the cycle, suggested Russell. In the software design phase, make sure to perform threat modeling to identify the high value areas of code, understand the data flows, and gain an understanding of how someone might misuse the application.
In the development phase, make use of secure development best practices such as code security reviews. "It's also good to adopt practices like pair programming, which offer both functional and security benefits, especially if there has been an investment in training developers on secure coding practices," added Russell.
As new code is moved into the integration phase, make use of continuous integration (CI) software to integrate code and test for security bugs on a regular basis. This is a good point in the SDLC for the use of cloud-based software assurance services, many of which interface directly into the CI environment. There are also services such as those provided by Veracode that perform static analysis on binaries versus having to provide the full code-base. As web applications are deployed, continue to use cloud-based services that regularly scan for vulnerabilities in the running software.
"Security infrastructure that goes along with the software shouldn't be bolted on at the end," Russell cautioned. "Network firewalls, web application firewalls and identity management systems should be part of design from the initial architecture and implementation." Traditionally it has been difficult to deploy this security infrastructure in development environments due to the cost involved with these security appliances.
Security vendors are starting to move away from the high capital cost of a security appliance towards rapidly deployable and flexibly priced virtual security appliances. This allows security to be part of the development process from day one in the cloud. As the developers write the software and build out the system, the virtual security rings are already in place as virtual security appliances. "Be sure to work with security vendors that support a true, dynamic cloud environment where security infrastructure can seamlessly and affordably be stood up to support the full software development lifecycle," Russell advised.