Why should you invest in developing secure applications?
It would be great if we didn’t need antivirus software, which consumes our processing power; if we didn’t need expensive firewalls to protect our infrastructure; and if we didn’t have to choose between security and a better user experience. Everything would be much simpler.
However, our reality is different. For various reasons, it is common for someone to want to harm or take advantage of our applications. Just as the motivations are diverse – be it selling information, gaining a reputation, or even personal revenge – so are the types of attacks.
Therefore, we need to invest in developing secure applications to protect our business against the myriad of everyday threats. Now, how do we put the “S” in our development cycle?
Speaking of software design, we inherited the classic waterfall model. Therefore, there is a paradigm that secure development is nothing more than adding a security step to the project. Is this what it really means? No.
We need to break with the paradigm that security is a project phase. Treating it that way is inefficient: it generates rework, and the risk remains high because of deadlines and the like.
How to do secure development the right way?
When we talk about secure development best practices, we’re talking about applying security across the entire development stream. Just as having quality software is not the responsibility of a single area (for example, QA), having secure software is the responsibility of everyone involved in the project.
Let’s see how the development cycle looks with security at each stage. The good news is that we are not alone on this journey: at each stage we will have references to delve into the subject.
Without knowledge we have no change. Therefore, the first step is to promote training on security issues for the project team. With that knowledge, the secure development journey has solid foundations. One successful, and therefore widely used, training strategy is the implementation of a Security Champion program. Be sure to read more about the advantages of investing in AppSec training.
In the step of raising functional and non-functional application requirements, it is also necessary to obtain the security requirements, thus enriching the use cases with a security bias. A checklist that can help with security requirements is the ASVS (OWASP Application Security Verification Standard).
Design the application with a secure architecture. Raise possible threats and implement appropriate protections. In this sense, threat analysis (Threat Modeling) is a very useful practice for bringing security to the left of the development cycle, the concept known as Shift-Left.
Write secure code. But secure against what? It is important to know the vulnerabilities through which our applications can be attacked. The OWASP Top Ten is a list of the most critical vulnerabilities found in web applications, and by knowing them we are able to protect ourselves from them. Another source to consider is the Cheat Sheet Series, which collects best practices, including for some specific technologies.
The application can be tested manually. In this case, we are talking about code review and pentest, the penetration test, which can be white, gray or black box. While code review analyzes the application’s source code to check best practices, a pentest validates the developed application by attempting to exploit any possible security holes. We can also do automated tests. Today we have static code analysis (SAST), dynamic application analysis (DAST) and a third form of testing that is interactive, IAST.
Vulnerability management, SAST and DAST tools
Security tests applying pipeline
More about AppSec
To assist in the secure development journey, we can also count on the following references:
OWASP Proactive Controls has ten controls that we can implement to make our software product more secure against various vulnerabilities.
ISO/IEC 27001 provides a model for improving a Security Management System; its control A.14 contains standards to be implemented in the development cycle.
NIST, the National Institute of Standards and Technology, presents a framework for mitigating cybersecurity risks.
What can we conclude about securely developing applications?
It is important to develop with security so that our business is not harmed by the series of threats that make up our reality on the web today. AppSec is a culture, so it takes time to transform employees’ mindsets.
There is no magic solution, but for each stage in the development cycle, it is possible to bring the best security practices to deliver more robust applications that hinder intrusions and data leakage, as well as systemic unavailability.
For over 13 years, Conviso has been helping companies implement secure development programs. For this, it relies on the Conviso Platform, which supports all phases of secure development.