Logo Header Menu

What to know about software development security — why it’s still so hard and how to tackle it

Rod Cope, CTO at Perforce Software, explores why software development security is such a challenge and what organisations can do to improve it What to know about software development security right now image

The right software security practices can prevent many future security problems, and there is an increasingly realisation that software development security needs a cradle-to-grave approach, not just focusing on solving problems once they become apparent.

There is still a long way to go and no-one can claim this is easy to address: the increasing complexity of modern software development environments, not to mention the sheer volume of code and other digital assets being created, often in continuous, fast-paced environments, exacerbates the challenge.

Also, security has traditionally not been hard-baked into the mindsets of developers, who are focused on creating beautiful code. That is changing, with DevOps becoming endemic, bringing in its wake DevSecOps and a realisation that software needs monitoring at every stage, together with the ‘Shift Left’ movement — where developers take on responsibility for tests at an early stage.

However, keeping up with all that effort requires more automation, with testing and code inspection tools that carry out as much of the work as possible in background mode. Software developers do not have the time – and probably not the inclination — to become testing experts.

Does software quality equal software security? It depends

Software quality and security assurance both concern risk to the organisation, but they do so for different reasons. Read here

Sorting through the noise

There are some caveats here: automation is great, but not if it just creates a huge volume of test data noise. What matters is to focus on the tests that will have a real business impact and to combined automated continuous testing with smart analytics. We are beginning to see machine-learning being built into automated testing tools and while it is early days, it is going to make a big difference in the future.

Some markets — particularly compliance-driven or safety-critical — are also adopting coding standards, guidelines that give developers confidence they are building safe, secure and compliant code.

Coding standards are particularly relevant for some of the more complex programming languages — C++ in particular — which while introducing unprecedented scope for innovation and flexibility, also allow for more interpretation, which can lead even the most skilled developer to inadvertently introduce an error. Again, automation is key, especially for huge codebases and complicated embedded software projects, so static code analysis is increasingly introduced to reduce manual effort and associated risks.

IBM says automation is the next big step in cyber security

The fourth IBM cyber security survey has revealed how unprepared companies are for a cyber attack. How can they remedy this? Read here

Open source security

Open source is just software and therefore has security issues and bugs just like proprietary software. For example, OpenSSL is perhaps the most used open source security software in the world, yet still occasionally has critical issues. This means careful management and support is a necessity for open-source, not just a nice-to-have. Another example is Git, the widely-used version control tool, but enterprises have more sophisticated security requirements than the open source community designed into this developer-focused tool.

Another factor to consider is that open source is low-cost to acquire and often bypasses procurement, so therefore flies under the radar. Organisations need to find ways to ensure that Git and other open source software complies with company security policies.

However, successful open source services (OSS) policies require more diversity in expertise, the costs of keeping up may tempt corners to be cut, all of which contributes to potential security issues. To deal with this, there is a growth of OSS providers, but choose wisely: inconsistent SLAs across different components in the stack, lack of clarity around responsibilities, and too many vendors involved, or not being able to adapt fast enough to the latest technology introductions.

The comprehensive IT security guide for CIOs and CTOs

Information Age’s IT security guide for CIOs, covering everything from how to implement an effective cyber security strategy to how to respond to the security skills crisis. Read here

Application security

When it comes to securing applications, consider threat modelling, a process that identifies but also prioritises potential threats from an attacker’s perspective. Questions to ask might include: what kind of data would an attacker be seeking? One popular threat model is STRIDE, which can be used in tandem with the DREAD risk assessment framework: this helps work out how likely is the threat to happen, the threat’s potential consequences, and whether the risk can be tolerated.

For web applications, the Open Web Application Security Project Foundation, has published its top 10 list of the most common and critical security risks and this is an excellent reference source. Each threat is ranked by its agents, exploitability, prevalence, detectability, technical impact, and business impact.

The top 10 OWASP help with API security, too. There is a shifting emphasis towards securing them at every part of the lifecycle, starting with the development stage. Once an API is published and a problem arises, there is little or even no time to take remedial action. In the same way that any new website is likely to get multiple attacks within launch, the same applies to APIs.

How can organisations take advantage of the API economy?

The API economy is growing rapidly. How can organisations take advantage of it — both internally and externally — to break down silos and accelerate innovation? Read here

Improving API software development has to start with culture; people need to be aware of their roles in mitigating risk and prioritising security. This applies to both internal and external contributors (who may have little development expertise — anyone can build APIs). Putting in place processes that can be automatically and consistently enforced across all current and future APIs helps enforce good security practice, as will an API gateway (but choose one that supports multiple API types).

There are some recurring themes here: getting the right cultural attitude in place, automating as much as possible, and having sight of the bigger picture. That last point is an important one: visibility into other people’s work and their impact in a development project goes a long way towards better security.

Software is becoming more complex, with bigger codebase and types of asset: the security threat landscape will grow too, so taking a multi-faceted approach to a more secure development environment needs to be prioritised.

Written by Rod Cope, CTO, Perforce Software

Sign up for Information Age Newsletters

Latest news

divider
Releases & Updates
M&A value in enterprise software stays high, despite activity cooling down

M&A value in enterprise software stays high, despite activity cooling down

4 February 2020 / According to Hampleton‘s M&A market report 1H 2020 for Enterprise Software, trailing 30 month median [...]

divider
Automation
7 key RPA trends for 2020: from AI enabler to more strategic scaling

7 key RPA trends for 2020: from AI enabler to more strategic scaling

4 February 2020 / What are the key RPA trends for 2020? 1. Greater RPA vendor differentiation insights will [...]

divider
Cybersecurity
Microsoft Teams experiences outage due to outdated certificate

Microsoft Teams experiences outage due to outdated certificate

4 February 2020 / Users of Microsoft Teams went without the program for almost three hours before Microsoft eventually [...]

divider
Releases & Updates
Micro Focus chairman steps down after 15 years at the helm

Micro Focus chairman steps down after 15 years at the helm

4 February 2020 / The Micro Focus chairman, Kevin Loosemore, has announced that he will be stepping down. Loosemore [...]

divider
Releases & Updates
Attacks on web applications up by 52%, says SonicWall report

Attacks on web applications up by 52%, says SonicWall report

4 February 2020 / Over 40 million attacks on web applications were detected and addressed in SonicWall‘s 2020 Annual [...]

divider
Major Contracts
RWE AG selects Avanade to establish new Microsoft infrastructure

RWE AG selects Avanade to establish new Microsoft infrastructure

4 February 2020 / The new Avanade infrastructure about to be leveraged by RWE AG will be based on [...]

divider
Business & Strategy
Moving Yammer to the cloud: building a scalable and secure service mesh

Moving Yammer to the cloud: building a scalable and secure service mesh

4 February 2020 / At HAProxyConf 2019, Tobias Haag, software engineering lead from Yammer at Microsoft, presented a talk [...]

divider
Releases & Updates
Tech market growth rate in UK to fall below zero, predicts Forrester

Tech market growth rate in UK to fall below zero, predicts Forrester

3 February 2020 / This would mean that the UK will be one of four countries with a negative [...]

divider
People Moves
James Murray joins Workfront as EMEA managing director

James Murray joins Workfront as EMEA managing director

3 February 2020 / James Murray has been appointed the vice president and EMEA managing director of Workfront, the [...]

Do NOT follow this link or you will be banned from the site!

Pin It on Pinterest