Tips for Developers on Getting Software Security Right

Software security starts before deployment

Every few weeks we hear about breaches into company servers like the recent Equifax debacle. Millions of people had personal data stolen. The credit scoring company took a big hit on its credibility. This makes it clear that developers must change attitudes on security in software development.

“But, this all comes back to sound security development coding practices, active application scanning and testing, and integrating security into the engineering and development processes to make web applications more resilient,” Viewpost’s Chief Security Officer Chris Pierson said in an article by the CyberWire.

Today’s developer has to be mindful of many more issues that affect software security. At the same time, the need for regulatory compliance adds urgency to getting it right.

But what is software security? Unlike application security, software security is proactive and starts before deployment, according to Gary McGraw, a leader in information security. Monika Charbrotay of Synopsys wrote that “security must be built into all phases of the software development lifecycle (SDLC).”

No matter what other measures they take, every software company needs a dedicated security team to review code. Automated scanning tools that point out security issues get more use these days, and most software product teams run security scans as part of the process. As part of the development life cycle, the build pipeline can be configured to run certain types of security scans whenever new code is committed.

We all have the same goal: catch anything before it gets to the customers. That puts code review on the front burner. At this point, the security team starts with known issues. They use manual and automated testing methods.

This only works if the team keeps up to date on emerging security issues. Make checking the OWASP site for the latest standards and security problems a regular part of the software product team’s work.

Among the many resources created by OWASP are three key guides:

The Development Guide includes hundreds of articles about the major security issues encountered when designing or building a secure web application or web service.

The Testing Guide has articles about performing security penetration testing on web applications and web services.

The Code Review Guide covers the same vulnerabilities and security mechanisms as the Testing Guide, but it also provides guidance to help you find the problems in the source code.

Third Party Software Security Issues

But it’s not only your own code that creates the potential for problems. Any developer using third party libraries needs to know what security issues those may present. And isn’t that every developer, if we’re talking about third-party libraries? Your code may be secure, but adding these libraries may add vulnerabilities to the application.

The security risks don’t end with the creation of the application. Take care during deployment with the application’s configuration, where other issues lurk. Software product teams need to follow best practices for database software, web application software and server software. So now that your customer has completed deployment of your software, your part in its security is over, right? Nope. Every time your team updates your software, you need to follow the same steps. Review the code, scan it for security issues and make sure it doesn’t introduce new problems. And check that your updates don’t create new security problems in deployment.
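The two points above (third-party libraries bring their own vulnerabilities, and every update needs the same scan) are the kind of thing a pipeline check can enforce on each commit. The script below is an added example, not code from the original post or from Izenda: it reads a pinned requirements file, compares each pin against a list of advisories with introduced/fixed version ranges, and reports the matches. The package names, versions and advisories are constructed for the example; in practice the advisory list would come from a vulnerability database feed.

```python
"""Check pinned third-party dependencies against known-vulnerable version
ranges. All package names, versions and advisories here are CONSTRUCTED
sample data for illustration; a real pipeline would load advisories from a
vulnerability database and the lock file from the repository.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet
    summary: str


# Constructed advisories for hypothetical packages.
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "unsafe deserialization (constructed)"),
    Advisory("fastjson-py", "0.0.0", "2.1.0", "input validation bypass (constructed)"),
    Advisory("legacy-crypto", "0.0.0", "", "weak default cipher, no fix yet (constructed)"),
]

# Constructed pip-style lock file ("name==version" per line).
LOCKFILE = """\
examplelib==1.3.9
fastjson-py==2.1.0
legacy-crypto==0.9.1
requests-like==2.0.0
# comment lines and blank lines are ignored

"""


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2). Only the leading digits of each component
    count, so a pre-release such as '1.4.2rc1' compares as 1.4.2; missing
    components are padded with zeros."""
    parts = []
    for component in text.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_lockfile(text):
    """Map package name -> pinned version. Unpinned lines are rejected,
    because a range cannot be checked against an advisory reliably."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, adv):
    """True when version lies in [introduced, fixed); an empty 'fixed'
    means every version from 'introduced' onward is affected."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, pinned_version, fixed_version_or_None, summary)
    for every pin that matches an advisory, sorted by package name."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv.fixed or None, adv.summary))
    return sorted(findings)


def scan(text=LOCKFILE):
    """Convenience entry point: parse the lock file and report findings."""
    return find_vulnerable(parse_lockfile(text))


if __name__ == "__main__":
    results = scan()
    for package, pinned, fixed, summary in results:
        fix = f"upgrade to {fixed}" if fixed else "no fixed version yet"
        print(f"{package}=={pinned}: {summary}; {fix}")
    # A non-zero exit fails the build step when anything is found.
    raise SystemExit(1 if results else 0)
```

Wired into a build step, the non-zero exit blocks the merge until the pinned version is moved past the fixed version (or, where no fix exists, until the team has decided how to handle the package), which is what turns the post's advice about updates into a check that runs every time.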

A good software product team keeps up to date on the other software used to make sure their own code isn’t affected.

Bug bounties made the past several years interesting. Instead of paying a dedicated security team a fixed amount – at salaries around $100,000 plus – companies encourage outside researchers to look into their software to find bugs. These independent testers only get paid when they find a bug. Companies like Microsoft and Google may pay large sums depending on the bug found.

“It’s definitely no substitute for having dedicated security professionals,” according to one developer.

He stressed the importance for software companies of having a security disclosure process. If someone finds a major bug in your product, you want that person to tell you before going public. That keeps the public from being put at risk, especially in industries such as finance and healthcare where regulation has even higher importance.

Make Sure the Analytics Platform Inherits Your Security

Izenda aims to inherit existing security models and sit behind your application’s authentication process. Check out our platform’s integration model to see how.
