The theme of the second week of National Cyber Security Awareness Month (NCSAM) revolves around the secure development of IT products. As information security professionals and software developers, continuously working towards making our products safer is our shared responsibility, so how do we fulfill this duty? Industry experts revealed a few successful tips on how to assure the everyday products we use are carefully crafted to bolster security:
Make your product open source software
“The number one thing you should do to improve the security of what you’ve built is to make your product Open Source Software,” says Bill Franklin, co-founder of Lavaboom, a secure email developer.
Let’s face it: we are all human. No matter how much we may have poured over our code, we still might miss a security flaw here and there. That’s why open source software is so valuable. Also, remember that OSS is a two-way street. That means that you can and should refer to other people’s code when developing your products.
“Making use of existing Open Source security software is a good move,” said Franklin. “Libraries and protocols that have stood the test of time are going to be the most reliable part of your codebase.”
Of course, Franklin points out there are some downsides to OSS. Competing companies could steal tasty bits of your code and repackage them in their own solutions. Additionally, open source means that anyone can look at your code—including attackers who might want to exploit your networks. These drawbacks notwithstanding, there is power in a community of skilled developers inspecting your software for vulnerabilities.
Testing is your friend!
Newer IT products could very well save your company time or money but that’s not always the case. Chris Conacher, manager of security and compliance solutions at Tripwire, says, “Savings on the tools will usually transfer to cost in man hours as you will almost certainly need someone extremely well versed in application security to go through the reams of output to determine what is true or false, to continually take care of tool configuration and to make decisions on what needs fixing and how.”
With this in mind, all IT products need to be tested—and thoroughly. As Chris notes, “When working out a budget, you need to go beyond license costs to what the real cost will be based on the process that you expect to implement and the ability of your resources both from a capability and a capacity perspective.”
Adhere to a secure SDLC approach
Systems development life cycle (SDLC) refers to a process that companies should abide by when developing IT products. It requires that developers constantly refine their products’ code and check for vulnerabilities in each stage of development—a process which emphasizes secure, fully tested IT products.
There are four parts to an SDLC framework. As Conacher notes, a basic SDLC model consists of:
- Training on a set of issues (OWASP Top 10 and WASC 25 are both good examples)
- Source (static) code analysis at the unit test level performed by the developers, who pre-commit to ensure bad code does not enter the product
- System-level source code analysis to ensure that the product as a whole is secure from basic flaws
- Some level of dynamic testing (aka penetration testing)—either pre-production or in production depending on the product type to identify business logic flaws, bad design choices and/or standards
SDLC is also a useful framework for an organization that wants to ensure the security of its entire system. Lori MacVittie, Principal Technical Evangelist for F5 says, “[F5’s] developers apply secure software-development practices to everything from the kernel to the network drivers to subsystems that interface with acceleration cards to the top of the stack, where both software services and management systems reside.”
Think about incident response
We can analyze, test, and share the code of our IT products as much as we want, but even then attackers may still get in. Acknowledging this, it’s always important to have a vulnerability response team at the ready.
“A very important component for us is our vulnerability response teams that monitor for new vulnerabilities in the market,” explains MacVittie.
“These teams determine whether existing vulnerabilities are applicable or not and then recommend the appropriate response. Vulnerability response teams, along with our Security Operations Center, are focused on both the security of our own products as well as customer apps.”
Vulnerability response teams are critical when it comes to IT product development insofar as they can help keep both developers up-to-date about emerging threats and the organization informed about what their products might come up against “in the wild.”
We all want to develop the most secure IT products possible. By making our products open source software, testing often, adopting an SDLC approach and thinking about future vulnerability response, we can all deepen the security of our products and, by extension, improve users’ experience.
- How to Build Up Your Secure Development
- Are You Threatening Me? A Tutorial on Threat Modeling
- The Ever Expanding Trust Boundary: To Infinity and Beyond
- Threat Mitigation and the 20 Critical Security Controls
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerabilities.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image courtesy of ShutterStock