In this contributed piece for the Computer Weekly Developer Network, principal consultant Paco Hope at software risk management company Cigital explains his security-centric approach to software application development.
Security from the start
For many years I have been telling organisations of all sectors, sizes and ages about the importance of building security into software early. The simple reason is that it is significantly more expensive if you find vulnerabilities further down the software lifecycle, which is true of any software defect.
This alone hasn't been motivation enough to get everybody building security in. In this piece, I will add a new piece of evidence to the argument, one that goes to the heart of many businesses' reluctance to change what they do or how they do it.
So maybe you don't believe someone would bother with your software. Many organisations simply don't believe that cyber criminals have any reason to exploit their systems - and perhaps there was some truth to that for some firms in the past.
Today, however, cyber criminals do not care who you are or what your company stands for. If you have vulnerabilities in your software, they have real financial incentive to find it and build an exploit for it.
In recent years a very real and very large market has developed, where organisations (criminal, political or military) can buy and sell the knowledge of vulnerabilities and their corresponding exploits.
The shocking truth about hackers
A hacker may not care at all about your company, what it sells, or what happens to your company as a result of the vulnerability they find. They simply know that if they package that vulnerability with working exploit code, they can get paid real money for it. Although the money is in proportion to the ubiquity of your software (so exploits in software with smaller user bases may fetch a lower price), it's still money.
This is a phenomenon that is already happening. A prime example of this is the AT&T breach, whereby a security researcher was able to exploit a flaw in security and reveal the email addresses and details of 114,000 iPad users, including the White House Chief of Staff, Rahm Emanuel, as well as chief executives and military officials.
In this case, the perpetrator was jailed, but the point is that he was not out to make money; this was a politically motivated incident.
Had the hacker been financially motivated, he could have easily remained anonymous and sold the data to identity thieves. A few email addresses aren't worth much. But knowing that they are 100,000 iPad users on AT&T makes it slightly more valuable.
For years we've talked about creating good, solid software with the main goal of saving cost and time, but now, with the threat landscape being what it is, the incentive is to create good, secure software because there is a vigorous market and groups of people out to exploit deficiencies in your software and you will suffer the consequences as a side-effect.
Run fast without tripping
The other argument against doing it "later" in the lifecycle is that sometimes there is no "later."
Companies in fast-moving industries are growing from start up to multi-billion dollar enterprise within a matter of years. Going back and patching old software defects is simply not an option. By the time you know where your defects were, the defective version is on its way out.
Some of these companies that have experienced such rapid exponential growth are releasing new software so fast that instead of patching bugs in the software, they just completely replace it within six months. Building security in at the start allows them to retain the security lessons and propagate them into new versions.
This startup psyche is a relatively new phenomena, which has come from the birth of massive companies such as Facebook, Instagram, Pinterest and the like. There are definitely companies that, when it comes to patching software defects, think "we're moving so fast that going back to fix this is not an option."
Core design and architecture
However, if they get the key security principles right in the first place, they can run fast without tripping over. The design and architecture that you create early on will remain at the core of your business, and will be the foundation for your future.
So whether it's to keep running fast, to avoid being someone else's cash cow, or to keep traditional costs down, there are more reasons than ever to do security from the beginning, not just at the end.