Security professionals need to get involved in application development lifecycles as soon as possible, according to Becky Pinkard, director of security operations center at education firm Pearson.
“Ideally, security professionals should be involved from the concept stage to ensure applications are secure by design from the very foundation,” she told Computer Weekly.
Many organisations fail to adopt this approach because of commercial pressures to bring new app-enabled products and services to market, driven largely by demand from mobile device users.
This is a trend Pinkard has observed in the past 18 years at several large, multinational organisations.
“Just as businesses moved online, they are responding to customer demand to deliver that experience on smartphones and tablets as well through apps,” she said.
The increased use of apps in business highlights the importance of embedding security in the systems development lifecycle, both to minimise vulnerabilities and to meet data protection regulations.
Why businesses neglect security
But because business is often led by consumer demand, instead of working ahead to anticipate that demand, application development is typically rushed and security gets missed out.
Another common reason security is often neglected, said Pinkard, is the existence of niche pockets of expertise in global organisations.
These teams may be new to the business, they may be contractors or they may be young and inexperienced, focused on getting the job done as quickly as possible.
“For these reasons they may not think about all the parts of the business they need to incorporate into the development of an app, and so apps get created and published without security being involved,” she said.
Addressing security shortcomings
Pearson is tackling this issue by working to identify the project initiators and managers in the organisation to get involved in the development lifecycle as early as possible.
“We want to make sure that security is thought of right from the very start by helping developers to code securely so that everything is secure from the foundation,” said Pinkard.
Another benefit of the early involvement of security is cost, she said, because it typically costs much less to add security controls early on in the development process than towards the end or after initial release.
“Studies have shown that it can cost many thousands of pounds more to add security controls at the end compared with doing it at the start,” said Pinkard.
Unified corporate structure
This approach is much more difficult if businesses are run in a disparate fashion, with different business units reporting to different executives.
For this reason, Pearson brought all of its lines of business under a single corporate structure from January 2014.
“This is making it much easier to locate the different development teams and bring them all into a single method for running their projects that is aimed at ensuring security is there from the start,” said Pinkard.
In developing that single project method, Pearson is adapting various industry guidelines, such as the best practices published by the Open Web Application Security Project (Owasp).
But this is work-in-progress that needs to evolve continually. “Once you get the wheels in motion, they are living, breathing things. You can’t just put a tick in the box and say it is done,” said Pinkard.
Just like security policy, she said, a secure development lifecycle should be reviewed continually to ensure it is kept up to date, that it is being enforced consistently and that it is working properly.
Since starting a concerted effort to tackle security issues around application development, Pearson is making progress in identifying all the applications in the organisation.
“Creating an inventory is an important first step, but is typically a laborious challenge for many organisations, particularly those that have developed organically over time,” said Pinkard.
This means few organisations know everything they own or are working on at any given time, and it is not always easy to identify who owns projects or who is responsible for their maintenance.
Once an inventory has been drawn up, the next step is to assess the security exposure of each of the applications identified, which means conducting a testing process for each.
“This helps to understand the scale of the problem, create a measure of urgency for the remediation of the problem, and set priorities using a risk matrix,” said Pinkard.
The next step is for organisations to find and assign resources to resolve the issues that have been identified.
“A common challenge in most organisations, however, is being able to put all this information together and relate that to the business in such a way that they can help allocate the right resources,” she said.
Pinkard believes the best way of doing this is by identifying the revenue associated with an application, how many customers it affects and the risk in terms of the reputational damage a security failure would cause.
“This helps focus thinking and helps the business make the best decision about allocating resources to resolve specific security issues,” she said.
But Pinkard believes information security practitioners have come a long way from telling the business what it cannot do, to realising that security needs to help the business to achieve its aims securely.
“As more security professionals realise this, they will help more people in the business to realise the same; because security should be integral to all that businesses do in the digital world,” she said.
Pinkard is to take part in a panel discussion on the "applification" of business and its implications for security at Infosecurity Europe 2014 at Earls Court, London, 29 April to 1 May 2014.
She will be joined by moderator Ian Bryant of the Trustworthy Software Institute and fellow panellists Adrian Asher of Microsoft’s Skype division, Marcos Placona of Web Reservations International, and Simon Bennetts of Mozilla.