Security Think Tank: Enable outcomes-based security in software development
What is the first step towards moving from a tick box approach to security to one that is outcomes based, and how can an organisation test if its security defences are delivering the desired outcome?
The key to moving from formulaic, process-driven security to a results-driven approach is first to understand that different disciplines require different forms of cyber security.
Front-line operational security will always require a tick box element to ensure everyone is synchronised and singing from the same cyber security hymn sheet. Those on the front line cannot afford to experiment, as any failure could be potentially catastrophic for their organisation. Tried-and-tested formulaic solutions offer a readily available resolution in an emergency, whereas individual innovation is risky and cannot be relied on for operational security.
However, behind the front lines of cyber security, there is room to move towards a more creative, results-driven approach. The software production lines that lie behind our economy are the perfect place for this.
From crowdsourcing penetration testers, to developing a base of core competencies which form a springboard for innovation, to marrying creativity with compliance, there are abundant ways to move towards outcome-based security. Software developers also have room to fail forward before their software enters the mass market.
Below are some of the ways that software developers can get creative and test their security solutions against the desired outcomes.
Build a solid knowledge base
To build secure software with an outcomes-based development regime, the software development team needs basic core competencies in security.
If everyone has a certain baseline knowledge, preferably through being trained and certified to the same standard, this provides a solid foundation for innovation. This means that software developers can freely experiment with creative ways of making software secure, reliable and trustworthy, without deviating from the basics of best practice.
Get creative with compliance
Software developers need to work with auditors to find creative compliance solutions based on outcomes, rather than processes. For example, some auditors ask companies to install Wi-Fi sniffers to pick up any rogue Wi-Fi access points on the corporate network, which pick up hundreds of innocuous hotspots, from employees’ tablets to passing pedestrians, yet does little to protect corporate data.
I found a way of ensuring corporate data could not be shared over insecure Wi-Fi networks by installing a system that requires approval for any Wi-Fi to connect to it and documenting how this met and exceeded the auditors’ requirements. This shows that auditors are happy to acknowledge creative ways of achieving the required “tick in the box”.
Software developers must test software at its genesis, in production and throughout the entire pipeline from development to deployment. Repeated testing ensures software remains bullet-proof throughout its many iterations
Test, test and test again
Software developers must test software at its genesis, in production and throughout the entire pipeline from development to deployment. Repeated testing ensures software remains bullet-proof throughout its many iterations, catching vulnerabilities before they require patching.
A rigorous, creative and continuous testing regime geared towards improving software security, from pattern-matching to penetration testing, is more important than a tick-box approach.
Crowdsource external expertise
Developers also need to test that their creative methods are achieving the desired outcome of safe and secure software.
The best way of achieving this is to have a Chinese wall between judge and executioner so that the people responsible for developing the software are not the same people responsible for testing it at the end. Organisations should crowdsource external pen testers to see how their software withstands a real-world cyber attack.
Creative, outcomes-based software development is crucial, but it’s important to bring in outside perspectives at the end of the process.
Ultimately, secure software development involves creative results-based thinking grounded in basic competencies producing an end product that is subject to external testing.
