Security Think Tank: Focus on security before app deployment

As an increasing number of organisations report cyber attacks and data breaches at the application layer, it’s obvious that all is not well in the realm of application security.

In the rush to deploy applications, security becomes an afterthought and is largely ignored when it really matters most – during the software development process.

From a purely financial point of view, quickly rushing out applications without thought for security is short-sighted. Not only does it lead to costly data breaches, but the later a bug is discovered, the more expensive it becomes to remedy.

Research shows that bugs identified during the implementation phase can cost over six times more to fix than those identified during design. Finding and fixing security issues early is a no-brainer.

With this in mind, the Information Security Forum (ISF) recommends 10 security principles, focused on agile practices, which can be applied to application development:

1. Define roles and responsibilities – make all stakeholders in a project, from developers to project managers and product owners, aware of their responsibilities regarding security.
2. Invest in skills and training – give development teams the means and experience to make use of secure development techniques and practices.
3. Apply an information risk management process – define and approve a risk management process that applies throughout each phase of development.
4. Specify security requirements using the developers’ format – use whatever format and language your developers use to define coding requirements, and include these requirements on the product backlog to ensure that they are delivered.
5. Conduct threat modelling – evaluate adversarial techniques that could be used to exploit specific technical vulnerabilities and design the application to reduce such vulnerabilities.
6. Employ secure programming techniques – use a standard, approved set of secure programming techniques (such as pair programming, refactoring and test-driven development) when writing code.
7. Perform independent security reviews – bring in individuals from outside the development team to test and analyse code (such as using static code and / or dynamic analysis).
8. Automate security testing – use automated techniques (such as finding common vulnerabilities) to check code for bugs.
9. Include security in acceptance criteria – ensure that security criteria are included in the ‘definition of done’ at the end of every development iteration or phase.
10. Evaluate security performance – evaluate security performance of applications using metrics, and report using predefined key performance indicators (KPIs).

None of these principles should surprise security practitioners. They can mostly be grouped under a heading of “apply common sense”, yet, they are often not applied.

As organisations strive to keep up with a fast-moving business environment – which demands constant deployment and revamps of applications to meet customer requirements – security concerns fall by the wayside.

Organisations should pay more heed to security when it is easiest to address, which is before the application goes live.

Applying the ISF’s security principles throughout the development process will help to identify security flaws early and often, producing applications that are robust, resilient, less vulnerable to attack – and ultimately less costly to the business.