Cybersecurity: Top 10 Software Development Security Best Practices
One of the most common oversights when developing software is security. Sometimes this is due to inexperience: the software or product team is simply too junior to know about the edge-case scenarios that more experienced people learn over time. Other times it comes down to negligence and poor decision making in the rush to get a product to market as cheaply and quickly as possible.
Software, like anything else, is typically driven by time and budget. Modern software development is usually done using an agile framework with a set capacity, which also sets the budget. These methods typically lead to developing a minimum viable product (MVP) first and relying on a backlog to enhance and improve the system with additional features after the MVP release. However, the rush to MVP often leaves out critical security best practices, which we cannot stress enough is a terrible idea. Further, once you launch an MVP, your backlog gets re-prioritized: as users start to use the system, new priorities and feature requests emerge to support them, and the items you had queued up to strengthen your system get lost, especially if your capacity does not increase.
Top 10 Software Development Security Best Practices:
- Implement and use static code analysis tools like Veracode, Checkmarx, and others to find vulnerabilities in your code as you write it. Some tools have IDE plugins that let developers view and fix issues interactively while they code.
- Use dynamic scanning tools like Tenable.io to scan all of your environments, including QA, staging, and so on, not just production. By examining your code and environment before each release, you mitigate risk and ensure you have no known open vulnerabilities. Repeat the scans weekly or monthly to see what they catch each time, since definitions and known vulnerabilities are always changing: scan after each release to each environment, and then run scheduled scans weekly.
- Sign up for third-party vulnerability feeds. Sites like us-cert.gov and others will send you alerts about the latest cyber threats. If you’re a heavy user of WordPress or other specific frameworks, each will likely have a dedicated feed for known risks.
- Hire a “white hat” (ethical computer hacker) expert to run penetration testing against your code, both with and without your source code as a reference. This can be expensive, but with a capable tester it can also be one of the more effective tools for mitigating your risk. When you do a code-assisted pen test, good testers will almost always find a few different areas that need attention. If your budget allows it and your system is public-facing, we would recommend this at least annually.
- Ensure your software developers go through annual secure code training and are familiar with at least the OWASP Top 10. This is critical: the developers working on your system should know, at a minimum, the basics of the top 10 threats and how attackers exploit the kinds of systems they develop every day.
- Chances are your software follows, or should loosely follow, a standard, whether it’s PCI compliance, GDPR, HIPAA, CMMI, or another. Ensure your product teams (not just your developers) are familiar with and trained on those compliance requirements.
- In production and development environments, get network and security audits done. By hiring auditors to find holes in your processes and procedures, as well as network penetration tests, you will be able to identify a lot of risks, plug them, and then rinse and repeat annually.
- Inventory and audit all third-party open-license software libraries. You’re only as secure as your weakest link, and the same applies to your third-party vendors. You can have the most reliable developers and the most reliable network, but it only takes one hole. Almost all systems now use some type of third-party framework or script. These are continually being updated, and it’s essential to stay current with them; if a component stops being updated, drop it and replace it with an alternative.
- Implement MFA for every system, both on the software end that you develop as well as the environment the developers are working in. Multi-factor authentication is essential, not just for the consumers using your system, but also for the developers and admins accessing the backend daily.
- Use encryption for all PII data, and work with a security architect to consider isolating all PII data in a separate, even more secure area. Data encryption is also essential because if and when the one-percenters do get into your system, proper encryption will render the data they take useless. This goes for data at rest as well as data in transit.
- (I know it’s a top 10 list, but this one is a bonus) Use CAPTCHA! This helps distinguish human input from machine input and is an easy way to stop most bots from posting (malicious) data to your application.
*Note: This is not a complete list. The cybercrime environment is changing rapidly, and Liventus works to improve cybersecurity to protect against it.
Businesses have to weigh many factors and balance features and functionality against time and money. We have taken over many projects that never took security into account, or whose original developers simply didn’t know any better. Liventus, as a software development company, follows many security best practices in addition to those listed above.
The price of a breach will always be higher than the time and effort required to prevent it. We speak a lot about the 99% and the 1%: you need to do what you can to keep out the 99% of bad actors. There isn’t much you can do to keep out the 1%, but there’s a lot you can do to keep out the 99%. We cannot stress enough the importance of following these software development security best practices. If you don’t, it’s not a matter of “if” you get breached; it’s a matter of “when.”
For more cybersecurity tips, check out What Cybersecurity Looks Like in 2020.