4 Keys to Secure Software Development in 2021

Software is everywhere. Society ran on steam; then it ran on electricity; now it runs on software. Software is in your car, your microwave, even your lightbulbs. According to Forbes, human society produces 2.5 quintillion bytes of data per day. That’s 25 followed by seventeen zeroes.

The sobering fact understood by cybersecurity experts is that this represents 2.5 quintillion vectors of attack. Every action, every line of code, every single “one” and “zero” is a potential faulty padlock that could allow cybercriminals access to the program — which means access to potentially sensitive systems and user data that the hacker could use to wreak millions, even billions of dollars of damage in corporate and individual lives.

And they’re trying. They’ll try all 2.5 quintillion if given the opportunity. Cybercriminals use nefarious tools to try hundreds, even thousands of different avenues of attack every minute, every second. According to DataProt, over 560,000 new malware apps are discovered every day, bringing the total number of known malware apps to over one billion.

In short — it’s an arms race, with cybersecurity experts trying every day to stay one step ahead of the cybercriminals.

This is not to scare enterprises and companies from embarking on the exciting journey of custom software development — only to emphasize the absolute necessity of scrupulous attention to security. In this article, we will discuss four keys to secure software development in 2021.

Why Secure Software Development Is So Critical

Cybersecurity is everyone’s problem. Individuals need to be vigilant against identity theft, a costly and frustrating crime to recover from.

For companies and organizations that develop and deploy custom software — which almost every enterprise-level company will consider, and which form the bread-and-butter of Cloud-services and SaaS companies — the imperative is even starker.

If custom software gets hacked, it can deal a blow to the company from which it never recovers. A 2020 report by IBM and the Ponemon Institute calculated the average total cost of a cyber attack at $3.86 million.

Larger companies could absorb this; smaller companies probably can’t … and oftentimes, the bigger the company, the bigger the hit. British Airways and Marriott suffered recent cyberattacks that cost them an estimated $100 million each; Norsk Hydro tipped the scales at $75 million in damage; the Desjardins Group, $53 million.

The damage caused by software breaches is manifold. It encompasses:

  • Loss of software integrity
  • Exposure of user data
  • Loss of brand reputation
  • Loss of revenue

Protect the Integrity of your Software

Software has integrity if it functions as expected, has security features, lacks certain vulnerabilities, and can be tested, followed logically, and upgraded without errors. Software with integrity can more easily be analyzed for coding defects, protected against security threats, and meet standards of documentation, including regulatory and industry standards.

Both consumers and businesses depend on the integrity of the software they choose. A commitment to software security is critical in meeting this expectation. Software that lacks integrity is vulnerable to a variety of forms of attack, which can threaten the very existence of the company that produced the software.

Secure User Data

The company that makes the software is rarely the only victim of the cyber attacks that target its products. Software applications collect all manner of user data.

How much data depends on the application and industry, but the data that could be stored within the software includes but is not limited to their names, email addresses, physical addresses, bank account information, credit card information, driver’s license numbers, passport numbers, and possibly even tax ID information, like the Social Security number.

Needless to say, this is all the information a data thief needs to wreak havoc in the lives of compromised users in the form of identity theft. Companies that collect user data through their software need to take this responsibility very seriously.

In addition to it being the right thing to do, they may not have a choice. Companies that store user data often face significant regulatory compliance burdens. They could be liable for regulatory fines and consumer lawsuits if inadequate protection results in a breach of user data.

Safeguard Organizational Reputation

A company’s reputation is one of its most valuable assets. Broken equipment can be repaired, flooded real estate can be renovated, lost or spoiled inventory can be replaced … but once a brand has its reputation sullied, the road back can be long and difficult.

Lost reputation may be the most costly after-effect of a security breach, especially if user data is threatened. Major data breaches, as well as the lawsuits that ensue, can become media circuses.

The hubbub can result in a loss of stock price, acceleration of customer turnover, and lost customers who defect to competitors while the organization undertakes the often lengthy period of picking up the pieces and restoring the integrity of the software.

Large companies may be able to come back from the kind of reputational damage that follows in the wake of a security incident, but smaller organizations may never recover.

Avoid Lost Revenue

There’s lost reputation, and then there’s cold hard cash. In addition to the loss of stock value and the cost of lawsuits, customers retreating from a compromised software solution and into the arms of a competitor means an immediate loss of the company’s hard-won revenue base. In addition to reductions in revenue, data breaches can result in loss of intellectual property.

Studies show that 29% of companies that suffer a data breach suffer a loss in revenue, with up to 38% of those experiencing a loss of revenue over 20% — a catastrophic loss for many companies.

Secure Software Development Key # 1. Use a Variety of Tools to Evaluate Your Code

Many software security breaches could have been prevented if the developers had paid adequate attention to the security of the source code, both in the development phase and on an ongoing basis. Even small defects in the code can be exploited by cybercriminals. Software developers need to be vigilant in their inspection of the code to reduce the risk of a data breach as much as possible.

Code analysis used to be an arduous process, involving visual inspection of every line of code and a painstaking battery of manual tests. However, code analysis tools have made it much faster and easier, resulting in a higher standard of security for software. Inspection of the source code by analysis tools may also be a key component of regulatory compliance for companies that store user data.

Static Code Analysis

As the name implies, static code analysis, also known as static application security testing (SAST), refers to the process of checking the source code of a software program before the program is run. This gives the developers an early warning of potential problem areas — and the earlier the alert comes, the easier the problem is to fix.

Static code analysis tests the source code against a series of coding rules. These rule sets are meant to expose weaknesses in the code that cybercriminals can exploit. The rule sets may spring from security controls like FISRA or ISO 26262, and more than one rule set may be applied to the analysis.

This process can be applied manually, with a human programmer reviewing every line of code against the relevant rule set. However, if the code needs to be checked against multiple rule sets, the labor required for this type of analysis could become prohibitive.

This is where static code analysis tools come into play. Automated code analyzer tools can quickly and accurately pinpoint the exact source of problems, without susceptibility to human error.
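
To make the idea of a rule set concrete, here is a small rule checker added as an illustration (it is not code from the original article or from any of the products named below). The rule ids R1 and R2, the function names and the sample source are constructed for this example; the checker parses the sample without running it and reports the line each rule fires on.

```python
import ast

# Constructed sample source to analyze. It is parsed, never executed.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, name):
    query = "SELECT id FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def run_formula(text):
    return eval(text)
'''

def is_dynamic_string(node):
    """True for text assembled at run time: f-strings, % or +, str.format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

class RuleChecker(ast.NodeVisitor):
    """Hypothetical two-rule set: R1 = SQL built from variables, R2 = eval/exec."""

    def __init__(self):
        self.findings = []          # (line number, rule id, message)
        self.dynamic_names = set()  # locals that hold run-time-built strings

    def visit_FunctionDef(self, node):
        # Track assignments per function so names do not leak between scopes.
        saved, self.dynamic_names = self.dynamic_names, set()
        self.generic_visit(node)
        self.dynamic_names = saved

    def visit_Assign(self, node):
        if is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.dynamic_names.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            self.findings.append((node.lineno, "R2", "call to %s()" % func.id))
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            arg = node.args[0]
            if is_dynamic_string(arg) or (
                    isinstance(arg, ast.Name) and arg.id in self.dynamic_names):
                self.findings.append(
                    (node.lineno, "R1", "SQL text built from variables"))
        self.generic_visit(node)

def analyze(source):
    """Return sorted findings for one source file given as text."""
    checker = RuleChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)

if __name__ == "__main__":
    for line, rule, message in analyze(SAMPLE_SOURCE):
        print("line %d: %s %s" % (line, rule, message))
```

The parameterized query in find_user_safe passes both rules, which is the behaviour a developer fixing an R1 finding should see.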

Companies that offer well-respected static code analysis tools include:

Veracode. Based in Massachusetts, Veracode offers tools for both static and dynamic code analysis in a Cloud-based solution. The tools have been used to secure code for three of the top four Fortune 100 commercial banks.

Checkmarx. Based in Israel, Checkmarx has been responsible for uncovering vulnerabilities in the code of some of the biggest, most popular software solutions in the world, including Google and Samsung smartphones, Amazon Alexa, Meetup, and Tinder.

Dynamic Code Scanning

Whereas static code analysis examines the software source code when it is not running, dynamic code scanning, also known as dynamic application security testing (DAST), examines the code while it is running.

This is useful because it creates a more realistic simulation of a potential cyberattack, which will likely happen while the program is running. Some vulnerabilities, like memory allocation issues, will not even be visible in the static code. You have to examine the code in execution to spot them. Dynamic code scanning can also identify vulnerabilities associated with third-party libraries and other dependencies, which static code analysis will probably miss.

Dynamic code scanning tools bombard the running code with a variety of signals meant to imitate malicious actions that a cybercriminal might take. This could include:

  • SQL queries, which can identify vulnerabilities to SQL injections, a common cyberattack where a hacker attempts to interfere with a database query.
  • Unexpected inputs, which could create vulnerabilities based on invalid assumptions.
  • Long input strings, which can create a buffer overflow and open a door for other malicious actions within the software.
  • Extreme numbers, like negative or large positive numbers, which may create overflow or underflow vulnerabilities.

The goal of these inputs is to instigate an invalid response or even a crash. If that happens, it constitutes a vulnerability that a cybercriminal could exploit, and which the developer can then correct. Dynamic code scanning also allows the developer to game out the aftermath of such an attack, to assess the damage that could be done.

The downside of dynamic code scanning is that it is less accurate than static code analysis, returning many false-positive results with little in the way of accuracy as to the source — that is, the exact line of code returning the error.
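
The probing described above can be tried against your own code in a test environment. The following harness is an added example, not part of the original article: the handlers reserve_unsafe and reserve_safe, the items table and the probe values are all constructed for illustration. It sends one probe per input class from the list to a running handler and records only what is visible from outside, which is why a finding names the failing input but not the faulty line.

```python
import sqlite3

def make_db():
    """Fresh in-memory database for each probe (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO items (name) VALUES ('widget')")
    return conn

# Application under test: two hypothetical versions of the same handler.
def reserve_unsafe(conn, name, qty):
    field = qty.to_bytes(4, "big")  # assumes qty is an unsigned 32-bit int
    sql = "SELECT id FROM items WHERE name = '%s'" % name  # string-built SQL
    ids = [row[0] for row in conn.execute(sql)]
    return {"ids": ids, "qty_field": field.hex()}

def reserve_safe(conn, name, qty):
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        raise ValueError("name must be 1 to 64 characters")
    if not isinstance(qty, int) or not 0 <= qty < 2**32:
        raise ValueError("qty must fit an unsigned 32-bit field")
    field = qty.to_bytes(4, "big")
    rows = conn.execute("SELECT id FROM items WHERE name = ?", (name,))
    return {"ids": [row[0] for row in rows], "qty_field": field.hex()}

# One probe per input class named in the list above, plus a valid baseline.
PROBES = [
    ("baseline", "widget", 5),
    ("sql metacharacter", "widget'", 5),
    ("unexpected type", "widget", None),
    ("long string", "A" * 100_000, 5),
    ("negative number", "widget", -1),
    ("huge number", "widget", 2**64),
]

def scan(handler):
    """Run every probe against the handler and return {probe label: outcome}."""
    report = {}
    for label, name, qty in PROBES:
        conn = make_db()
        try:
            handler(conn, name, qty)
            report[label] = "ok"
        except ValueError:
            report[label] = "rejected"  # deliberate input validation
        except Exception as exc:        # unhandled failure: worth a look
            report[label] = "FINDING: " + type(exc).__name__
        finally:
            conn.close()
    return report

if __name__ == "__main__":
    for handler in (reserve_unsafe, reserve_safe):
        print(handler.__name__)
        for label, outcome in scan(handler).items():
            print("  %-18s %s" % (label, outcome))
```

Against reserve_unsafe the long string passes without complaint: Python is memory-safe, so that probe exposes a missing length check only when compared with the validated handler, which rejects it.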

Tenable.io, a web tool that forms a crucial part of the Tenable Cyber Exposure Platform, is a popular tool for dynamic code scanning.

IAST Tools

There are static code analysis and dynamic code scanning — SAST and DAST — and then there’s IAST. IAST stands for interactive application security testing, which combines some of the characteristics of both static and dynamic code analysis to produce an analysis approach that produces better results than either one alone.

IAST is “interactive” because it doesn’t scan or analyze the code from without. Rather, it performs the analysis from within the application, producing data from inside and in real-time. This allows it to analyze the code, like in SAST, but to observe the code while the program is running, comparable to DAST.

From inside the application, IAST tools have access to a broad range of systems, including:

  • The source code itself
  • Configuration info
  • HTTP responses and requests
  • Runtime control
  • Libraries and frameworks
  • Data flow info
  • Info about backend connections

This comprehensive interior scan means that IAST tools can scan as much as 99% of the software in action, with far fewer false positive results and greater accuracy, resulting in far more actionable data.

IAST tools also have the advantage of being user-friendly and easy to install.

Secure Software Development Key # 2. Seek Outside Help Around Possible Vulnerabilities

The development of secure custom software is a team effort. Yes, there will be an internal team and possibly a third-party development team, but when it comes to the essentials of cybersecurity, you don’t want to become the blind leading the blind. As with the diagnosis of a serious disease, you want a second opinion.

Smart development teams recruit as much intelligence as possible to verify and validate the security of their output, as well as expose vulnerabilities that can be corrected before the software goes live and lands in the hands of users. Here is some of the outside help you should recruit to the cause of producing the most secure software possible:

Third-Party Feeds

Security vulnerabilities in your software may not always come from within — in many cases, they come from without. Software solutions often depend on third-party apps or web apps — for example, WordPress for web design, or Stripe for payment processing. Incorporating these third-party apps means opening yourself up to that app’s vulnerabilities.

And yet, you still may be on the hook for breaches of those vulnerabilities, because you are ultimately responsible for the security of your software.

The good news is that these third-party apps usually offer RSS feeds that detail new security risks. Make sure you are subscribed to these feeds. They will contain crucial information for your IT department to stay ahead of new and emerging threats.

Ethical Hackers

Ever wonder whatever happened to the teen tech wizards you knew in high school, the ones who fancied themselves petty hackers? Did they all grow up to be cybercriminals? What honest work is their skillset good for?

The marketplace was good to those wannabe hackers, giving rise to the “ethical” or “white-hat” hacker. These law-abiding rogues play a critical role in the cybersecurity industry. Companies hire them to try to hack their software, and in doing so expose vulnerabilities in the software that real cybercriminals could exploit.

White-hat hackers may be hired to perform a penetration test (or pentest). During the pentest, the hacker attempts to breach the software by any means available to him/her. Ideally, no one in the organization knows the pentest is coming, so that the test also shows how they react to a potential security crisis.

Of course, because the hacker is ethical and on hire, they don’t actually steal or compromise the data they may gain access to. Instead, they provide a report of the pentest results and an action-item list to shore up any vulnerabilities they discovered.

Independent Auditors

Smart companies shouldn’t rely on the developer or the internal IT team to validate the security of the software. Independent code auditors offer code analysis services to put a fresh pair of eyes (and software tools) on the code to catch things that internal IT teams might miss. Independent auditors may also employ ethical hackers and perform penetration tests.

Secure Software Development Key # 3. Make Time for Ongoing Training With Your Development Team

Cybersecurity is not something that happens once. Remember, this is an arms race, a hustle to stay ahead of the next innovation by cybercriminals. This means that the work of cybersecurity never ends. It requires a commitment to ongoing patches, fixes, and upgrades — which means ongoing training and development of the cybersecurity experts on your development team.

Here’s what to consider when developing a program of ongoing cybersecurity training for the development team to help them maintain the integrity of your software:

Include Security Training in Onboarding

Onboarding is a critical time in the life cycle of a new hire. It’s a chance to bring them up to speed and into alignment with your current best practices, including the state of your software’s security.

It’s also a chance to “indoctrinate” them into your corporate culture, including your commitment to software security. By emphasizing its importance and incentivizing its execution early on, the odds are much better that they will buy into that commitment and consider it a key part of their role within the development team.

Revisit Security Training At Least Annually

Even if no new faces join the development team, it’s important to revisit your software security approach on a regular basis — annually at minimum, quarterly if possible. It’s a chance to check in on the state of the software’s security posture, revisit best practices, powwow on new developments, and implement fixes.

Regular check-ins will also re-emphasize the importance of software security to your organization, and give the development team a chance to re-up their buy-in to that commitment.

Implement Targeted Training as Needed

Since new threats and fixes enter the collective IT consciousness on a daily basis, the development team needs to be prepared to think on its feet. New practices should be implemented as soon as the need for them becomes clear, and the team needs to be brought up to speed.

That means that the development team needs to be prepared for targeted training whenever it becomes relevant. It’s important to cultivate a culture of lifelong learning, a development team that is constantly studying cybersecurity — nimble, flexible, and adaptive.

Get Familiar With Relevant Regulatory Standards

Cybersecurity isn’t just about protecting against future losses due to cyber victimization. Many software development projects face significant regulatory burdens. They must validate their compliance annually to keep the software in the field or even stay in business.

Cybersecurity forms a big part of that compliance burden, providing regulators and users some level of assurance that the developers have done their best to ensure that a cyberattack won’t be successful — a nice assurance to offer before users entrust the software with sensitive data.

Regulations your software may need to comply with include:

PCI DSS. The Payment Card Industry Data Security Standards (PCI DSS) apply to software solutions that store users’ payment card info (credit card, debit card, etc.).

HIPAA. The Health Information Portability and Accountability Act of 1996 requires certain security standards for software that stores sensitive medical records.

ISO/IEC 27001. ISO 27001 (and its European counterpart IEC 27011) is one of a number of standards for creating an Information Security Management System (ISMS), a system for maintaining the integrity of your software.

Secure Software Development Key # 4. Be Obsessive About Authentication and Encryption

Many software security best practices boil down to authentication and encryption.

Authentication refers to confirming that the user is who they claim to be — that is, the authorized and good-faith user of that software, and not an imposter, attacker, or “bot” (robotic program).

Encryption refers to the practice of scrambling data into a code that looks illegible to an outside user. As with codes used in wars, an encrypted message can be unlocked with a “key,” which interprets the encrypted code based on a set of cryptography rules to reconstruct the original message. The key, of course, must be carefully guarded from the prying eyes of potential cybercriminals. Encryption is going on in the background of nearly every digital transaction, without the user noticing.

When we say you need to be obsessive about authentication and encryption, we mean obsessive. Leave no stone unturned — your software should be as airtight as a spacesuit if you can help it. Vectors of authentication and encryption to focus on include:

Multi-Factor Authentication

Multi-factor authentication (MFA) has become a standard feature of anti-cybercrime protocols and is now required to comply with many regulations. MFA thrives in an environment where it is expected that people have multiple devices, unique to them, which can be used to verify their identity using master passwords and biometrics.

Traditional authentication required two factors — a username and a password. Hence the name “two-factor authentication” (2FA).

MFA adds an extra layer of security in the form of the time-based one-time password, which must be sent to the user externally, often by SMS text message or email. This password expires after a relatively short period of time — say, 90 seconds. If the user doesn’t perform that authentication in that amount of time, a new time-based one-time password must be generated.
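
The expiry behaviour described above can be seen in a short server-side sketch, added here as an example and not taken from the original article. It derives the code with the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) using the 90-second period mentioned in the paragraph; the class name OneTimeCodeVerifier is hypothetical and the secret is the published RFC 4226 test key, used so the results can be checked against the RFC's table.

```python
import hashlib
import hmac
import struct

def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)

class OneTimeCodeVerifier:
    """Hypothetical per-user verifier: one secret, one time step, no reuse."""

    def __init__(self, secret: bytes, step: int = 90):
        self.secret = secret
        self.step = step          # seconds a code stays valid at most
        self.last_counter = -1    # highest time step already accepted

    def issue(self, now: float) -> str:
        """Code for the time step containing `now` (what gets sent out)."""
        return one_time_code(self.secret, int(now) // self.step)

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now) // self.step
        expected = one_time_code(self.secret, counter)
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False          # wrong code, or issued in an earlier step
        if counter <= self.last_counter:
            return False          # already used once in this time step
        self.last_counter = counter
        return True

# RFC 4226 Appendix D test secret; never use a published key in production.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OneTimeCodeVerifier(RFC_TEST_SECRET, step=90)
    code = verifier.issue(now=100)               # time step 1 covers 90..179
    print(code, verifier.verify(code, now=179))  # still inside the step
    print(verifier.verify(code, now=179))        # replay of the same code
    print(verifier.verify(code, now=180))        # step 2 has begun: expired
```

A code is valid only until the end of the 90-second step it was issued in, so one issued late in a step expires sooner than 90 seconds after sending.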

MFA can be applied to both consumers and employees — whoever the user is, MFA is essential to tightening up your authentication protocol.

Encryption of All PII Data

PII data refers to personally identifiable information — any information that can be linked back to the person who entered it. Social Security numbers, driver’s license numbers, and healthcare information qualify as PII.

An obsessive commitment to data security, especially the security of sensitive user data, must include a commitment to encryption of all PII. Encryption involves the scrambling of this data into a code, which can only be unlocked by a data key that only authorized users can access.

CAPTCHA Security

You have probably executed hundreds of CAPTCHAs without understanding that you are participating in a dance that has staved off countless cyber attacks. Comedian John Mulaney jokingly called it the “Robot Test,” and he wasn’t wrong.

A CAPTCHA is a test that requires human input. It is meant to stave off brute-force attacks where cybercriminals use automated (“robotic”) programs to repeatedly try thousands of different passwords from multiple email accounts, in hopes of gaining access or producing an error response that they can exploit.

In addition to stopping certain robotic attacks, CAPTCHA tests prevent other forms of mischief that shady users might try to perpetrate, including spamming comment sections with nonsensical or provocative comments and mass-buying tickets for scalping or other nefarious purposes.

Conclusion

Because it affects everyone, a commitment to cybersecurity is everyone’s responsibility. The development team and all stakeholders for custom software solutions need to take that responsibility to heart, for the sake of the users and the organization.

This means a commitment to best tools and practices, constant vigilance, and recruiting outside help where needed. By making this commitment, software developers will play a key role in making sure that the benefits of software remain with us for generations to come.

If you have questions about secure development as it pertains to your software needs, contact Liventus today.

Dan Levin is president and co-founder of Liventus.