Despite news of devastating cyber attacks seemingly every other week, cybersecurity remains an afterthought for many IT professionals. In far too many cases, security falls by the wayside during the software development life cycle for custom projects, which means that these companies are setting themselves up for the legal, financial and reputational damages of a cyber attack.
It's not enough to rely on your belief in "security through obscurity" by hoping that no malicious actors will take notice of your software. As soon as you've decided to develop a custom-built software application rather than use an off-the-shelf solution, you need to understand what steps you need to take to make the application secure. Whether you're doing the development in-house or using an outsourcing firm, here's an in-depth overview of what you need to know. It's time to start thinking "Secure Software Development" instead of just "Software Development."
Let's talk about custom software solutions to meet your business goals.
Outsourced Secure Software Development
If you're considering partnering with an IT outsourcing firm, come prepared to your next meeting with a list of questions about their security practices. These questions should include:
- Do you actively maintain the existing systems that you've built by applying patches and checking for problems?
- Do you scan your existing code for vulnerabilities? How often do you go back and review code manually to make sure that there are no vulnerabilities?
- What are your policies for usernames and passwords when logging into a website? Do credentials expire? How can users reset their password?
Security through ignorant bliss is hardly an option for companies that use custom-built software. Even if you do nothing about them, vulnerabilities still exist in your code base. It's easy for a custom-built application to get hacked even years after it was completed if you do nothing to maintain the code and don't check for problems. You should be setting aside a part of your budget every year to review the code for security problems as an essential part of the software development lifecycle.
Be wary of any software development firms that make unrealistic promises about being completely free of security flaws. Even the best development teams overlook things and make mistakes. What's more, just because the application you're using is secure doesn't mean that the other applications that it interacts with are the same way.
At a bare minimum, the development firm that you partner with should be willing to follow best security practices, such as offering their code up for analysis by a third party. New vulnerabilities appear and are discovered all the time, and it's not always possible for every development team to stay on top of them. As we'll discuss later in the piece, getting another set of eyes on the code base is a smart insurance policy.
If you're developing a custom software application in-house rather than working with an outsourcing firm, many of the above concerns still apply. Some of the best practices for IT security when doing software development include:
- Start early so that you can anticipate problems well in advance. Even during the requirements phase, you should create a security risk assessment of your current IT environment as well as a risk profile of the proposed application that identifies potential attack surfaces and security risks.
- If you have forms on your site that users fill out, make sure that these are scrubbed of bad data. Sanitize user input and only use stored procedures when doing database calls so that you can protect yourself against two of the most common attacks: cross-site request forgeries and SQL injection attacks.
- In addition to a full-fledged unit testing suite, use penetration testing during the testing and QA phases to probe the application for vulnerabilities and security defects.
If you're in need of additional guidance, consult a list of guidelines such as OWASP's Secure Coding Practices Checklist, which cover everything from authentication to database security.
Depending on your company's industry and functionality, you should follow one of the accepted frameworks for cybersecurity and data protection, such as the NIST cybersecurity framework, HIPAA for medical patient data or PCI for payment card information. Not only do these frameworks make it clear what steps you need to take to safeguard your users' data, they can also come with fines, penalties and legal action for noncompliance.
Secure Software Development: Third-Party Code Checks
Whether you're using outsourced or in-house developers, it's never a bad idea to get a second opinion when it comes to IT security. This is the thinking behind third-party code checks, which are offered by companies such as Qualys and Trustwave.
After you provide a whitelist of trusted IP addresses, these services run vulnerability scans at specific times on your servers and applications. Upon completion, you receive a report that describes which resources exactly were scanned and the results of the scans. These tests are typically run at least once a month. If the target is of higher visibility or your code has changed drastically, then it should be scanned more often, perhaps even each time the application is deployed.
For example, any decent third-party code checker should test for vulnerability to SQL injection attacks via form fields on a website. These services can not only tell you the SQL injection tests that they performed, but also whether they were successful and in which locations.
The reports generated by these third-party services typically separate concerns into separate categories depending on the issue's severity, such as high, medium and low. Of course, issues of high priority are most often addressed first, followed by those of medium priority. Low-priority issues, however, usually aren't addressed unless they start to become a larger concern.
However, it's often true that even some high-priority issues aren't able to be addressed because they would harm the business as a whole. Even if you detect a vulnerability through a scan, for example, taking the risk of leaving it alone might be less expensive than fixing it in terms of time, money, effort and the negative business impacts down the road.
Far too many companies see security as a thing that's nice to have in custom software development when it's really a necessity. Of course, the importance of good IT security will vary depending on the application. Although they should certainly still be scanned on a regular basis, internal applications like an intranet that are well locked down without a public face constitute a lower priority. On the other hand, Internet-facing applications that use a popular platform such as WordPress should be scanned early and often, because the vulnerabilities in them are large and easily exploited.
If you're considering the route of outsourcing your software development, you owe it to your business to bring up security in your next meeting with custom software developers. Just like taking out an insurance policy on your building and physical assets like your computers, you should invest the money and effort you need to protect your IT assets from harm.
Many companies live and die by their online presence, and even an outage of a few hours can have a drastic effect on their profit margins. Just by taking the step to budget and spend some money on IT security, you're proactively ensuring that your business faces as little cyber risk as possible.