Nine Steps to Building Secure Software

by Craig Risi on Security • April 13, 2021

Cybersecurity may be improving all the time, but it is increasingly outmatched by the ingenuity and creativity of hackers, who keep finding new ways to discover and expose vulnerabilities across very complex ecosystems. We’ve seen some big hacks over the past few years across many industries, and now there is yet another big one that has impacted Microsoft and its Exchange Server, which manages emails and web access for thousands of companies.

There is perhaps no greater area that companies need to focus on than security. The risk of stolen data and code, and the potential downtime issues it may cause, are not just a massive inconvenience but can also cause financial and reputational damage. This is why companies invest so much money in security professionals and systems to reduce the risk of any breaches occurring.

Of course, the larger the company, the more complex the problem. With more people, systems, and access gateways involved in a large company, there are more opportunities for failure, and a greater surface area exposed to attack. Essentially, as systems scale and companies grow, security becomes more difficult to monitor.

It is possible, however, to build a secure system. Below are some important areas of consideration for companies to proactively remain on top of their security game rather than react to vulnerabilities when it’s too late.

1. Track Your Assets

I’m not referring to your hardware here, although you should track that too. Tracking your assets means knowing which servers you are using for which applications and which containers are deployed onto which architectures. Getting this wrong can often mean not only deploying the wrong software to the wrong places but, more importantly, not managing your security appropriately and leaving vulnerabilities where they shouldn’t exist.

2. Stay on Top of Your Patching

Technical debt is one debt you don’t want to fall into in the software world, and failing to keep up-to-date with it can be detrimental. If new patches that address security issues are available, install them as soon as possible. While this could be disruptive to the efficiency of your development, keeping your systems secure should not be compromised in any way.

3. Manage Your Containers

If you want to build, test, and deploy your software at scale, chances are that you are making use of containers. Containers are generally believed to come with security advantages considering their self-contained OS environments and that they are segmented by design, all of which lower the risk level to other applications. However, containers still face risks from exploits, such as a breakout attack, where the isolation is broken. Also, the code stored within the container may itself be vulnerable; therefore, running regular scans across all your containers is vital.

4. Automated Scanning

In a DevOps world where we are looking to deploy code to production as often as possible, we can’t overlook checking our security each time we take code into production. The only way to do this is to have a variety of different automated scans that can identify potential vulnerabilities and secure coding mistakes. This is not necessarily because your team is making the mistakes, as these days 60–80% of any given codebase consists of open-source modules or applications. Open-source modules or applications are prime areas for vulnerabilities that need to be detected before deployed into production.

There are the usual OWASP scans that scan the code in a particular repo as it gets built, but there are also things like static application security testing (SAST) and dynamic application security testing (DAST), which can be useful in finding critical errors.

5. Penetration Testing

Despite the above automated scans, it’s likely things will still get missed, and while you can’t do penetration testing all the time, you should do it regularly. Challenge experts to explore ways of trying to identify critical information that allows them to gain access to a critical system or client data.

6. Practice Secure Coding

I’m not going to go into specifics here because there is a lot behind this topic, but it should go without saying that the best way to build software that is secure is from the code itself. There are patterns and ways of architecting systems and writing code that will make your applications more secure and resilient.

7. Encrypt

Needless to say, in this day of data privacy, you cannot ignore the basic standards of data and software encryption to ensure that nothing is exposed. You need to make sure that all environments have the right encryption and hashing protocols in place for the safe and secure transfer of data and information between your different applications and servers.

8. Manage Privileges

When it comes to privileges, follow the principle of least privilege, which calls for companies to give employees access to only the data they need. While many start-ups like to play loose and free with this under the illusion that they are empowering their staff to make the decisions they need, it’s an area that needs critical attention. It is advised that companies regularly review their access controls and make sure that there is no user with unnecessary power or access.

9. Prioritize Your Remediation Ops

Sadly, with vulnerabilities only growing in numbers across the software world, it is necessary for companies to prepare themselves to react to these concerns as they arise. To do this means a strong assessment of the version across both your proprietary and third-party code to quickly identify where vulnerabilities exist and a task team that can remedy them quickly.

Conclusion

The journey to secure software systems is a complex one, and there are no shortcuts or one-off tools that can prevent these problems for you entirely. However, there are many solutions that can make a significant impact, and it’s important for any organization to consider a multi-pronged strategy to address all these critical areas or potentially run the risk of learning a very expensive lesson in the future.