In 2013, Yahoo! suffered a data breach that exposed 3 billion — not million, billion — data records. At the heart of this and other costly breaches are vulnerabilities. As was the case with Yahoo!, even the biggest players can overlook crucial weak spots in their technology stack. Software developers therefore need to be particularly careful: an otherwise secure system can be compromised by a component the dev team is responsible for, ruining reputations and stifling revenues. However, by treating software as layered technology, you can systematically reduce or eliminate vulnerabilities. Read on to learn how.
How Software as Layered Tech and Security Intersect
Some may gravitate toward relegating security to a mere afterthought, as in, “Here’s what we’ve made. How do we make it secure?” However, using the principles behind the layered view of software, you can prioritize security and enhance and maintain it throughout the development lifecycle.
The Key Element: Quality
Identifying security as part of the quality assurance element of software as layered tech puts it front and center in your development process. One of the benefits of the layered view of software is that each principle, quality especially, is revisited at various points in the development process. Incorporating security as a quality standard forces your team to reevaluate the safety of your app repeatedly, at each phase.
How to Incorporate Security in Each Phase of Development
Regardless of whether you use Agile or waterfall to drive your development, the core elements of the lifecycle are generally the same:
- Planning and conceptualization
- Design and architecture
- Implementation
- Testing and bug mitigation
- Release and product maintenance
Here’s how you can incorporate security principles and features in each phase:
Planning and Conceptualization
In the planning and conceptualization phase, you can:
- Define security objectives for the project by asking questions like, “Which kinds of threats are most likely to be leveled against this app, and how can we stop them?”
- Identify relevant compliance standards. These may include the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and others.
- Organize a list of what your app will need to meet its security objectives, according to technical and regulatory standards.
- Provide training for developers and others involved in the project. It’s best not to presume they have the knowledge they need, and addressing gaps early on can prevent issues down the road.
Design and Architecture
During the design and architecture phase, you can:
- Use threat modeling to identify attack surfaces and techniques.
- Evaluate the design documents, looking for potential security issues in the code and infrastructure of the app.
- Pay close attention to third-party apps that may introduce vulnerabilities, either due to their own weaknesses or the way in which they interface with your application.
Implementation
During the implementation phase, programmers are doing the actual coding of the app. To incorporate security at this critical phase, you can:
- Provide a list of common mistakes programmers should avoid, such as storing passwords unencrypted or otherwise improperly securing them.
- Use static scanning tools to review freshly written code and identify vulnerabilities before incorporating it into the application as a whole.
- Manually review code to look for vulnerabilities. This may take some time, but a manual review can catch issues an automated system hasn’t been programmed to identify.
Testing and Bug Mitigation
Instead of merely testing the app to see how well it works during this phase, you can also check it for vulnerabilities. To do this, you can:
- Use a dynamic application security testing (DAST) tool, which simulates attacks by hackers. You can reduce the number of false positives using interactive application security testing (IAST) tools as well. With DAST combined with IAST, you identify not only the existence of a vulnerability but also its source.
- Fuzz test your application, which involves generating random inputs and seeing how the application holds up.
- Use penetration testing, which is when you invite a third-party team of security specialists to simulate attacks on your app.
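A minimal mutation fuzzer illustrating the fuzz-testing step above. This is an added example, not part of the original article; the record format, both parsers and all names are hypothetical, and the seed input is constructed.

```python
import random
import struct

class ParseError(Exception):
    """Controlled rejection of malformed input (the acceptable failure)."""

SEED = b"\x01\x00\x05hello\x02\x00\x03abc"  # constructed: two [type][len16][UTF-8] records

def parse_naive(data):  # hypothetical target that trusts its input
    out, i = [], 0
    while i < len(data):
        (length,) = struct.unpack_from(">H", data, i + 1)  # header may be cut short
        out.append((data[i], data[i + 3:i + 3 + length].decode("utf-8")))
        i += 3 + length
    return out

def parse_hardened(data):
    """Same format; every malformed case becomes a ParseError."""
    out, i = [], 0
    while i < len(data):
        length = int.from_bytes(data[i + 1:i + 3], "big")
        if len(data) - i < 3 or len(data) - i - 3 < length:
            raise ParseError("truncated header or value")
        try:
            out.append((data[i], data[i + 3:i + 3 + length].decode("utf-8")))
        except UnicodeDecodeError as exc:
            raise ParseError("value is not valid UTF-8") from exc
        i += 3 + length
    return out

def mutate(seed, rng):  # overwrite 1-4 random bytes, then sometimes truncate
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.3:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, runs=3000, rng_seed=1):
    """Return {exception name: first input that raised it}; ParseError is expected."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(runs):
        case = mutate(SEED, rng)
        try:
            target(case)
        except ParseError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Crash-only fuzzing like this does not flag the naive parser silently accepting a length that overruns the input; the hardened parser rejects that case explicitly, which is why fuzzing complements rather than replaces code review.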
Release and Product Maintenance
After the product goes live, you have to ensure customers enjoy a secure experience. While it can be difficult to control who upgrades to newer, more secure versions of your app, there are some things you can do to enhance security, such as:
- Monitor the application’s entire ecosystem for attacks.
- Create an incident response strategy, which outlines what your security team will do if the app or its infrastructure gets hit with different kinds of attacks.
- Perform continuous security checks.
You protect your product, its users, and users’ devices by taking these steps. You also safeguard your organization’s reputation and its dev team while maximizing the end-user experience. To stay on top of the latest cybersecurity developments, tools, and strategies, you can connect with the IEEE Computer Society. As an association of professionals at the cutting edge of technology, the IEEE Computer Society is a dynamic resource for the latest and greatest tech insights.