Ten tips for application security
Business and society are increasingly application-driven, so application security is in everybody's interest. (Many of these principles, by the way, are applicable to software development in general, not just to security, so applying them will have far-reaching benefits.)
These are my top 10 principles for application security:
1. Secure by design, detect by test
Use threat models intelligently to help development teams understand the attacks their software is likely to experience - and then challenge them to code defensively. When teams follow this principle, testing becomes a way of assessing how well they responded to this challenge, and not a way of identifying gaps that then have to be fixed.
2. Don't rely on fixing vulnerabilities, prevent them from occurring in the first place
This principle is the corollary of the first. I've included it to emphasise the profound change in mind-set that is required. Prevention is not only better than cure, it's much cheaper too!
3. Automate security testing
The traditional practice of developers testing each other's code, and even utilising a penetration tester at the end of the process, is no longer adequate. The complexity of the threat landscape, and the volume and velocity of applications required, are simply too great. Automated testing is much less error-prone, and can be run repeatedly throughout the development cycle - from the very first day, in fact.
4. Give the right information to the right people
There are various stakeholders within the software development life cycle, and each needs to be fed appropriate security information. For example, developers need security information relating to the source code, whereas the operations team needs information pertaining to configuration. Every effort should be made to feed the test results back to the correct stakeholders.
5. Find vulnerabilities as quickly as possible
Defensive coding based on a clear understanding of the potential threats will help to reduce the occurrence of security vulnerabilities (first principle above), and automation will ensure testing is not relegated to the end of the process (third principle). It's all in the name of ensuring any vulnerability is detected early on so the fix is part of the source code rather than an Elastoplast applied later.
6. Improve every day
There's no shame in making a mistake; everyone does - but software teams should work towards ways of never making the same mistake multiple times.
7. Analyse software and threats from many angles
When teams are looking at ways to avoid vulnerabilities or interpreting test results, be wary of easy consensus. Great care must be taken to examine things from many angles in order to arrive at the best solution and avoid blind spots. This might just be the most difficult principle to put into practice.
8. Leave room for people to prove you wrong
In science, a theory is only considered strong if it is able to be disproved. Similarly, in software development, it's vital for teams to keep in mind that there is always a different - and possibly better - way of doing things. This principle ultimately promotes deeper, richer collaboration across the whole team.
9. Help colleagues to help themselves
The idea here is not just to help colleagues, but rather to give them the tools to help themselves next time around. This principle is particularly relevant to team leaders, but it applies to everybody. The goal is for each team member to be self-sufficient.
10. Make sure everything is tailored to the particular environment
When developing software securely, it's critical not to waste time, effort and money on trying to do everything. Profile the environment in which the piece of software will be operational, and thus the likely threats, and focus on securing it within that context.
Applications are central to both business and government. As such, they have become a favoured target for hackers. By learning how to integrate security into the way these applications are created, software development teams have a critical role to play in enabling the application economy.
Godfrey Kutumela has over 16 years' experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM's application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC)² Gauteng Chapter since May 2015.