Security by Design

03/09/2019 by Sojournercntl

This describes a type of software and hardware development in which IT security is taken into account from the start of the development of products and solutions. The aim is to make the product as resistant as possible to attacks. Not all developers are enthusiastic about it, though. Many don't want to be slowed down by security issues. This is why there is often resistance to integrating security departments into the development process - for example in the form of DevSecOps.

Changing concepts of security

There must be a fundamental rethink. When developing applications for a company, developers all over the world complain on a daily basis that security slows down the process and that it would be faster to add security precautions afterwards.

Security must not be seen as an additional component that is retrofitted or bolted on, but as a function of equal rank from the outset - like all other performance requirements that need to be implemented. If it were a normal part of development, it would no longer be perceived as a brake.

Calm mediators are demanded

In order to bring security and development closer together, a special skillset is required on the security side. Developers are artists who have to work creatively and relatively freely to accomplish their tasks. They set different priorities from security staff, whose work is geared to protection. Put simply, this is a solution-oriented view versus a problem-oriented view.

If the change in thinking is to take place and actually be lived, it is important to bring together employees who know both sides. Security people who are developers themselves know the challenges of the development process. They can assess how the processes can best be adapted to reconcile the security required with the creativity needed.

The role of these intermediaries is to keep an eye on the interaction between the departments during development. Developers shouldn't feel that security is now monitoring them permanently - this hampers their creative work. Rather, the IT security experts should act as supporters.

In order to carry out these tasks and be able to talk to both parties as equals, those who cross between the two worlds need a certain character. They should be objective and calm. Problems must be discussed realistically and with a sense of proportion in the teams. It is important to emphasize success in a positive way instead of stirring up fear of misconduct. Responsible employees with such qualities improve the chances of successfully introducing Security by design.

Security by design is not expensive

The introduction itself initially requires investment. However, this is also the case with any other new development method, such as Scrum, and in the long run the costs are negligible. A general image problem of IT security poses additional challenges, however. Security is largely invisible and only becomes visible when it fails. Necessary investments are regarded as pure cost factors. And since security is often used as an argument to get more money for projects, it is perceived as "expensive".

Integrate security managers from the start

In order for security to become part of the development process, it must be considered from the outset. Those responsible for security should be brought to the table as soon as the first ideas for a new project are being gathered. The requirements for functions, performance and security are then defined together with all other participants. It is the task of the security experts to ensure that the features comply with legal requirements such as the DSGVO (GDPR), but also with internal policies and industry-specific requirements. In addition, it is important to determine the appropriate level of protection for the product and thus also the necessary security effort and costs. A feasibility study or a risk assessment can help here.

As a result, an idea may not be implemented as planned for security reasons. If this is the case, development and security should explore alternatives together, adapt the concept or - if no feasible solution can be found - put the idea aside.

It is helpful here if this process is captured in a structured interview guideline. If security aspects have been defined at an early stage and embedded in the general development process, the prejudice that security slows things down can be avoided. In addition, a formalized questionnaire helps to establish security as a standard component in the long term.

In order to introduce security by design as a new way of thinking in the company, both knowledge of what needs to be considered with regard to security and awareness that security plays a central role are required.

Security tests must run continuously

During development, both functionality and security must be continuously tested. Penetration tests are a good choice.

The risk assessment also defines the types of attack to which the software or device could be exposed. In the various development phases, it is important to test the software again and again and to eliminate any defects at an early stage. Test procedures such as Dynamic Application Security Testing (DAST), which exercises the HTTP and HTML interfaces of a running web application, or Static Application Security Testing (SAST), which analyzes the application code, are also available.

These tests are an integral part of the development process and serve to determine whether the security level meets the requirements. It is important to keep in mind that there is never one hundred percent security. The desired security level depends on the requirements and risks defined at the beginning.

Once the respective development phase has been completed, a final security acceptance must be carried out by the security team, including practical acceptance tests. Depending on the result, the testers must also analyse the remaining residual risks and derive risk-minimizing measures.
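The section above says the desired security level is whatever was defined in the initial risk assessment, that findings must be eliminated early, and that residual risks must be analysed at acceptance. The following is an added example, not code from the article or from any particular scanner, showing how that agreed level can be enforced as a release gate on every build: SAST and DAST findings are checked against a policy that states which severities block, how many medium findings may stay open, and which residual risks were consciously accepted and until when. The findings format (dicts with tool, severity, rule, location) and the policy fields are assumptions constructed for the example.

```python
"""Risk-based release gate over SAST/DAST findings (added example).

Assumptions: findings are dicts with the keys tool, severity, rule and
location (a constructed, tool-neutral format, not any scanner's real output);
accepted residual risks are keyed by rule name and carry an ISO expiry date,
so an acceptance that was never re-reviewed starts blocking again.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample output of one SAST run and one DAST run against a staging host.
SAMPLE_FINDINGS = [
    {"tool": "sast", "severity": "high",   "rule": "sql-injection", "location": "app/db.py:42"},
    {"tool": "sast", "severity": "medium", "rule": "weak-hash-md5", "location": "app/auth.py:17"},
    {"tool": "dast", "severity": "low",    "rule": "missing-hsts",  "location": "https://staging.example/"},
    {"tool": "dast", "severity": "high",   "rule": "reflected-xss", "location": "https://staging.example/search"},
    {"tool": "sast", "severity": "info",   "rule": "todo-comment",  "location": "app/util.py:3"},
]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
REVIEW_DATE = "2019-09-03"  # constructed evaluation date used by the examples below


@dataclass
class RiskPolicy:
    """Security level agreed at project start (hypothetical fields)."""
    block_at_or_above: str = "high"   # severities at or above this always block a release
    max_open_medium: int = 0          # how many unaccepted medium findings may remain open
    accepted: dict = field(default_factory=dict)  # rule -> ISO expiry date of the acceptance


@dataclass
class GateResult:
    passed: bool
    blocking: list              # findings that stop the release
    accepted: list              # findings covered by a valid residual-risk acceptance
    expired_acceptances: list   # findings whose acceptance has lapsed and needs re-review


def evaluate(findings, policy, today=REVIEW_DATE):
    """Apply the risk policy to a list of findings and return a GateResult."""
    today_d = date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    blocking, accepted, expired = [], [], []
    medium_open = 0
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], 0)
        expiry = policy.accepted.get(f["rule"])
        if expiry is not None:
            if date.fromisoformat(expiry) >= today_d:
                accepted.append(f)      # consciously accepted residual risk, still valid
                continue
            expired.append(f)           # acceptance lapsed: treat as an open finding again
        if rank >= threshold:
            blocking.append(f)
        elif f["severity"] == "medium":
            medium_open += 1
            if medium_open > policy.max_open_medium:
                blocking.append(f)
    return GateResult(passed=not blocking, blocking=blocking,
                      accepted=accepted, expired_acceptances=expired)


def summarize(result):
    """Human-readable report for the build log; returns the text rather than printing it."""
    lines = ["RELEASE GATE: " + ("PASS" if result.passed else "FAIL")]
    for label, items in (("blocking", result.blocking),
                         ("accepted residual risk", result.accepted),
                         ("expired acceptance", result.expired_acceptances)):
        for f in items:
            lines.append(f"  [{label}] {f['tool']} {f['severity']} {f['rule']} at {f['location']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Strict policy as defined at project start: no accepted risks yet.
    print(summarize(evaluate(SAMPLE_FINDINGS, RiskPolicy())))
    # Same findings after the acceptance review: one high finding accepted until 2030,
    # one medium acceptance that already expired and therefore blocks again.
    reviewed = RiskPolicy(accepted={"sql-injection": "2030-01-01",
                                    "weak-hash-md5": "2019-01-01"})
    print(summarize(evaluate(SAMPLE_FINDINGS, reviewed)))
```

The gate fails the build until every blocking finding is either fixed or explicitly accepted with an expiry, which is the "analyse residual risks and derive measures" step made machine-checkable; expired acceptances are reported separately so that a re-review is forced instead of a risk silently living on.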

Continuous security updates

When the product or the new software version is in use, the task is to maintain the security level achieved. Against the background of ever new and cleverer threats, patch hygiene is crucial. Updates addressing emerging attack vectors must be delivered and applied promptly.

When it comes to incorporating new features into a product, the same mechanisms should apply as for a new development. The team must identify risks and requirements and weigh them against each other. For example, is it absolutely necessary to connect an application to other solutions or even critical systems? Does this create new entry points that require additional protective components? Does the new functionality require that additional regulations or policies be observed and implemented? During further development, the various stages of the new version must be regularly tested for weaknesses in relation to the risks identified and adapted where necessary.

Since no product is 100 percent secure, monitoring solutions in companies or infrastructure monitoring via a Security Operations Center (SOC) ensure continuous protection between updates. This allows new vulnerabilities and attacks to be detected promptly and countermeasures to be taken until a patch closes the gap in the solution itself.

Legacy protection needs more effort

In addition to new, securely developed applications and products, companies often have older, less secure solutions that cannot be replaced or modified for technical or cost reasons. This can be a specialized OT application or the ancient legacy system on which an entire business process depends. The question then is how these components can be brought up to the required security level.

Solutions for such problems are relatively expensive and require a lot of effort, because they have to be monitored permanently. Often the only way to ensure a certain level of security is to build a modern "security fence" around legacy applications and infrastructure.

Entrepreneurs must be aware of the risks

In conclusion, it can be said that there is no universal solution for the implementation of Security by design that can meet every challenge. It is always a question of having the right basic attitude, which is actively lived by all those involved. The rest comes all by itself.

The biggest mistake companies make is to believe that they don't need the level of security provided by Security by design because there is nothing worth stealing. This argument is no longer tenable today. Attackers target startups, SMEs and corporations alike.
