Ramkumar Ramachandran, Head – Quality & Testing, Groupe Renault, explains why it’s time to act now and build secure code from the beginning.
Software security has always been misconstrued as ‘IT security.’ Whenever people are asked “Is your software secure?” the answer is “We have a firewall!”
Well, it is high time people become more knowledgeable!
With the advent of the digital age, almost all software applications are on the web and mobile, and this leads to applications falling prey to attacks from various corners, where people are continuously sniffing for such vulnerable software.
Many enterprises also work with the false comfort that ‘my application is not external facing and thereby not prone to attacks’. OWASP – the most popular online security community – says that many internal-facing applications have also been prone to attacks, more than we think.
It is not inconceivable that a few odd-sounding cyber news stories would start becoming headlines across the globe. My creative mind is suggesting some possibilities below:
- ‘Delivery drone gets hijacked in mid-air’
- ‘GPS gets confused as Maps are distorted’
- ‘Implanted pacemaker gets remote controlled’
- ‘Malware cross credits salaries’
- ‘Bride turns out to be holographic image’
While this is from my wild imagination, it is naïve to think this is not going to happen. This could happen and could happen very soon.
The security architecture
In the simplest form, attacks on software applications happen after the network and operating system have given way.
The Lloyds Insurance CEO puts the cost of cyber crime to businesses at US$400 billion a year. This shows how much is at stake for businesses and how important it is to secure our software applications.
Security threat modelling – the start
It is important to carry out security threat modelling before we jump into a security review of the source code. While threat modelling is primarily to safeguard enterprise interests, it should be carried out from the Attacker’s Mindset rather than the Defender’s Mindset.
Describing threat modelling is beyond the scope of this post, but entities like OWASP have resources that could help in doing effective threat modelling. Security threat modelling should consider the following:
- Sources of threats.
- Attack surface – defined through the application’s internal and external interfaces.
- Possible attacks – where the salvo can be served from.
- Potential business/technical impacts.
- Required controls – this is decided based on the organisation’s risk appetite.
CyberSecurity Market Ventures projects an expenditure of US$1 trillion on cybersecurity initiatives from 2017 to 2021.
Build the right team
It is important that you build the right team to secure your software applications. You will need team members who have expertise in thinking creatively about how an attacker can cause damage, and in implementing controls.
It is not technical skill alone that makes a person a good security auditor/reviewer, but the ability to understand the business context and review the applications that matter most.
Just a small addendum: DevOps stresses the security of applications, and there is a new branch of it called DevSecOps that is becoming strong. Software security is a moving target: ‘what was strong yesterday is fully vulnerable today’, and that’s the fun in it!
What I’ve given here is the start; there is more to secure software development.