Keeping your security knowledge sharp

The UK National Cyber Security Centre (NCSC) has published eight secure development principles to help you improve and evaluate your own development practices and those of your suppliers.

https://www.ncsc.gov.uk/collection/developers-collection

Secure development principles:

1. Secure development is everyone's concern

Genuine security benefits can only be realised when delivery teams weave security into their everyday working practices. Effectively embedding security in the development process is likely to require cultural change.

2. Keep your security knowledge sharp

Creating code that is capable of withstanding attack requires an understanding of attack types and of defensive security practices. Your level of understanding in these areas must be regularly updated if it's to remain useful.

Use a shared collaboration and publication platform to record what the team has learned and to track which topics each developer has covered.

Favourites: Notion (https://Notion.so), Slite (https://slite.com), Coda (https://coda.io)

3. Produce clean & maintainable code

Your code needs to be consistent, well structured and documented. If you or your suppliers fall short here, security suffers too, because complexity hides bugs, and some of those bugs will be security vulnerabilities.

Tip: Create a coding playbook or style guide for your business and keep it in the same tools listed under principle 2.

4. Secure your development environment

There is sometimes a perceived conflict between security and usability. In today's environment that is not an excuse for leaving developer workstations, build hosts and tooling weakly protected.

Read up on the established design patterns and bake security in from the start, paying particular attention to the end-user devices your developers work from.

https://www.ncsc.gov.uk/collection/end-user-device-security

5. Protect your code repository

Your code is only as secure as the systems used to create it. As the central point at which your code is stored and managed, it's crucial that the repository is sufficiently secure.

6. Secure the build and deployment pipeline

The security of this process is critical if you need to protect the integrity of your code and the systems it builds. Security should, however, work with this process, not hinder it.

Tip: Embrace 'DevSecOps' approaches, which build security checks into the pipeline itself so that confidence in your services is gained continuously rather than at a final sign-off. https://www.devsecops.org/
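One concrete way a pipeline can protect the integrity of what it builds is to refuse any fetched dependency or artifact whose SHA-256 digest does not match a manifest committed alongside the code. The script below is an added example written for this article, not NCSC guidance or tooling from the author; the manifest entries, artifact names and downloaded bytes are constructed for illustration, and a real pipeline would load the manifest from a signed file in the repository.

```python
"""Fail-closed integrity check for build inputs.

Added example (not part of the NCSC collection). Assumes the repository
carries a pinned manifest of SHA-256 digests and that every fetched
artifact is verified against it before the build touches it. All names
and byte strings below are constructed sample data.
"""
import hashlib
import hmac
from typing import Dict, Mapping


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: artifact file name -> expected SHA-256 hex digest.
# In practice this file is committed (and ideally signed) with the code,
# so a tampered download cannot also rewrite its own expected digest.
TRUSTED_MANIFEST: Dict[str, str] = {
    "libparser-1.4.2.tar.gz": sha256_hex(b"libparser 1.4.2 contents"),
    "build-tool-0.9.0.zip": sha256_hex(b"build-tool 0.9.0 contents"),
}

# Constructed stand-ins for bytes fetched during the build.
FETCHED: Dict[str, bytes] = {
    "libparser-1.4.2.tar.gz": b"libparser 1.4.2 contents",            # genuine
    "build-tool-0.9.0.zip": b"build-tool 0.9.0 contents + backdoor",  # tampered
    "unknown-plugin.whl": b"never pinned",                             # not pinned
}


def verify_artifact(name: str, data: bytes,
                    manifest: Mapping[str, str] = TRUSTED_MANIFEST) -> bool:
    """True only if the artifact is pinned and its digest matches.

    An artifact missing from the manifest is rejected rather than waved
    through: the build must not consume inputs nobody has vouched for.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking match position through timing.
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_all(fetched: Mapping[str, bytes],
               manifest: Mapping[str, str] = TRUSTED_MANIFEST) -> Dict[str, bool]:
    """Verdict per artifact, so the log shows exactly what was rejected."""
    return {name: verify_artifact(name, data, manifest)
            for name, data in fetched.items()}


def pipeline_may_proceed(results: Mapping[str, bool]) -> bool:
    """The build continues only when every input passed."""
    return all(results.values())


if __name__ == "__main__":
    verdicts = verify_all(FETCHED)
    for artifact, ok in verdicts.items():
        print(f"{'OK      ' if ok else 'REJECTED'} {artifact}")
    raise SystemExit(0 if pipeline_may_proceed(verdicts) else 1)
```

Run as a pipeline step, a non-zero exit code stops the build before a modified or unpinned input reaches the compiler or the deployment stage; the per-artifact verdicts give the on-call engineer something precise to investigate rather than a bare failure.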

7. Continually test your security

Testing during software development is well recognised as good practice. It helps you gain confidence that the code you are developing is functioning as intended. You can gain confidence in the security of your products and services in the same way.

8. Plan for security flaws

All but the very simplest software is likely to contain bugs, some of which may have a security impact. Having accepted the inevitability of such problems, make a plan to find and fix them.

https://www.ncsc.gov.uk/guidance/vulnerability-management