Securing Your Software - Be Ready, DON'T Get Ready
Software security has always been misconstrued as IT security. Whenever people are asked 'Is your software secure?', the reaction is "We have a firewall". :-) Well, it is high time people got more knowledgeable...!
With the advent of the digital age, almost all software applications are on the web and mobile. This leaves applications prey to attacks from every corner, where people are continuously sniffing for vulnerable software. Many enterprises also work with the false comfort that 'my application is not external facing and is therefore not prone to attacks'. OWASP - the most popular online security community - reports that many internal-facing applications have also been attacked, often more than is generally thought.
It will not be long before a few odd-sounding cyber news items start becoming headlines across the globe. My creative mind suggests some possibilities below: -
While this is from my wild imagination (if something like it is already happening, God Save The World), never think this is not going to happen. It could happen, and could happen very soon...!
The Security Architecture
In its simplest form, an attack on a software application happens after the network and operating-system layers have given way.
Lloyd's insurance CEO puts the cost of cyber crime to businesses at $400 billion a year. This tells how much is at stake for businesses and how important it is to secure our software applications.
Security Threat Modeling - The Start
It is important to do security threat modeling before we jump into a security review of the source code. While threat modeling is primarily there to safeguard enterprise interests, it should look more from the attacker's mindset than from the defender's mindset.
Describing threat modeling goes beyond this post's scope, but entities like OWASP have resources that can help in doing effective threat modeling. Security threat modeling should consider the following: -
- Sources of Threats
- Attack Surface - defined through the application internal & external interfaces
- Possible Attacks - where the salvo can be served from
- Potential Business / Technical Impacts
- Required Controls - decided based on the organization's risk appetite
CyberSecurity Market Ventures projects an expenditure of $1 trillion on cybersecurity initiatives from 2017 to 2021.
Build the Right Team
It is important that you build the right team to secure your software applications. The right people are those with expertise in thinking creatively about how an attacker can cause damage, and in implementing controls. It is not technical skill alone that makes a person a good security auditor / reviewer; the ability to understand the business context and review the application in that light matters most.
Just a small addendum: DevOps stresses the security of the application, and a new branch of it called DevSecOps is becoming strong. Software security is a moving target; what was strong yesterday is fully vulnerable today, and that's the fun in it...!
What I've given here is the start; there is more to Secure Software Development...! Happy Securing...!
#softwaresecurity #securecoding #csslp
Cover image credit: http://edgeone.com/wp-content/uploads/2015/07/software-security-pic.jpg
Dear Ram, nice article! Missing your gyan...
Good one, Ram.