Friday, 26 May 2017

Secure Software Development

Overview

Software development has been a profession taken as just a career but the solutions implimented have a high impact to users and the industry.
Not only should the intended solution be achieved but the new aspect of data security and integrity of the data must be maintained.The value of the solution should be based on Data integrity ,flexibilty,agility ,user confidence et al.
Applications are increasingly targeted by attackers, which demonstrates the need to build security into an application from the very beginning.  Thus the need to forge a secure and reduce risk in approaching a product develooment


Introduction

Developing secure software is critical to a company’s reputation and bottom line. The impact of a software malfunction or security breach can result in a massive recall, millions in lost revenue, the loss of sensitive customer data.
Faced with having to maintain software quality and security while accelerating innovation, companies with internal defined standard code development processes are looking for new ways to further reduce wholesome program risk. Traditionally, companies would perform security testing near the end of the software development lifecycle, before the product release but that process can put release schedules at risk and l defects found cost more to sort them out.
To more effectively address security, some of these companies are now adopting secure development lifecycle initiatives where security deliverables are inserted in all phases of development. As a result, companies are finding that the benefits of fewer security incidents, faster time to sort out issue incidents and earlier visibility into areas of risk far outweigh the costs of implementing these initiatives.

Developing secure software is still a challenge

Developing secure software is a tough challenge that confronts IT teams – both security and development
teams. Traditionally, computer science programs have focused on producing programmers with a foundation to become
good application developers but not necessarily security experts. As a result, developers are unaware
of the different ways they can introduce security problems into their code.


  1. Misaligned priorities - Development teams are focused on product innovation to meet business needs. Vulnerabilities eminating from code defects are seen as potential problems, therefore not a priority compared to feature functionality and on-time delivery. QA teams are concerned about buggy software and customer dissatisfaction. Security teams are focused on the availability and protection of sensitive assets – they are tasked with securing in-house and commercial applications, often having to address vulnerabilities exposed by software code after it is deployed.
  2. Misaligned process - Security audits and QA testing happen at the end of the development cycle where issues are most expensive to fix and when developers are focused on getting the release out and moving on to the next release. Audits are typically done late in the cycle to avoid having security experts review and re-review code that is likely to change before release. Also, security audits typically happen outside the standard development workflow, which means developers are likely to ignore security issues identified during the audit because it is hard to go back and change “working” code without causing an expensive and lengthy testing cycle. Therefore security issues identified late present business stakeholders a difficult decision between time to market and security.
  3. Misaligned tools - Developers resist changes to their workflow and find it difficult to use tools designed for security experts. They require too much security expertise and do not provide directly actionable information for fixing defects. Putting security auditing tools in the hands of a developer is not a practical solution as these tools are designed to find every possible issue resulting in a high false positive rate. Developers will often ignore the tools analysis results if they have to wade through a high volume of noise to identify critical defects that must be fixed.

Unfortunately as we know, all too often defects ignored or overlooked during the development process end up causing major issues down the road. Due to the rapid growth of software based solutions, we are at that uncomfortable stage in the history of software development where we are seeing firms suffer businesses disruption and negative publicity because they failed to manage risks posed by insecure code practices. Attackks as a result of application vulnerabilities have been reported across industry segments and geopolitical boundaries as we have seen recently with the wannacryt ransomware.

Way foward

In software development, security element needs to be brought in from all aspects of the software development process – it is only by pushing past the operational view of security that we can begin to build software systems that can stand up under attack. Security defects can, and should be treated like software defects and managed as part of the development process. A distinction between security and quality can sometimes be put as one; the bug that generates as
a system failure could be exploited by an attacker tomorrow.

For secure solution the important people to be involvd are the builder of the solution/code -the software developers.