The explosion of application development techniques has been a boon to the software industry. It’s easier than ever to put together an application and start delivering value for customers who can come from anywhere in the world. Unfortunately, the same is true for hackers who are looking to attack your application. As the industry grows more connected and holds more valuable data, hackers have become more sophisticated. They’re no longer kids in someone’s basement messing around with DDoS attacks. Today’s hackers are blessed with such advanced open-source tools that they can command massive botnets at the click of a button. Breaking into someone’s computer has moved from mere attempts to extort money from dismayed victims to serving the vested interests of hostile nation-states for hefty bounties. Secure development isn’t an option if you want to protect your organization’s livelihood and customer base against these attackers; it’s a necessity. Here are some secure development practices that you should follow to get started:
Secure development is a critical first step
Insecure coding practices, such as protecting your application’s user login information with a password that can be easily guessed or failing to perform input validation on data sent from the client side, can lead to vulnerabilities that hackers will exploit. Secure development also means encrypting all of your company's data and communications (to prevent man-in-the-middle attacks), ensuring secure authentication methods are used to verify customers’ identities (e.g. SSL certificates), and enforcing strong passwords for high-security applications like financial transactions.
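As an added illustration (not code from the original article), the Python sketch below shows the two checks named above done on the server: allow-list validation of client-supplied fields and rejection of easily guessed passwords. The field names, the 12-character minimum and the tiny common-password list are assumptions made for the example.

```python
import re
import unicodedata

# Constructed sample; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")   # allow-list of permitted characters
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")
MIN_PASSWORD_LENGTH = 12                       # assumed policy value
LEET = str.maketrans("@0$3", "aose")           # undo common character swaps


def is_guessable(password, username):
    """True if the password is a common one in disguise or embeds the username."""
    text = unicodedata.normalize("NFKC", password).casefold()
    # Strip trailing digits/punctuation, then undo swaps: 'P@ssw0rd2024!' -> 'password'
    core = re.sub(r"[\d\W_]+$", "", text).translate(LEET)
    return (text in COMMON_PASSWORDS or core in COMMON_PASSWORDS
            or (len(username) >= 3 and username.casefold() in text))


def validate_signup(payload):
    """Server-side check of a signup request; returns a list of error strings."""
    fields = [payload.get(k) for k in ("username", "email", "password")]
    if not all(isinstance(v, str) for v in fields):
        return ["username, email and password are required strings"]
    username, email, password = fields
    errors = []
    if not USERNAME_RE.fullmatch(username):
        errors.append("username: use 3-32 characters from a-z, 0-9 and _")
    if not EMAIL_RE.fullmatch(email):
        errors.append("email: not a valid address")
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("password: shorter than %d characters" % MIN_PASSWORD_LENGTH)
    elif is_guessable(password, username):
        errors.append("password: too easy to guess")
    return errors
```

The same checks must run on the server even when the client already performs them, because anything sent from the client side can be altered before it arrives.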
Secure application architecture and decentralization
It’s important to ensure that your app architecture itself is secure. This involves making sure that no single point is responsible for too much of the app’s security. If you have centralized servers that handle all your data, hackers just need to break into one system in order to get everything they want. Secure application architecture means decentralizing as many pieces of the process as possible so that a single hacker can’t bring your entire infrastructure down with a well-placed attack on one node.
Decentralization is something that takes effort from DevOps to implement effectively. There are various benefits to bringing development and operations together towards a common goal. To begin with, DevOps decreases friction between the various stakeholders in the development process. However, DevOps is not considered a boon for the AppSec people in your organization.
Secure DevOps or DevSecOps
DevSecOps is a practice that insists on shifting security left in your software delivery pipelines. At a time when DevOps practices dictate continuous integration, delivery and testing, security can take a backseat and slow down the delivery considerably. Unlike traditional software systems where security analysis is the last step of the process, DevSecOps recommends security analysis at each part of the pipeline. Developers should write secure code. Operations must run security audits on the infrastructure before deployment. Quality analysts should check the application not just for bugs, but also against known security vulnerabilities.
No matter how secure your application code and infrastructure are, there’s always a way to break in and steal information regarding your users and employees. It’s always a cat-and-mouse game, and in order for organizations to beat the bad guys, they have to think like them sometimes.
Leading tech organizations, including cloud vendors, invite white-hat hackers to their campus and reward them for successfully breaking into the system. That way they can learn about the security vulnerabilities before a bad guy does and patch them on time. Safe harbor is the reason Microsoft leads the way when it comes to enterprise security.
With secure development, DevSecOps, and secure application architecture taken care of, you should be off to a good start ensuring that there are fewer risks for potential attackers to exploit. But this doesn't mean it's time to let up on monitoring what goes on within your own systems. Security monitoring includes keeping track of your application’s traffic and the data it processes. Secure application architecture means your developers will need to write custom code for how information is sent, received, and stored, which makes security monitoring all the more important so that you can spot any unexpected activity or behavior that could indicate a breach has occurred.
Responding to security breaches
Security monitoring also includes allowing your company to be proactive in responding to breaches. Regardless of whether or not hackers successfully break into your system, they’ll still leave traces behind from their attempted attack, such as the IP addresses they came from, fake accounts used by bots looking for vulnerabilities, and other clues about what went on while they were inside. You should make sure there’s someone keeping an eye out 24/7/365 (or whatever schedule works best) who knows how these hackers operate, what they want, and how to deal with them once they’re in the system. Security monitoring also means creating a task force that can quickly spot these breaches and respond before too much damage is done!
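As an added illustration (not code from the original article), the Python sketch below turns the traces mentioned above, source IP addresses and bot-created accounts, into two simple alerts. The log format, the thresholds and the five-minute window are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed log format; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL ip=203.0.113.7 user=alice
2024-05-01T10:00:03Z LOGIN_FAIL ip=203.0.113.7 user=bob
2024-05-01T10:00:05Z LOGIN_FAIL ip=192.0.2.10 user=erin
2024-05-01T10:00:06Z LOGIN_FAIL ip=203.0.113.7 user=carol
2024-05-01T10:00:09Z LOGIN_FAIL ip=203.0.113.7 user=dave
2024-05-01T10:00:41Z LOGIN_OK ip=192.0.2.10 user=erin
2024-05-01T10:01:00Z SIGNUP ip=198.51.100.9 user=bot001
2024-05-01T10:01:04Z SIGNUP ip=198.51.100.9 user=bot002
2024-05-01T10:01:09Z SIGNUP ip=198.51.100.9 user=bot003
2024-05-01T10:02:30Z SIGNUP ip=192.0.2.44 user=frank
corrupted line without fields
"""
LINE_RE = re.compile(r"(\S+) (LOGIN_FAIL|LOGIN_OK|SIGNUP) ip=(\S+) user=(\S+)")

def parse(log_text):
    """Return time-ordered (timestamp, event, ip, user) tuples, skipping bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m[2], m[3], m[4]))
    return sorted(events)

def flag_sources(events, event_type, threshold, window=timedelta(minutes=5)):
    """Map each IP that reaches the threshold to its peak distinct users per window."""
    by_ip = defaultdict(list)
    for ts, event, ip, user in events:
        if event == event_type:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

def detect(log_text):
    events = parse(log_text)
    return {"failed_login_sources": flag_sources(events, "LOGIN_FAIL", 4),
            "bulk_signup_sources": flag_sources(events, "SIGNUP", 3)}
```

Counting distinct usernames per source, rather than raw failures, keeps a single user who mistypes a password a few times from raising an alert.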
Transparent security policies
The enforcement of security policies that secure your organization’s IT from external and internal threats isn’t just the job of your security team. Organizations handling large sets of personal data keep their policies public so that anybody can assess their effectiveness against incoming threats.
If your organization encrypts data at rest and in transit, then you should make your encryption algorithm public. The best practice would be to use one of the open-source encryption algorithms that have already been audited multiple times and are sure to be irreversible.
Secure development is a critical first step. Secure application architecture ensures that no single point of failure can bring your entire infrastructure down. Security monitoring and response allow you to be proactive in dealing with breaches, including knowing how hackers operate, what they want, and responding before too much damage is done.
Rare Crew is a software development company that follows secure development practices to ensure you don’t sacrifice security for functionality.