Security Savvy: Building Secure Software from the Ground Up

There is a well-known idea within software development about any team having to choose between three interlinked concepts:

Delivering on-time
Delivering high quality software
Completing all committed features

In real-world scenarios teams often must choose two of the said principles, while in some way comprising on the third. There is however a fourth core principle that is often overlooked which is that of “delivering secure software”. This vital element of software development has the potential to affect the overall success of any project and it is crucial to pay close attention to all aspects of software security to honor the responsibility of a software professional as the proverbial “gatekeeper” of the client’s data.

A ground-up approach

Seeing that most software projects can be likened to building a house, it makes sense to apply software security within the same analogy. The cornerstone of any great building determines whether it will stand the test of time or crumble within the first day of inspection. In the same way, security in software should be considered a “day-one” priority when the initial project phase is kicked off. In a similar fashion to a surveyor assessing a plot of land before planning a project, so too should the security landscape of a project be assessed. Knowing the landscape can prepare and inform the whole team of common issues to look out for. Some of the prevalent issues facing software projects today include:

Denial-of-Service (DoS) Attacks: These are attacks which aim at disrupting the availability of a service or website, typically by generating a large amount of traffic or requests, rendering it inaccessible to legitimate users.
Injection Attacks: Exploiting vulnerabilities in software applications to inject malicious code or commands, such as SQL injection (an often occurrence when dynamic SQL is involved within a projects codebase), cross-site scripting (XSS), and command injection, which can lead to data breaches or system compromise.
Insider Threats: Threats originating from within a company or team. These can come from disgruntled employees or contractors, who misuse their access privileges to steal data, compromise systems, or partake in other malicious activities.
Zero-Day Exploits: Often occurring in software using untested or unverified third-party systems, these exploits target previously unknown vulnerabilities, for which no patch or fix is currently available. This allows attackers to exploit them before they are discovered and fixed.

Being aware and informed of these and other common threat surfaces, can better prepare a team to mitigate any risks. The team can go into the project taking pro-active steps in preventing common pitfalls from jeopardizing a successful delivery.

Men at work, Construction in progress

When designs have been drawn up and all plans have been approved, it’s time for the “men to go to work”. Bricks, cement and construction tools are delivered and the “boots on the ground” team are responsible for executing daily to the best of their ability. Similarly, a security assessment and plan are only as good as its day-to-day execution. During development and project iteration, teams should put sound security practices in place that adhere to industry standards and are well documented.

For daily coding, this could mean making use of static analysis tools that continuously scan the evolving codebase for known vulnerabilities in code. Apart from helping to foster a “security first” mentality, these tools are also great at examining a codebase that might be inherited for any retrospective areas that need to be addressed and to achieve a secure base for moving forward.

For coding configuration (a principle that is commonly found in projects that deploy to multiple environments) application secrets and other sensitive software information should be stored in a secure manner that minimizes and controls the access of who may see and edit this information. Keeping source-controlled repositories clear of these secrets and injecting them via an automated build process is one such practice that can limit the exposure of information that if leaked, could compromise a system’s data. Most modern cloud platforms like Microsoft’s Azure KeyVault and Amazon’s AWS Secret Manager also offer integrated services for storing and centrally managing application secrets. These services also typically integrate well with the rest of the platform’s services, making it easier to adopt in a project’s delivery pipeline based on the chosen cloud provider.

Additionally, an important part of developing secure software is implementing authentication and authorization according to industry standards and best practices. With constant evolutions in policies around user data storage and regulations, it can be challenging to implement an authentication framework within a project that keeps up with the changing landscape of information regulation. An authentication system within a project must be secure from the point a user enters their details on a login page to the way this vital information is encrypted in transit and stored for application retrieval. Teams who opt to deal with all this complexity manually can quickly find themselves spending most of their time and resources ensuring that this basic part of a system stays up to evolving standards. Although it offers the greatest amount of control over how the authentication must work, smaller teams might very well consider integration with third-party authentication systems offered by cloud providers. Systems like Microsoft’s Azure B2C, Amazon’s Cognito and Google’s Firebase Authentication offer turnkey solutions to best-in-class authentication. Common features include:

Effortless setup of sign-in/sign-up flows
Secure transit and storage of information which complies to safe data storage requirements
Secure information exchange via the OAuth2 protocol
The ability to opt in for federated account sign ins via social platforms such as Facebook, LinkedIn, Google etc. )

These are all great ways for a project to delegate the complexity of authentication with peace of mind that there are entire teams that make sure these platforms are kept up to professional security standards.

A clean home is a happy (and secure) home

Returning to our building analogy, we can liken the maintenance of a secure system to that of keeping our completed building clean and tidy as time moves on and the occupants (or for the system, its users) make daily use of the facilities. In the same way gutters need cleaning and lawns need mowing, so too does a software system need constant care as threat surfaces may shift and methods of attackers become more complex. Some basic routine practices can help keep a system secure after initial delivery:

Security patches for operating systems and hosting environments should be applied as they become available. If a system is cloud managed, most of these operations are handled by the platform, removing the burden from Dev/ITOps teams to spend time on these tasks
Access to sensitive resources such as app secrets and files should routinely be reviewed and kept in sync with changes in staff or relevant contractors. A system with expiring credentials is often a good way to make sure teams are kept accountable in terms of who has access during which part of a project’s lifespan
Package dependencies in source code should routinely be inspected for updates from vendors to ensure any discovered vulnerabilities are patched. Often this activity might cause some technical debt to accommodate breaking changes but upgrading in a timely fashion prevents security problems from exponentially growing further down the system’s lifetime as frameworks reach end of life.
Stakeholders of a system should also routinely be given training on security developments and best practices within their domain. This helps foster the mentality that security is everyone’s “problem” and can help raise the awareness of common exploits used in today’s technology economy
External security audits can also be arranged to assess a system’s compliance from time to time making sure that changes to a system have not introduced any new chances of compromise

Making a house a home and building for the future

When considering the broad spectrum of elements to consider in keeping a system secure, it becomes easy to appreciate how some professionals dedicate their entire careers to this evolving area of software development and design. It is a discipline that will keep evolving as technology does. With approaching security as an all-encompassing effort, involving all participants in the software journey, a project can be set up for success and resilience if there is buy-in from all involved and from the outset of the journey. With a team that is focused on a security first mindset, smartly chosen frameworks and tools, carefully considered policies and an efficient maintenance plan; any system can be taken from good to great. With an increasing number of businesses that turn to software and the digital realm for solutions, professionals and end-clients alike would do well to understand the critical role security plays in the future of their organization. Rome was surely not built in a day, and neither will one’s security practices be perfect from the outset. What remains though is that one should make secure practices an integral part of one’s day-to-day thinking, and in time, brick by brick, businesses will find themselves on a steady foundation, ready to make an impact and take their venture to new heights.