Creating a Secure Development Culture:
The Why (Part I)

By Dale Bingham and Dave Gould


Over the past several months, it appears cyber security attacks (ransomware, stolen logins and passwords, network security breaches) have been on the increase. This is probably not news to you if you are reading this. Whether it is the SWIFT banking episodes, login/password combinations stolen months (or even years) ago now being used to break into people’s other accounts, or even thinking “back” to 2015 and the massive OPM breach, we all keep hearing more and more about this. Theft of personal information, of money, and of health information, and attacks that cause havoc (think of the Ukrainian power hack), are all around us. Add to all of this the fact that we are (at least in the United States) a 100% connected society in all we do – arguably making us vulnerable 100% of the time. Our refrigerator can talk to our phone and identify the food inside it at that very moment (that is pretty cool)! We use our Wi-Fi network for opening and closing our garage, turning lights on and off, setting HVAC controls, as well as sharing our soccer and horse pictures from weekend events. And of course our kids are online with tablets, computers, and smartphones as much as parents will let them. And do not even get me started on the whole Internet of Things (IoT) race and how functionality and speed are at the forefront and security is a distant third (insert soap box). We must get better at this security thing!

To help us battle cyber threats, our network security and defenses have gotten much, much better over the last decade. We have layered defenses. We have anti-virus and malware scans. We have updated patch cycles to keep up to date on the latest security patches. We have firewalls and DMZs and biometrics all around us now. And we are starting to see a bit more training on security issues, social hacking, and phishing attacks to raise people’s awareness and defenses against those types of attacks (and so they know how to spell phishing). Now it is time for the software developers to get serious about security. That means making security a critical component of design and process, not just doing the minimum to meet a standard or a particular specification. It is so much easier, quicker, and less costly to do this properly up front than to retrofit it later when required to, hoping the retrofit does not break something along the way. Do it right. Do it up front. Get it done.

As a computer science guy and a software developer, I take personal responsibility to correct this myself and to educate and involve others around me to do the same. We need to create a secure development culture where security concerns are brought up, thought through, and designed into what we create. We must begin with security in mind for anything we do in developing software and systems. It needs to start in the whiteboarding, brainstorming, and napkin-writing sessions, and continue through the architectural designs, prototyping, development, testing, and production. Warning: this may take a while. But it must be supported from the top levels to allow time to get this to work. This includes, dare I say, leadership!

Here’s just one example of why we need to do this. Within the last year I had a team that performed an audit of an application that has been in use for several years in a production environment. It is a web-based application used by governments locally and worldwide that talks to REST services with a login/password combination and is a pretty complex piece of software, I must say. It has been in development for several years (with different teams of course) and is going through some major modifications to add functionality. As our team dove into the actual code (manually as well as with active and passive code scanning tools) and investigated the code and the data it saved, we found a few things that had to be fixed right away: passwords saved in plain text in 5 different places (I know, right!!!); very little input validation at all; running the application as an administrator (not a least-privileged user); and not all REST endpoints revalidated the user and their session or restricted REST calls based on roles. As we started to point these out and explain why we needed better control, the group understood it. However, this level of security was not something they were used to. And we still struggle today as we offer ways to better secure their application and information. We will not give up though.

Please do not get me wrong: these developers are good people and are not trying to do things incorrectly. They just do not have a strong culture of security in the organization and were not taught the importance of this at college (that is a problem we need to fix) or on the job. Speed and functionality are the sexy side of software development. Taking an idea and creating life from it is exciting! However, this has to, HAS TO, include security from the outset – during the brainstorming session or design discussion, well before any code is written. We must have a balance of security, safety, privacy, and functionality for the intended purpose and for the intended users. That has to start now if we are to make our software development process more secure and our applications harder to break into.

Next week, I’ll talk about my thoughts on “The How” – the steps necessary to create a secure development culture.

 

The authors, Dale Bingham and Dave Gould, are co-owners of Satismo, a Global Cyber Alliance partner. You can follow them on Twitter @Dale_Bingham, @degthat, and @SatismoSecure.

Editor’s Note: The views expressed by the authors are not necessarily those of the Global Cyber Alliance.