
Ensuring app security within software development lifecycle


In the last few years, organizations across industries, including retail, media, healthcare, automotive, finance, aviation and real estate, have been hit by security incidents and data breaches. According to the 2021 Mid Year Data Breach QuickView Report released by Risk Based Security (RBS), there were 1,767 publicly reported breaches in the first half of 2021, exposing a staggering 18.8 billion records. According to IBM, a data breach now costs $4.24 million on average, the highest average total cost in 17 years. Vulnerabilities in applications and in environment configuration are among the major factors behind successful cyberattacks.

What needs to change in existing software development and maintenance processes in order to strengthen security? Let’s take a closer look at the additional measures and process adjustments your company should make for a well-tuned and secure Software Development Lifecycle (SDLC).

What is a secure Software Development Lifecycle? 

A secure SDLC integrates security practices into the existing software development process. Applying the right combination of such practices at the right stages of the cycle lets your company deliver a product with a high and predictable level of security.

Some of the main benefits of this approach are:

  • The software is more secure because security stays in focus throughout the entire lifecycle. 
  • All interested parties are aware of the security considerations. 
  • Issues are discovered early, often before they make it into the code. 
  • Costs are reduced by detecting and eliminating vulnerabilities early. 
  • Overall internal business risk for the company is reduced. 

Several frameworks and standards can be used to embed those practices, for example ISO/IEC 27034, BSIMM, OWASP SAMM and others.

Penetration testing 

Penetration testing is often the first thing that comes to mind when it comes to safeguarding software security.

Pentesters typically assess the existing applications, endpoints, environment configuration and security controls and identify gaps and weaknesses. The resulting report highlights those gaps and recommends additional measures where needed.

In a nutshell, the whole process includes:

  • Planning: analyzing potential threats, defining goals and scheduling activities. 
  • Reconnaissance: gathering information about the target systems through various techniques. 
  • Vulnerability analysis: identifying potential weaknesses that could be used to achieve the pentest goals. 
  • Exploitation: the pentesters validate and exploit the vulnerabilities identified earlier. 
  • Post-exploitation: maintaining access to the compromised system and identifying new potential attack vectors from that position. 
  • Results analysis and a final report with the findings and recommendations on how to mitigate the identified issues and protect your system. 

Pentesting has become extremely popular lately because it reveals system vulnerabilities, identifies high-risk weaknesses, prioritizes threats and produces actionable recommendations for removing them. Despite these obvious advantages, it also has a number of drawbacks:

- It’s only testing. To improve your app’s security you still need to implement the recommendations. If you run a penetration test right before the release, you may simply run out of time to fix the problems it discovers, especially if they require substantial changes to the system.

- High costs, both for the testing itself and for fixing the issues it identifies. Skilled pentesters who can thoroughly check your application and find and exploit even the smallest vulnerabilities in it are scarce. Fixing the findings is the other cost driver: because they are often identified late in the development lifecycle, the fixes may require deep changes to your solution, even at the architecture level, which drives substantial costs.

- Maintaining continuous security. A pentest finds the issues present at a particular point in time; it cannot ensure that your next release will be free of them. You will therefore either need to test before every release or add other security activities that find, or even prevent, vulnerabilities before the penetration test takes place.

It’s vital to incorporate security into every phase of the cycle in order to identify and fix potential problems at earlier stages and at lower costs. 

Incorporating security into every phase 

Implementing a secure framework throughout the software development and operations cycle is not an easy thing to do.

If your organization isn’t ready for a full switch to a secure SDLC, you can still pay attention to at least the following aspects:

- Security training for development teams. Developers who understand common vulnerabilities and how to mitigate them help your company avoid security issues and reach final testing with a minimum of potential problems.

- Threat modeling (threat assessment). This is a risk-based approach to designing secure systems: you enumerate the threats to the system and then define measures to mitigate them. The activity identifies and evaluates threats to the system and flaws in its architectural design, and results in a set of recommended security controls. Regular threat modeling ensures that the planned implementation is secure and that important measures are not forgotten.

- Security requirements. A focus on such requirements is crucial in the context of software security. Having them in place before development of a specific piece of product functionality starts helps avoid problems with implementation and subsequent testing. For specific examples to use as a baseline, you can adopt requirements from the OWASP Application Security Verification Standard (ASVS); for a mobile application, use the OWASP Mobile Application Security Verification Standard (MASVS).
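As an added illustration, not code from the article, from Sigma Software Group or from OWASP, here is how one ASVS-style authentication requirement (stored passwords use an approved, salted, deliberately slow password hashing function) can be turned into a check that runs automatically in the pipeline rather than being discovered by a pentester right before release. The algorithm choice, iteration count, salt length and storage format are assumptions made for the example; the sample user store is constructed:

```python
"""Added example: a security requirement expressed as an automated check.

Requirement (paraphrased from the ASVS authentication chapter): passwords are
stored using an approved, salted, slow password hashing function. Everything
below is illustrative and not taken from the article.
"""
import hashlib
import hmac
import os

# Assumptions, not from the article: PBKDF2-HMAC-SHA256 with an iteration count
# in line with current OWASP guidance, and a 16-byte random salt per password.
APPROVED_ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """The 'before' form: an unsalted, fast hash. Rainbow tables and offline
    brute force work against this, which is exactly what the requirement forbids."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: per-password random salt plus a slow, approved KDF.
    Stored as 'algorithm$iterations$salt_hex$digest_hex' so the parameters
    travel with the hash and can be raised later without a data migration."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{APPROVED_ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != APPROVED_ALGORITHM or not iterations.isdigit():
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed record (wrong field count or bad hex)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


def meets_storage_requirement(stored: str) -> bool:
    """The requirement as a check a CI gate can run over each user record:
    approved algorithm, random salt of adequate length, enough work factor."""
    parts = stored.split("$")
    if len(parts) != 4:
        return False  # e.g. the bare hex digest produced by weak_store()
    algorithm, iterations, salt_hex, _digest_hex = parts
    if algorithm != APPROVED_ALGORITHM:
        return False
    if not iterations.isdigit() or int(iterations) < PBKDF2_ITERATIONS:
        return False
    try:
        return len(bytes.fromhex(salt_hex)) >= SALT_BYTES
    except ValueError:
        return False


def audit_user_store(records: dict) -> list:
    """Return the usernames whose stored password form violates the requirement."""
    return [user for user, stored in records.items() if not meets_storage_requirement(stored)]


if __name__ == "__main__":
    # Constructed sample user store: one legacy record and one compliant record.
    users = {
        "legacy_user": weak_store("correct horse battery staple"),
        "new_user": hash_password("correct horse battery staple"),
    }
    print("non-compliant records:", audit_user_store(users))  # ['legacy_user']
```

The point is the shape of the check rather than the particular KDF: once the requirement is written down before the feature is built, `meets_storage_requirement` can gate a merge or a release, and a finding that would otherwise surface in the pentest report becomes a failing build months earlier.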

Conclusion 

Implementing security in the SDLC lets businesses streamline development by addressing the root causes of security issues as early as possible. Security-related activities should not end when the development phase is complete; security must remain an integral part of the operation phase. As your business grows, it is recommended to raise the maturity level of your security practices. 

Dmytro Tereshchenko, Head of the Information Security Department, Sigma Software Group

Dmytro Tereshchenko is the Head of the Information Security Department at Sigma Software Group with over 16 years of experience in IT.