Software development is a complex process that typically requires a lot of time and effort. The pressure on developers to churn out new features and meet deadlines is immense, which means coders often do not have the time and flexibility to follow secure development best practices as they would prefer.
When adequate security measures are not followed in writing software code, the organization exposes itself to increased risk through the potential exploitation of vulnerabilities which can lead to a data breach. The damage from a data breach can be severe in terms of brand reputation, financial loss, fines and penalties, and customer retention among other risks to the organization.
At SEWORKS, we understand that building application code in a secure manner is not an easy task for organizations. We are also aware that not every organization has adequate resources to implement appropriate security strategies on their own. Given these challenges, we recommend the following 8 security measures.
- Security by Design: It is important to consider how to implement security in the application design phase. Needless to say, it costs less time and requires fewer resources when compared to figuring out how to add security after a software application is built. Creating a product architecture backbone with integrated security measures will help organizations both in the long and short term.
- Secure Coding: Security strategies followed during the design stage are ineffective if secure coding practices are not in place. Secure coding practices should be followed regardless of devices and programming languages used by developers. Open Web Application Security Project (OWASP) provides its Secure Coding Practices Quick Reference Guide that organizations should follow. Moreover, the SANS Institute (SANS) and CERT provide secure coding training.
- Monitoring: After secure coding, consistent security monitoring is required. This is to help organizations identify where security threats come from and respond promptly to risks. Monitoring includes internal devices, such as server and firewall logs, and external ones like cloud and Managed Security Systems Provider (MSSP) logs. There are log analysis tools and Security Information Event Monitoring (SIEM) platforms that organizations can utilize for security event log monitoring. For effective security monitoring strategies, CREST offers in-depth guidelines.
- Vulnerability Assessment and Patch Management: Even with security by design and secure coding practices, there may be vulnerabilities that organizations are not aware of. This is why we recommend conducting vulnerability assessments on the staging server to discover any potential vulnerabilities. Armed with the results from the assessments, organizations can roll out efficient security patches so that the security status is up-to-date. We recommend automating this process by utilizing vulnerability assessment and security patch management tools for an efficient and secure DevOps cycle.
- Offensive Security: Vulnerability assessment is useful but has shortcomings. Looking for security weaknesses from an attacker’s point of view can reveal even more valuable results. Offensive security is practical as it focuses on critical points that attackers would take advantage of, rather than low-grade vulnerabilities that don’t mean much to them. Offensive security practices are usually done by internal red teams and/or ethical hackers. They simulate attack scenarios to assess how the targets respond and check if they can be compromised. And these penetration tests are often done without the rest of the organization’s knowledge so they don’t add extra security measures during the test period. We understand that not all organizations have access to red teams or ethical hackers. As an alternative to human testers, a penetration testing solution such as Pentoma® can be utilized to automate the offensive security efforts.
- Verified APIs/3rd Party Modules: It is common to plug-in various APIs, SDKs, and other third-party modules to create a more efficient flow in web applications. Using them is great, but it is important to check if they can expose your web application to security risks. As security threats are increasing daily, we are starting to see organizations asking 3rd party vendors to provide security assessment results so that they are aware of the security status of tools they employ.
- Up-to-date SDLC Software: As agile development and CI/CD platforms have been popular, there are many software options organizations can choose to help their software development lifecycle (SDLC). Commonly used ones include Jira, GitHub, Jenkins, and Docker. Using them can benefit the SDLC, but organizations should always install the latest version of the software. When new vulnerabilities get discovered, SDLC-related software vendors patch them and release new versions. Employing old versions puts organizations under increased security risks and provides attackers a way to get in.
- Database Encryption: Database encryption transforms data stored in a database into ciphertext so the stored data is not in plain text. This is a preventative measure that even if attackers get access to the database, there will be an extra hurdle for them instead of taking all sensitive data in a comprehensible form. There are database encryption tools in the market provided by AWS, GCP, IBM, McAfee, Microsoft, and other vendors.
We know developing and implementing web application security strategies is challenging. We hope our recommendations can be a starting point for organizations, especially the ones without sufficient security resources. If you have any questions about your web application security, feel free to reach out to us at firstname.lastname@example.org - we will be happy to provide a consultation.