Security for Software

SW Security

Software developers are typically focused on delivering an application that meets its operating objectives and makes users productive.  Yet if an attacker can gain unauthorized access to the moving parts of the application, both users and the enterprise can be compromised.  Developers and end users benefit from a guided process, led by information security professionals, that builds security into the application throughout its lifecycle rather than bolting it on after completion.  Two industry-accepted bodies of knowledge can guide the process: the CSSLP (Certified Secure Software Lifecycle Professional, from (ISC)²) and the CAPM (Certified Associate in Project Management, from PMI).  Apply the eight CSSLP domains to inject security into application development, guided through the five process groups of project management (initiate, plan, execute, monitor & control, close).


CSSLP: 1. Concept. 2. Requirements. 3. Design. 4. Implement/Programming. 5. Testing. 6. Lifecycle Management. 7. Software Lifecycle. 8. Supply Chain & Software Acquisition.

One. Concept.  Apply security concepts to the software based on its deployment model and the sensitivity of the data it handles (e.g. on-premises, web, mobile, e-commerce).  Apply risk management to identify the security controls needed for its operation, to secure the user experience, and to protect the integrity of all data the application interacts with.

Two.  Requirements.  Identify the key security objectives, stating which security controls will deliver the CIA triad (confidentiality via encryption; integrity via hash checks and digital certificates; availability via restore-time targets) and the AAAs (authentication: single-, two- or multi-factor; authorization: entitlements; accountability: an audit trail of connections and actions), together with session limits (idle and absolute timeouts), so that the attack surface of the application is minimized.  Each requirement should be written so that testing can later confirm the control is present and working.

Three. Design.  Design the application's security to reduce its attack surface.  How will the security requirements be realized in the functionality of the application?  Be versed in attack vectors and their goals; use threat modeling to derive security needs from the design.  Apply STRIDE to the security design (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege).  Apply the security controls approved in the requirements phase, including secure interface design (i.e. a single landing page for entry, authentication, authorization to assets, and an audit trail of logins).  Follow the software development method used for the project (e.g. waterfall for small, well-defined projects; prototyping to build to customer specification; spiral as a mix of waterfall and prototyping; agile).
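To show how threat modeling "infers needs from design", here is an added example (not code from the original post) that applies the standard STRIDE-per-element table to a small data-flow diagram: external entities get S and R, processes get all six, data stores get T, I, D (plus R when they hold audit records), and data flows get T, I, D. The diagram of a browser, web app, orders database and audit log is constructed for illustration; the element names and the priority rule for flows inside a trust boundary are assumptions of this example.

```python
"""Derive candidate threats from a data-flow diagram with STRIDE-per-element.

Added example, not from the original post. The element-to-threat mapping is
the standard STRIDE-per-element table; the sample diagram is constructed.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to which DFD element type.
# Data stores gain R only when they hold audit records (handled below).
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # external | process | store | flow
    crosses_boundary: bool = False   # flows only: crosses a trust boundary
    holds_audit_log: bool = False    # stores only


def threats_for(el: Element) -> list:
    """Return the STRIDE category names that apply to one element."""
    if el.kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind {el.kind!r}")
    letters = PER_ELEMENT[el.kind]
    if el.kind == "store" and el.holds_audit_log:
        letters += "R"  # tampering with the log lets an actor deny actions
    return [STRIDE[c] for c in letters]


def threat_model(elements) -> list:
    """Enumerate (element, threat, priority) triples for the whole diagram.

    Flows that stay inside one trust boundary are marked 'low' (assumption of
    this example: both endpoints are under the same control); everything else
    is marked 'review' so a designer decides which control addresses it.
    """
    findings = []
    for el in elements:
        for threat in threats_for(el):
            low = el.kind == "flow" and not el.crosses_boundary
            findings.append((el.name, threat, "low" if low else "review"))
    return findings


# Constructed sample: browser -> web app -> database, with a login audit log.
SAMPLE_DFD = [
    Element("Browser user", "external"),
    Element("Web app", "process"),
    Element("Orders DB", "store"),
    Element("Audit log", "store", holds_audit_log=True),
    Element("HTTPS request (browser->app)", "flow", crosses_boundary=True),
    Element("SQL (app->db)", "flow", crosses_boundary=False),
]

if __name__ == "__main__":
    for name, threat, prio in threat_model(SAMPLE_DFD):
        print(f"{prio:6} {name:30} {threat}")
```

Each "review" row is a requirement waiting for a control: spoofing of the browser user maps to the authentication requirement, repudiation on the audit log to tamper-evident logging, and so on. The output is a checklist, not a verdict; the designer still has to decide which threats are accepted and which are mitigated.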

Four. Implement/Programming.  Collaborate with the application developers to write the security controls identified and specified in the design phase into the software.  Integrate the controls into each phase of the development project, not as a single pass at the end.

SW security testing

Five. Testing.  Review the code.  Use a controlled environment to test the application's security functionality: how does it respond to correct use, misuse, malicious tampering, and cyberattacks?  Testing includes white-box testing (with knowledge of the code), black-box testing (without knowledge of the code), and user-acceptance testing (the user experience).
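The requirements phase above asks for controls that can be verified, and the testing phase asks how the application responds to correct use, misuse and tampering. The following added example (not code from the original post) ties the two together: it implements three of the controls the requirements paragraph names (integrity via a keyed hash with constant-time comparison, accountability via an audit trail of login events, and session time with idle and absolute limits) and then exercises each under a correct-use case, a misuse case and a tampering case. The key, the time limits and the sample payload are constructed for illustration; in a real system the key would come from a secrets store.

```python
"""Security requirements as testable controls, exercised under correct use,
misuse and tampering. Added example, not from the original post.
"""
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: loaded from a KMS in practice
IDLE_LIMIT = 15 * 60                  # seconds of inactivity before a session expires
ABSOLUTE_LIMIT = 8 * 3600             # seconds after which a session expires regardless


def sign(payload: bytes) -> str:
    """Integrity control: HMAC-SHA256 tag so any change to payload is detectable."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not reveal how much of the tag matched."""
    return hmac.compare_digest(sign(payload), tag)


class AuditTrail:
    """Accountability control: append-only record of who did what, when, and the outcome."""

    def __init__(self):
        self.events = []

    def record(self, user: str, action: str, outcome: str, now: float) -> None:
        self.events.append({"ts": now, "user": user, "action": action, "outcome": outcome})


class Session:
    """Session-time control with both idle and absolute expiry."""

    def __init__(self, user: str, now: float):
        self.user, self.created, self.last_seen = user, now, now

    def touch(self, now: float) -> bool:
        """Refresh and return True while valid; return False once either limit is hit."""
        if now - self.created > ABSOLUTE_LIMIT or now - self.last_seen > IDLE_LIMIT:
            return False
        self.last_seen = now
        return True


def login(user: str, second_factor_ok: bool, audit: AuditTrail, now: float):
    """Authentication control: require the second factor and log both outcomes."""
    if not second_factor_ok:
        audit.record(user, "login", "denied: second factor failed", now)
        return None
    audit.record(user, "login", "ok", now)
    return Session(user, now)


def run_test_cases() -> dict:
    """Exercise the controls the way the testing phase describes."""
    audit = AuditTrail()
    t0 = 1_700_000_000.0  # constructed epoch time
    results = {}
    # Correct use: second factor passes, session touched inside the idle window.
    s = login("alice", True, audit, t0)
    results["correct_use"] = s is not None and s.touch(t0 + 60)
    body = b'{"order": 42, "amount": "19.99"}'
    tag = sign(body)
    results["integrity_ok"] = verify(body, tag)
    # Misuse: session left idle past the limit is rejected.
    results["idle_expired"] = not s.touch(t0 + 60 + IDLE_LIMIT + 1)
    # Misuse: an active session still dies at the absolute limit.
    s2 = login("bob", True, audit, t0)
    results["absolute_expired"] = not s2.touch(t0 + ABSOLUTE_LIMIT + 1)
    # Tampering: a changed amount with the old tag fails verification.
    results["tamper_detected"] = not verify(b'{"order": 42, "amount": "1.99"}', tag)
    # Misuse: missing second factor is refused and the refusal is recorded.
    results["mfa_refused"] = login("mallory", False, audit, t0) is None
    results["audit_entries"] = len(audit.events)
    return results


if __name__ == "__main__":
    for name, value in run_test_cases().items():
        print(f"{name:18} {value}")
```

Every case here is white-box: the tests know the time limits and the signing scheme. A black-box pass would replay the same three scenarios through the application's real interface (expired cookie, altered request body, missing one-time code) without reading the code, and user-acceptance testing would confirm the timeouts and second-factor prompts are tolerable for real users.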

Six. Lifecycle Management.  Identify the need to create and apply hotfixes, patches, service packs, or version updates to the application's security through its lifecycle, so that the attack surface does not grow as the software and its dependencies age.

Seven. Software Lifecycle.  Manage security during the lifecycle of the application to ensure its security controls are maintained.  Roll the application out to the production environment in controlled phases, so each phase can be verified before the next.  Detective controls include periodic risk assessment and application scanning; corrective controls include remediating the significant vulnerabilities those activities find.  Train users to report security incidents related to the application to the help desk.  Decommission the application when use or market conditions dictate its end of life and support.

Eight. Supply Chain and Software Acquisition.  Perform a cost-benefit analysis of whether the application and its security controls should be built or bought.  Analyze the security and policy compliance of third-party software.  Acquisition agreements often include escrow of the source code so that it remains available if the vendor can no longer support the product.

Software security is a planned, deliberate process designed to contribute to the objectives of application development.  RiSe Solutions can coordinate the above process during application development within Staffing Partner, whether as a project or as a full-time employee.  If you'd like to discuss staff augmentation, please click "Request A Consultation" at the base of riseit.net, write "Software Security" in the subject line, and paste the email signature of your product director in the message body; I reply within 24 hours to schedule a call on your calendar. ###
