Implementing a Secure Software Development Life Cycle — Part 1

Carlos Bocanegra
8 min read · Jul 18, 2021

For decades, organizations have relied on the typical software development process to cover their software needs, whether automating manual processes for better efficiency or expanding the business onto new technology platforms. This model has generated profits and aided the transition to a more technological world. However, the increasing risks associated with insecure software have led many to acknowledge the need to integrate security into their software processes. This does not mean simply buying new security tools and plugging them into existing products; it means changing the whole software development process so that security is an integral part of each and every stage.

We have to admit that adding security to the process is a challenging transition. It requires changing paradigms at multiple levels of the organization and investing large amounts of money upfront for a return that arrives in the long term. Nonetheless, once you have gained speed and reached a mature state, the benefits are considerable, not just for the IT security area but for the whole organization: by making your processes more efficient you reduce costs and strengthen your technology posture, which gives you the flexibility and confidence to take on new business or change strategy knowing that you are well positioned technologically.

In this 3-part article we will take an overview of what implementing a secure software development process implies for an organization, starting with an evaluation of the risks and costs involved. Then we will go into the details of what a secure development process looks like. Finally, we will review some of the challenges you may face along the way.

Why even bother?

Before jumping into the details of what a Secure Software Development Life Cycle process looks like, it is important to understand why you need such a thing and what impacts and benefits it would bring to your organization. By default you may assume that a completely secure state is better than an insecure one; however, each organization has its own needs and priorities, and what works for some is not necessarily the best for everyone. The first thing you need to do is understand your organization's security posture and identify, categorize and prioritize your specific risks so you can make informed decisions, keeping in mind that security is a continuous improvement process and not a binary state.

Regardless of the actions you take (or do not take) to secure your software development process, it is vital to acknowledge that cyber security risks are real and constant, and that the impact of certain security incidents can be devastating, including high costs as well as damage to the reputation of your organization.

But beyond the security incidents you would prevent, implementing a Secure Software Development Life Cycle is also an opportunity to improve the customer experience, not just by making your application safer but also by improving the overall quality of your products, a consequence of a more efficient software development process.

The costs of not having a secure process

Security is seen by many simply as a cost that will never provide a return on investment, until a security incident happens and generates losses much larger than what it would have cost to secure the processes. So it is important to accept that the risks are real; it is then a matter of properly identifying and prioritizing them so you can make better use of your money by first securing what matters most to your organization. Keep in mind that this may be a long-term investment and you may not see the returns until years later.

The cost of fixing defects

A defect is a condition in a software product that does not meet a requirement or an end-user expectation; in other words, it is a fault in the code or logic that causes a program to produce incorrect or unexpected results. There are multiple kinds of defects, including business requirement, technical requirement, environmental and security defects. Software defects are a high risk to the quality of your product and, in consequence, to the user experience. They can also be seen as sinkholes that generate large costs if not handled properly, and this is where a well-thought-out and well-implemented software development process comes to help.

In particular, a secure software development process, one that includes the regular software development practices plus a specific focus on security, will help to improve not just the quality of your code but also to reduce the attack surface of your software products. This reduces both the cost of fixing defects and the cost of security incidents, which in turn has a positive impact on the overall security posture of your organization.

Another important aspect to consider when evaluating the cost of defects is that the longer it takes for them to be found and fixed, the more they cost. In the following table, presented by Steve McConnell in his book Code Complete, we can see the steep relationship between the stage (or the time) at which a defect is found and the relative cost of removing it: fixing a defect after the software has been released can cost 10 to 100 times more than fixing it during the requirements phase. This is because the more elaborate and complex a feature in a system becomes, the more dependencies it accumulates and the harder it is to change.

[Table: Relative Cost of Removing Software Defects, from Code Complete]

The same idea applies to the cost of security incidents: the longer a vulnerability exists in the software, the bigger the risk it represents, because attackers have more time to identify and exploit it without being detected. Additionally, if an attacker finds more vulnerabilities, the risk of a more impactful security incident grows sharply. So when you implement a secure software development process, you are improving not just the quality of your product but its security as well.

The costs of security incidents

A security incident is an event that violates an organization's security policies and may put the organization at risk. "Security incident" is a broad term that covers many different kinds of events, including:

· Ransomware attack

· Data Breaches

· Denial of Service

· Destructive Attacks

· Malware Infection

The costs of these incidents vary from case to case, depending on factors like the sensitivity of the information or system compromised, the number of hosts damaged, the number of sensitive records exposed and the cost of recovery, in addition to any legal implications arising from government regulations or from lawsuits by people or organizations directly affected.

To get an idea of the possible impact of a security incident, we can refer to the 2019 Cost of a Data Breach Report presented by IBM. The report takes into account hundreds of cost factors, from legal, regulatory and technical activities to loss of brand equity, customer turnover and drain on employee productivity, and is based on interviews with 507 companies that experienced a data breach between July 2018 and April 2019.

[Figure: 2019 Cost of a Data Breach Report]

The key findings of the report are the following:

· Lost business was the biggest contributor to data breach costs

· Data breaches impacted organizations for years

· The lifecycle of a data breach is growing

· Malicious cyber-attacks were the most common and expensive root cause of breaches

· Human error and system glitches still cost millions

· Small businesses are hit harder proportionately

· Cloud migration, IT complexity and third-party breaches were cost multipliers

· Encryption, business continuity management, DevSecOps and threat intelligence sharing were cost mitigators

· Companies with incident response teams and extensive testing saved over $1.2m

· Automation of security reduced costs

· Region and industry impact cost

· The odds of a data breach are increasing

Based on these findings we can clearly see the importance of implementing a secure development process, including secure coding practices, proper security testing and a complete software defect management strategy. The savings from these practices can exceed a million dollars per data breach, and considering the last point in the list, that the likelihood of a data breach is increasing, we can conclude that the investment in security becomes more profitable over time.

In the end, it will depend on your organization's risks and priorities how much you want to spend on security and how much risk you are willing to accept, but it is important to take some action.

In the words of Robert Mueller, a former Director of the FBI:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Alright, I get it, now what?

You may think that all this cyber insecurity is overwhelming and not know where to start, but the reality is not as bad as it seems. For example, we can refer to the 10/80/10 model, a theory of leadership that addresses group dynamics; even though the theory originated in the corporate world, it is highly relevant to cybersecurity as well. In this model, all people fall into three distinct groups:

[Figure: 10/80/10 Model]

In this model, the first group is completely fine; you do not even have to worry about them, and they can even serve as a model for others to follow. The second group is not the most dangerous either, but it is still one you have to keep under observation and control. The last group is the one that makes things challenging, as they usually have greater motivation and will work hard until they reach their objective, although the probability of being hit by this group is considerably smaller.

Looking at the most dangerous 10%, you may think that this is the first thing you need to address, but before jumping into it you need to understand the other 80%, the opportunists. An opportunist is not actively looking to take advantage of a situation, but if they see an opportunity and the consequences are minimal or none, they will take it. The key here is to reduce the opportunities and make it harder for them to take advantage, which can be done by implementing simple controls like stronger encryption or input validation; other vulnerabilities may be more complicated to fix, but in the end it is a matter of implementing the basic controls first. The good news is that doing this is easier than stopping the malicious 10% from harming you. Think of it as the low-hanging fruit that will in fact have the larger impact on your process of improving security, and that will also prepare the ground for addressing the other 10%.
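To make "a simple control that removes an opportunity" concrete, here is an added example that is not from the original article: the same user lookup written first without and then with a basic input control. The table, its two rows, the `make_db` helper, the username pattern and the test inputs are all constructed for the demonstration. The vulnerable version splices untrusted input into a SQL string, so an opportunist who happens to try a quote character gets every row; the hardened version rejects anything outside an allowlist and binds the value as a query parameter.

```python
"""
Added example (not the article's own code): a lookup without and with a
basic input control. All names, data and inputs here are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The opportunity: untrusted input is concatenated straight into SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


# Allowlist for the shape of a username (hypothetical policy for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Two basic controls: allowlist validation, then a parameterized query."""
    # Control 1: reject anything outside the expected shape before it
    # reaches the database. A quote or a space never gets this far.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Control 2: bind the value as data, so it can never change the
    # structure of the statement even if the allowlist were loosened.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    opportunistic_input = "x' OR '1'='1"   # constructed attacker input
    print(lookup_vulnerable(conn, opportunistic_input))   # leaks every row
    try:
        lookup_hardened(conn, opportunistic_input)
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_hardened(conn, "alice"))
```

The point of pairing both controls is defence in depth at near-zero cost: validation stops the bulk of opportunistic input at the edge, and parameterization makes the query safe even for the inputs validation lets through.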


Carlos Bocanegra

Software security professional with 16 years of experience in all areas of the software lifecycle.