One of the most critical thoughts in a CIO’s mind these days is Cyber Security. Hardly a day goes by without the media setting out how a major organisation has been hacked, its website compromised or information stolen.
There are many ways that a corporate network can be secured by using hardware and software solutions. Training and education programmes educate users and the CIO and Network Security head keep up to date on Cyber Security trends by using social media and corporate events.
One of the major development areas right now is extending the corporate network to provide remote access and opening up internal systems to external access by the organisation’s road warriors from public locations. A second thrust is to provide potential and existing clients with access to a limited sub-set of corporate functions, for instance, order tracking.
The deployment of VoIP is also a potential vector for hacking attacks. However, one area that is often overlooked is the introduction of potential security holes when developing new applications. How do you guard against doing this?
In development terms, Cyber Security is preventing the unexpected actions that can happen when an application is executed, particularly those that allow a user to do things that are not allowed.
While it must be recognised that developers may introduce vulnerabilities deliberately, perhaps to ease later access to the system by providing trapdoors that bypass application security, there are many ways in which the threat can be minimised.
A further threat is that of time and financial pressures. Applications can be released before they are ready, and in effect, the user carries out the later stages of systems testing. This needs to be resisted, but often financial considerations take priority.
The follow-on to this is that the development process must be monitored and measured to ensure that security risks are minimised.
This means that security must be built into the software design and development cycle. Some commentators are going as far as saying it is no longer a software development lifecycle, but a security development lifecycle.
It further means that designers and developers need to be fully up to speed on potential threats in development software, development techniques and integration with the existing corporate network environment.
There must also be regular security reviews built into the development and deployment process.
To look in some more detail:
Security is not an option
In most environments security is not an option. A bug or loophole in the control software of a fly-by-wire aircraft or robot used in the production process could have fatal results. Data theft could be equally damaging to an organisation.
The first step is a recognition that security is not an add-on, but a vital part of the development process. This may require a new or modified development process in the organisation.
Security as an essential part of the Development Lifecycle
There are two major considerations here:
Keep designers and developers up to speed on security matters, so they can choose the most secure tools and techniques.
Some tools are better than others. As an example from the open systems world, OpenBSD, a free version of UNIX, has had only two potential vulnerabilities reported in the last twenty years.
Developers and designers need to review their development and operating environments to ensure that they are not relying on vulnerable software. They also need to periodically review their design and development standards to ensure that they are up to date with current vulnerabilities.
Areas to consider include:
- Security requirements in the application design
- A review of the types of user that will use the application and design security accordingly
- Choosing appropriate development tools and techniques
- Considering how data will move through the application and how it is to be secured
Add security reviews and vulnerability tests, for instance penetration testing, on new developments as part of the normal development process.
Make security part of the acceptance criteria.
It is generally thought outside ICT that security is network security: the hardware, software, and procedures needed to protect the corporate network. That is not the whole story. Security threats and vulnerabilities can be introduced with in-house developed software, and well-educated and well-informed design and development staff are needed to prevent that happening.