Author: Todd Becker, PCI QSA, ISO 27001 Auditor
Secure development is not just for software companies and custom application development shops. Embracing secure development practices in IT and procurement functions within an organization ensures that reasonable and appropriate actions are exercised to achieve compliance with regulations and other security requirements. According to a 2013 Ponemon report, applications were compromised to gain access in 42% of malicious data breach incidents. Secure development practices could also provide a marketable differentiator for any company that takes customer payments or maintains confidential or personally identifiable information (PII).
What is secure app development?
It is the proactive and defensive development of web applications, intended to limit vulnerabilities. Strategy and methodology guidance for software security can be found in the OWASP Software Assurance Maturity Model (SAMM). Technical and operational support for this approach is provided by the OWASP Top 10 and the OWASP ASVS (Application Security Verification Standard). These guidelines provide best practices for establishing secure web solutions, including understanding security requirements, designing misuse cases, and educating business analysts, developers, and quality assurance personnel. In addition, they provide tools, methods, and techniques for those same groups and establish guidance for working with internal audit and/or third parties to verify that applications are being coded and operated securely.
Reducing the risk of exposure and loss of critical data assets is a challenge for all organizations. Substantial progress has been made to strengthen most perimeters; however, the internal and external applications and interfaces, custom and packaged alike, remain the core weakness of many organizations.
Cybercrime continues to rise, increasing 42% over the previous 12 months. Targeted attacks on small businesses (<250 employees) almost doubled from 2011 to 2012. Attackers exploit weaknesses in web applications and interfaces that provide the access required to execute substantial data breaches. Advanced Persistent Threats (APTs) are sophisticated attacks that leverage multiple threat vectors over a period of time to accumulate significant volumes of confidential information.
Sidebar: What is an APT? An APT is an Advanced Persistent Threat. The term was first coined by the US Air Force in 2006 to describe a state-sponsored cyber threat when discussing it with non-classified civilians and the general public. The targets of APTs are typically defense, industrial bases, the financial industry, manufacturing, and research firms. APTs are relentless and well-funded. Their purpose can vary but generally falls into one of four categories: harvesting intellectual property, gaining insights into critical activities, nation monitoring (spying), or serving as a subtask of a larger national objective. They are typically designed with the specific target in mind.
Organizations that utilize commercial off-the-shelf (COTS) software could have security vulnerabilities related to those solutions and have a responsibility to ensure the software they are using has been subjected to secure development practices by the manufacturer.
Interfaces between systems are also a point of exposure. These interfaces, often developed in house or by a third-party implementer, are a critical link in the security chain and require due care.
From a liability standpoint, establishing due diligence in development and procurement processes will provide a layer of protection from legal and financial impacts, brand damage, and loss of competitive advantage as a result of a breach.
If secure application development practices are viewed from a risk management perspective, then the associated liabilities can be prioritized along with the organization's other IT risks.
Implementing security into development and procurement functions can be a challenge. Organizations can and should integrate security best practices into development incrementally, reaping proportionate benefits as they go. It does not need to be an all-or-nothing value proposition. Start with an awareness campaign at the business level. Understand the security requirements related to the data types involved and the related risk factors. From there, you can design the appropriate process, methods, controls, tools, and training to meet your organization's objectives. The rewards are waiting for those willing to put in the effort.