Building Security into the Development Process

Every year, about $9.1 billion in potential online sales revenue is lost because shoppers are afraid of buying online, according to FirstData. While this figure may be upsetting for owners of ecommerce portals or other online businesses, what is more distressing is that so many consumers fear their personal or financial information is at risk of online theft, fraud and data breaches. And they have every right to feel that way.

Each year, more and more organizations, large and small, fall prey to cyberattacks and data fraud. The number of data breaches reported in the U.S. continues to rise: from 2012 to 2014, reported breaches increased from 447 to 783 per year, and the trend has continued. With so many companies suffering massive data breaches impacting millions of consumers, modern enterprises require a comprehensive approach to data protection and security.

Make Security Integral, Not an Afterthought

Whether it is a simple app designed for a local start-up or a mega-project for a large corporation, a product, app or system usually goes through a specific development cycle (SDLC, the Software Development Life Cycle), which includes design, coding, testing and deployment. A major weakness of this process is that security is typically considered only at the end, during final testing or just before deployment, when design decisions are already fixed and expensive to change. Companies should instead switch to an S-SDLC (Secure Software Development Life Cycle), which builds security into each phase and includes a security assessment at every stage of software development.

Instead of the usual cycle of testing, patching and retesting that runs into multiple iterations, the S-SDLC process addresses security issues very early in the development cycle, saving time and money. Organizations can follow the steps outlined below to reduce the exposure of their critical data to attackers and to ensure that it can be recovered after a disaster.

Onboarding the Security Team from Day One: Instead of relying on a routine, one-time security check before going live, development teams must ensure that they have software security experts who can model threats at every phase and recommend design and implementation changes while those changes are still cheap to make, early in the development cycle.

Think like a Hacker: “To combat a hacker, you need to think like a hacker,” which is why ethical hacking techniques and security assessment measures like penetration testing become so critical. Penetration testing, or pen testing, consists of an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system’s features and data. The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain the goal. Pen testing can cover servers, systems and network devices as well as web and thin/fat client applications, probing for vulnerabilities and logic flaws to pinpoint the methods an attacker could use to exploit them. Depending upon the scope of the project, organizations can choose between Black Box (the tester has no internal knowledge of the system), White Box (the tester has full access to source code and design) or Grey Box (partial knowledge) penetration testing. The results of such testing can be discussed with IT teams as well as management to finalize the measures required to plug the security flaws.
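What "addressing security issues early" and "thinking like a hacker" look like in practice is a security regression test that runs with the rest of the test suite on every build, rather than a pen test run once before go-live. The following is an added example, not code from the original article or from Mobiliya: it pairs a deliberately vulnerable login query with its hardened form and feeds both the classic `' OR '1'='1` input a penetration tester would try. The SQLite schema, the sample user row, the function names and the stored plaintext passwords are all constructed for illustration (a real system would store password hashes, never plaintext).

```python
"""Added example (not from the original article): a security regression test
written during development, rather than a pen test run after go-live.

The vulnerable and hardened login functions, the SQLite schema and the sample
user row are all constructed here for illustration. Passwords are stored in
plaintext only to keep the example short; real systems must store hashes.
"""
import sqlite3

# Constructed sample data: one user with a known password.
SAMPLE_USERS = [("alice", "s3cret")]


def make_db():
    """Build an in-memory SQLite database with a single users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """'Before' version: builds the query with string formatting, so the
    caller's input becomes part of the SQL statement itself."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """'After' version: a parameterized query. The driver sends the values
    separately from the statement, so quotes in the input cannot alter it."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The kind of input a penetration tester would try: it closes the quoted
# string and appends a condition that is always true.
INJECTION_USERNAME = "' OR '1'='1"
INJECTION_PASSWORD = "' OR '1'='1"


def run_security_checks():
    """Return a dict of outcomes that a CI job can assert on."""
    conn = make_db()
    return {
        # Both versions must still accept the real credentials...
        "vulnerable_valid_login": login_vulnerable(conn, "alice", "s3cret"),
        "hardened_valid_login": login_hardened(conn, "alice", "s3cret"),
        # ...and reject a wrong password.
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "hardened_wrong_password": login_hardened(conn, "alice", "wrong"),
        # The attacker's input: the vulnerable version lets it through because
        # the injected OR '1'='1' matches every row; the hardened version
        # treats it as a literal, non-existent username and refuses.
        "vulnerable_injection": login_vulnerable(
            conn, INJECTION_USERNAME, INJECTION_PASSWORD
        ),
        "hardened_injection": login_hardened(
            conn, INJECTION_USERNAME, INJECTION_PASSWORD
        ),
    }


if __name__ == "__main__":
    for name, outcome in run_security_checks().items():
        print(f"{name}: {outcome}")
```

Run as a test in the build pipeline, the `vulnerable_injection` result is the one that fails the build: the defect is caught on the developer's commit instead of in a post-release pen test report, which is the cost saving the S-SDLC argument rests on.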

Dedicated Time Slot for Security Analysis: The typical product development cycle is a frantic rush of deadlines, and project managers are often hard-pressed to spare time for security checks, which opens the door to error. While meeting deadlines is a must, it is important to reserve time for adequate security measures, especially as the project grows in scope and complexity.

Spending on Security is Worth It: Security teams are often criticized by project managers or top management for adding to project costs when they ask to buy specialized security software or services. While such tooling does add to the budget, the value it delivers makes the investment worthwhile. Only then is the circle complete and the idea of involving security experts in the project truly works. Restricting their role to occasional security reviews is a half-hearted measure with inadequate results.

While software security assessment is still considered a time-consuming exercise, organizations must build repeatable processes that enable faster assessment and swift deployment of fixes.

Krish Kupathil is the founder and CEO of Mobiliya, which provides device-to-cloud software engineering and system integration services with specialization in Internet-of-Things, enterprise software, augmented reality, embedded systems, security and automotive. With a track record of over 25 years in building and growing companies and new markets, he has carried out strategic exits, pioneered enterprise mobility, cross-OS communication and collaboration services. 

Image Credit: La1n/Shutterstock.com
