Security by Design: Shifting a Common Concern to the Left

Security is an evolutional process that should be implemented on time and improved continuously. A Security by Design mindset will protect customers and their assets.

The Challenges of a Modern Society built on Software

Due to rapid increases in dependency on everyday products, services and processes in the underlying software, secure software development is an ever-growing topic.

Any well-established company’s reputation can be damaged by the most basic malicious attacks at the drop of a hat. Security has become one of the top priorities in software delivery over the last few years and is not something that can be added, nor a product that can be bought, but rather an evolutional process that should be implemented on time and improved continuously.

Security is about mitigating risk

When an organisation ignores security issues, it will most likely expose itself to risk by making large amounts of sensitive data stored in business applications, vulnerable to being stolen or tampered with at any time by hackers.

Risk is the likelihood that a threat can exploit a vulnerability, this being a weakness or gap in a security program that provides unauthorised access to an asset. Assuming that every business depends on information, information systems can expose it to attacks by exploiting vulnerabilities that take advantage of or cause damage to an organisation or individual. Situations that inflict reputational damage on an organisation will ultimately result in far greater losses than the direct cost of the particular event.

Security shall be tacked by all professionals - from project managers to operators involved in the delivery and operational processes. Every stage is part of a Secure Software Development Lifecycle, from design to development, testing and operation.

Security issues can be detected just as any other defect. In terms of bug fixing costs, the later they’re detected in the software development lifecycle, the higher the cost for fixing them, so implementing an adequate testing strategy earlier in the development lifecycle saves effort, time and money to fix security issues.

Application Security

Application Security (AppSec) refers to processes delivering more secure and resilient solutions by detecting potential security vulnerabilities in advance, from the Design to Deployment phases, and resolving them adequately.

AppSec encompasses secure:

code created to implement web applications;
libraries;
back-end systems;
web and applicational servers.

Celfocus holistic approach to Application Security

Celfocus has a holistic approach to Appsec acting as an enabler and promoter of its clients’ Digital Trust.

Application delivery is much more than just coding, it’s a complex process involving different team member profiles: Product Owners, Project Managers, Analysts, Architects, Developers, Testers, DevOps and Security Analysts. These contributors’ work must be synced and aligned with Application Security best practices.

Processes: focuses on the supporting artefacts, solutions or policies related to secure software deployment, including the delivery platform that encompasses automatic security controls, the centralised solutions to monitor delivery quality and the policies that frame the approach to the delivery;
Practices: aims at providing teams with documented best practices to set high standards regarding secure software development through the establishment of guidelines and delivering suitable training to the general development stakeholders or specific project teams;
Culture: addresses the project teams’ awareness of application security topics, promoting knowledge-sharing communities for issues teams face and the most updated challenges in the application security arena, establishing a learning organisation.

Secure Software Development Lifecycle

Celfocus has a holistic view regarding software development in which security plays a fundamental role. Teams are trained to ensure Security by Design - as the most effective approach to prevent code vulnerabilities and influence the overall product strategy by shifting-left security controls.

Four macro processes can be easily educed to help clarify this flow:

Design Stage: where the solution is cooperatively designed by business analysts, solution designers & architects based on the identified requirements. Here, the security architecture is defined considering all the data flows and threat-modelling discussions;
Code: where developers are hands-on once the solutions’ design in mature. Having special plugins to alert them of possible vulnerabilities, however, peer reviews are also reinforced;
Testing: where quality teams execute automated security testing to detect security hotspots, halting its process if medium or high vulnerabilities are found. Third-party libraries should also be investigated for licensing & known security vulnerabilities;
Build: where the delivery to a hardened production environment is ensured with complete control of who has authorised deployment, moving the worked solution towards the finish line. The final security control is a penetration test executed by a third-party accredited team to detect anything missed during the entire delivery process.

Shift-left security means setting up security controls throughout all delivery stages:

Benefits

By acknowledging the importance of adopting a Security by Design mindset to protect customers and their assets, Celfocus approach to Application Security ensures that the following interconnected aspects are safeguarded:

Protecting Customer’s Confidentiality:
Fraud Prevention;
Assure Regulation Compliance;
Deliver Reliably;
Digital Trust.

Having these aspects under control allows organisations to avoid financial consequences, as well as losses in sales or fines, and maintain their reputation intact.