THE FIRST PHASE OF THE SECURE SDLC IS THE TRAINING PHASE
Despite the evolution and use of more sophisticated cybersecurity controls and tools to ensure data security in modern corporations, cyber-attacks are becoming more commonplace and are causing massive damage worldwide.
While the average cost of a data breach soars into the millions, reports indicate that 88 percent of companies have had a data breach.
In addition to this, while a large number of vulnerabilities are found within the network layer of corporations - resulting in executive decisions to harden network infrastructures - nearly 70 percent of high-risk vulnerabilities are found at the top portion of the network stack - the application layer.
Unfortunately, only a small percentage of developers have any role in testing applications for security, which - with the division between developers and security engineers - often results in insecure applications.
The weakest link of all cybersecurity breaches, exploits, and major issues lies with end-users and developers - people. The security knowledge of the developer and how the software is developed plays a major role in how secure applications will be before end-users come into the picture.
Research into corporate infrastructures has shown that developers often create security issues instead of mitigating them (while executives often don't offer security training).
Thus the burden of responsibility falls upon software engineers to develop secure applications that do not contain security vulnerabilities.
At the development level, training is the first step in establishing a satisfactory overall Secure Software Development Life Cycle (SSDLC), as it begins with educating the engineers who will be building the architecture and developing the applications.
The training should not stop with the developers themselves - as many SDLC models seek to increase collaboration and integration with development teams, it is important for all members associated with a software project to receive thorough security training to ensure that security is a core concern at every step of the SDLC.
Thus, while developers, QA testers, executives, project managers, and operations administrators, etc. may all have different roles, when each one has been trained in cybersecurity the security of applications will go from being a distant, back-seat objective to a core objective, resulting in secure applications that save money.
This can result in more informed decisions at the executive level, as the post-production security of the application and the hostile environment associated with a deployed application will be better understood, and threats can be better mitigated.
Security training of all personnel will also help to make cybersecurity more prominent during discussion, planning, and board meetings.
Currently more than seventy percent of developers admit that security is not discussed during SDLC planning discussions, and a minute amount discussion time was devoted to security topics within major sectors of the software industry.
Cybersecurity training will help to disseminate security concepts that can ensure that all employees working on projects are included during security discussions, and helps to reinforce cybersecurity knowledge & terminology that pertains to such discussions.
CORE SECURITY TRAINING FOR BUILDING SOFTWARE THAT IS SECURE
As software engineering is a discipline that is always evolving, teaching security engineering concepts is a valuable next step for talented team members that have a drive to learn and a passion to produce applications that perform well and are also secure. Interestingly, approximately 80 percent of cyber-attacks carried out on major corporations can be easily avoided, since many of such attacks are carried out by so-called "script kiddies" who use automated tools without much knowledge of actual hacking.
Generally, they simply probe different IT systems and attempt to scan for vulnerabilities to invade any system that they can access. Thus, basic security training for your employees can help to mitigate 80 percent of potential cyber-attacks on your company. Security training can be broken up into three phases, as follows:
Security Aware: Becoming security-aware is a necessary pre-requisite for adopting correct, security best practices during SDLC phases. It is thus necessary for all project team members to complete basic security training modules, which should always include network security, cryptography, and application security.
In addition to this, more specific topics such as social engineering, phishing, secure coding, and basic hacking methodologies should be taught, along with different secure SDLC models. A comprehensive teaching of the OWASP Top 10 is also mandatory, and obtaining the Security+ certification is also helpful.
Security Skilled: After establishing basic security knowledge, your development personnel can take more advanced security training (e.g. secure coding, CISSP certification) and engage in hands-on exercises, such as Capture the Flag (CTF), Attack-Defense, or gamified security challenges such as Jeopardy style security trivia games.
Security Champion: The last level in security training encompasses learning advanced secure coding methodologies in relation to corporate platforms and frameworks.
A very important step that will help to assess the security training of employee, is giving them the responsibility of conducting security scans, security audits, and code reviews for other software engineers.
Some advanced-level responsibilities can also include teaching other engineers security best practices - via blogs, internal corporate wiki posts, group discussions, etc. - and organizing the security competitions or gamified cyber-challenges for the security aware and security skilled developers.
UNDERSTANDING THE OWASP TOP 10 AND THE CWE 25 ERRORS IS CRUCIAL
The OWASP Top 10 is a list of the ten most critical web security risks that every web application software engineer should be aware of, while the CWE 25 Errors offers insights into the 25 most critical software development security errors that are commonly found in applications. The OWASP Top 10 includes processes for integrating SSDLC strategies into classical SDLC models, and encompasses some noteworthy security issues:
- Injection (e.g. SQLi)
- Cross-Site request forgery (CSRF)
- Cross-Site Scripting (XSS)
- Lack of efficient Transport Layer protection
The OWASP Application Security Verification Standard (ASVS) is also important for engineers to be acquainted with, as the ASVS aids in secure application development and testing.
Educating personnel on such cybersecurity training materials also assists with achieving regulatory, legal compliance, i.e. PCI DSS (which necessitates annual training in secure application development and makes addressing the OWASP Top 10 risks mandatory), Sarbanes-Oxley, Graham Leach Bliley, and other regulations.
TRAINING IN SECURE SOFTWARE DEVELOPMENT ALSO BREAKS DOWN TO SPECIALIZATIONS
Becoming an advanced-level "security champion" requires gaining an intimate knowledge of not only basic secure software development methodologies, but also of more advanced concepts and tools associated with developmental specializations.
Having in-depth knowledge of the different application frameworks - and how to develop efficiently and securely with them - is an integral step, as each framework offers different features, functions, and security protections that must be fully researched and their use well documented in order to be efficiently used by your engineering teams.
To make the best use of such frameworks, secure default parameters should be built into project templates for distribution to the rest of the engineering teams to maximize cybersecurity efficiency. In addition to this, centralized libraries - for validation, encoding, authentication, authorization, etc. - should be created and distributed to engineering teams for use.
This will increase the productivity and efficiency of software engineering teams regarding the secure coding of applications.
DEPENDING ON THE SOFTWARE YOU ARE WORKING ON YOU MAY NEED SPECIFIC TRAINING IN THIS PHASE
There are several different development frameworks that software engineers routinely use today. It is necessary to apply SSLDC methodologies to the development of software using such frameworks. Specialized security training may thus be required to efficiently make use of secure coding and SSDLC strategies in conjunction with such frameworks.
Since frameworks are very different from one another, their features differ substantially. It is mandatory to have in-depth knowledge of the different frameworks available today, such as Spring Security, NodeJS, AngularJS, .NET MVC, and Amazon Web Services (AWS), etc.
Combining Secure SDLC strategies with today's popular and powerful development frameworks will help to produce efficient, powerful, secure applications that will perform optimally without critical vulnerabilities.