Whether you move from an on-premise platform to a mobile device or a virtual cloud environment, security has always been the biggest concern. It’s no more shocking to hear about big banks, financial institutes, and large organizations shutting down their business or coming to a standstill due to an unexpected system crash, a security breach, or a virus attack.
Security outages are observed on all platforms. And it is becoming more and more challenging to detect and prevent such malicious intruders from getting into our complex multi-tier systems.
In the end, it’s the customer who pays the price for delays caused due to such mishaps, leaving them unhappy with an insecure, poor quality software system or service at their disposal.
And customers are left with no choice but to look out for a more secure and reliable solution.
Is your software secure enough?
Interestingly, when you ask customers the question, “Is your system secure?” in many cases the answer may come as a surprise “we don’t know”. At the same time if we pose the question “Do you really care about security?” the answer is always “off course we do”.
Unfortunately, I did not find any magical formula or silver bullet assuring that my software/system is 100% secured or bug free.
In this blog, I would like to share my experience around security standards and compliance.
After spending some time studying the various security issues logged in the last couple of years, it was easy to arrive with the following root causes for security failures:
- Lack of awareness on security and security standards
- Security requirements not defined or unclear
- Not enough communication between product and development teams
- Design errors which introduce security loop holes
- Bad programming practices or coding issues
- Missing security test plans/use cases
The approach I would take to certify my software/system as being free from security violations is to review and validate my system against the 6 causes of security failures. At the minimum, I would run through each of these points to understand if they apply to my situation.
Example: Lack of awareness on security and standards
Today very few developers in the organization understand the importance of security requirements or significance of security standards. Also they are unaware of the impact of leaving a security hole in the system. There are a few organizations/institutes like National Institute of Standards and Technology (NIST), Open Web Application Project (OWASP), Object Management Group (OMG), Consortium for IT Software Quality (CISQ) who have established ground rules and published standards for security compliance.
Similarly we can go through each of the items to understand more about its applicability and impact on our software system, and define a plan of action if required to fulfill the same.
Plan of Action
We can imagine a simple action plan as defined below for “Lack of Security/Standards Awareness” root cause.
- The management should initiate and run security awareness programs for all the teams within the organization.
- The management should organize trainings on security standards/requirements at the product management and development team level.
- Promote use of software tools in the development/maintenance process that help to detect security violations by checking source code.
There are various tools that offer static code analysis and/or dynamic code analysis. For example: CAST Application Intelligence Platform is one such tool which performs static analysis to covers all the top security requirements identified by various security standards/organizations such as OWASP, CWE, PCI and CISQ
Most of the causes mentioned in this blog around security failures are mainly linked to human errors and could be avoided by taking appropriate measures during the various phases of the software development or maintenance process.
In the next blog, I would like to dive into the security requirements/standards which one needs to be aware of. So stay tuned.
Feel free to leave any feedback in a comment below