In a recent article, we started exploring the importance of secure development for the cybersecurity industry. This issue has been a focus of the security certification body ISC2 with their new CSSLP (Certified Secure Software Lifecycle Professional) certification. Our author Tom Madsen further explores this topic and why secure development is of utmost importance.
This article is inspired by a recent project by ISC2 to promote their software security certification, CSSLP. During the autumn, ISC2 will release a book with stories from those of us with the CSSLP certification on our resumes and arguments for why this certification is relevant in today’s cyber security landscape. I am part of the book just mentioned, and writing my own contribution to it inspired this article on software security in the development process. Software security in this context is not focused on patching and configuration, but strictly on the processes involved in the programming and design of the program. There are many, many other things involved in a programming project, I know, but the core fundamentals of a secure program begin with the design and programming of the product!
We have been designing programs for many years now, with a focus on the various data structures inside the program and on the UI of the program. Security was relegated to how to log onto the system and possibly what kinds of rights the end users could get on the software system. Those are important considerations, yes, but in today’s complex world of cyber threats they cannot stand alone in protecting an application and its data. The security designed into an application must reflect the importance of the application to the organization that commissioned it, and of the data that the application will eventually handle. A few of the points that should be part of the design phase of a new programming project are:
- Data – what kinds of data will this application be dealing with?
- Minimize the complexity of the solution
- What other kinds of other programs/systems must the application interact with?
- Who needs to access the application?
If you search on the Internet for secure application design points, you will find many different kinds of lists, with between 7 and 9 points. They are all valid lists, make no mistake there, but during the design and architecture process the above points will be of the utmost importance for the security of the final application.
Rarely, if ever, is an attacker interested in the application by itself. It is always the data behind the application that is of interest to an attacker. Whether the aim is encrypting it for ransom or plain exfiltration, it is the data that has value, for both the attacker and the organization! Depending on the type of data, there will be compliance requirements or regulations to take into account when designing the application. Should the data be encrypted while at rest? What about in transit? These are all important considerations that must be part of the development of the new application.
Any complex system is difficult to secure! If the application can be designed with a minimum of complexity built into both the code and the architecture, then securing the final product becomes a much easier job. On top of that, integrating the application into the existing infrastructure in a secure manner becomes much less of an exercise in frustration for the staff responsible for implementation. Unfortunately, in current development efforts as I see them in the public sector in Denmark, everything but the kitchen sink gets thrown into the mix in new development projects, adding significant complexity to the project. Aside from the cost overruns, the complexity makes securing such projects a challenge.
No software system ever stands alone in the infrastructure; there is always some form of integration with external systems involved in the development. Depending on the age of any legacy systems that the new application needs to integrate with, such integrations can present significant obstacles to the overall security of the application. I have clients that are still using the old AS-400 system from IBM in their infrastructure, just to make a point here.
Access to the application and its data is, and will always be, an important consideration in new application development. There are plenty of authentication systems you can use; the most prevalent now is Azure AD. Which authentication framework you use should be secondary to considering what level of access is required to the data the application works with. Remember, the application is of almost no interest to an attacker; it is the data behind the application that provides value to both us and the potential attacker. Use one of the already existing frameworks for authentication, do not develop your own! It is highly unlikely that any of us will be able to develop a secure authentication system by ourselves, and the ones that already exist have been used by so many projects that they have been tested extensively in the wild, making them much more secure as a result.
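As an added illustration of the "do not develop your own" point (this is not code from the article, from ISC2 or from any of the frameworks mentioned), the Python below places a hand-rolled password check next to one built from the standard library's vetted primitives. Function names, the scrypt cost parameters and the sample password are constructed for the example; the point it makes is that even the simplest piece of authentication, storing and checking a password, has several ways to go wrong that an existing framework has already handled.

```python
"""Added illustration: hand-rolled password storage beside a version built on
vetted standard-library primitives. All names and sample data are constructed."""
import hashlib
import hmac
import os

# --- Hand-rolled version (constructed as a counter-example) -----------------

def naive_store(password: str) -> str:
    # Mistake 1: a single unsalted, fast hash. Two users with the same
    # password get the same record, and precomputed tables apply directly.
    return hashlib.sha256(password.encode()).hexdigest()

def naive_check(password: str, stored: str) -> bool:
    # Mistake 2: '==' on strings stops at the first differing character, so the
    # comparison time depends on how much of the digest matched.
    return hashlib.sha256(password.encode()).hexdigest() == stored

# --- Version using vetted primitives ---------------------------------------

# scrypt cost parameters (assumed values, kept small so the demo runs quickly;
# a real deployment takes the defaults of the framework it uses).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def store(password: str) -> str:
    # A fresh random salt per record and a memory-hard KDF instead of a plain hash.
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt.hex() + "$" + key.hex()

def check(password: str, stored: str) -> bool:
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    # Constant-time comparison, so timing does not reveal partial matches.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def same_password_same_record(store_fn, password: str = "correct horse") -> bool:
    """True when two records for the same password are identical (a property
    the naive scheme has and the salted scheme does not)."""
    return store_fn(password) == store_fn(password)

if __name__ == "__main__":
    rec = store("correct horse")
    print("salted check, right password:", check("correct horse", rec))
    print("salted check, wrong password:", check("battery staple", rec))
    print("naive scheme leaks duplicates:", same_password_same_record(naive_store))
    print("salted scheme leaks duplicates:", same_password_same_record(store))
```

The constructed `naive_*` pair is the kind of code that looks finished but is not; the second pair only composes `os.urandom`, `hashlib.scrypt` and `hmac.compare_digest`, which is the smallest form of the article's advice to rely on what has already been tested in the wild rather than write it yourself.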
Okay, we now have a design that takes security into account. Now we will have to begin the actual programming of the new application. Secure programming covers a lot of moving parts, making the effort a somewhat extensive one for any programmer. Fortunately, there are methods that we can lean on in our efforts. The one most people know about, but few ever implement, is the Microsoft Secure Development Lifecycle. If any of your programming projects are Microsoft based, then this methodology is the way to go. Even if the project is not Microsoft based, this method will offer advice and steps that can help in your efforts! You can find more information and implementation help here:
The other one I would like to recommend is BSIMM. BSIMM stands for Building Security In Maturity Model. VMWare is using this model in the development of their hypervisors, for instance. BSIMM is a model aimed at development organizations of significant security maturity, as the name suggests. You can read more about BSIMM here:
Both of these frameworks/methodologies are from the early 2000s, and they both offer help and advice on areas like processes, procedures and programming. Which one to use depends on the kind of application you are developing. For VMWare, using BSIMM for an application as critical as their hypervisor makes complete sense, but many applications can be made with smaller frameworks, like for instance Microsoft’s SDL. The important part in any new programming effort is to think about security from the get-go and to make sure that the actual programming is done in a manner that reflects these security needs!