Prashanth BP, Cyber Security Architect | July 17 2023
Recent cybersecurity breaches have prompted organizations to reevaluate their cybersecurity posture, leading to a shift from the traditional "Secure-by-Test" approach to a more proactive "Secure-by-Design" approach. However, managers and developers often struggle with how to practically incorporate secure-by-design principles into their software development methodology without impeding development teams.
While each organization may have its own unique processes, here are a few guidelines to help adopt a secure-by-design approach within your development teams:
1. Familiarize yourself with your organization's IT security policies.
Many managers and developers are unaware of the security policies governing software development, access management, data protection, security operations, and new vendor assessment within their organization. It is essential to understand these policies to establish a secure framework for software development.
2. Understand the classification of data used in applications.
It is crucial to be aware of the type of data accessed, modified, and stored in your application. Refer to your organization's data classification framework to determine the classification of that data, which will dictate the appropriate security controls to implement in the application.
3. Develop and communicate a threat model for the application.
Engage with an IT security specialist within your organization to create a threat model for the application. A threat model provides a structured approach to identify, quantify, and address security risks associated with the application. Various threat modelling methodologies, such as STRIDE, MITRE, and PASTA, are available for reference.
Typically, the process involves identifying the main entities and processes in the software architecture, creating a data flow diagram to delineate trust boundaries and data storage locations, identifying users/actors and their interaction scenarios, and assessing threats to the application. Address the identified threats using appropriate risk mitigation strategies based on your organization's risk appetite. It is essential to communicate the application's risks to relevant stakeholders in the business and technology areas.
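The process described above, as an added example rather than code from the article: a STRIDE-per-element pass over a constructed three-element data flow diagram, which lists the applicable threat categories for each element and flags flows that cross a trust boundary. Element names, zone names and the three-tier layout are assumptions.

```python
from dataclasses import dataclass

# Constructed example (not from the article): STRIDE-per-element applied to a
# small data-flow diagram. Element and zone names are hypothetical.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Threat categories that apply to each DFD element type in STRIDE-per-element.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str               # "external" | "process" | "datastore" | "flow"
    zone: str = ""          # trust zone; a flow takes the zones of its endpoints
    endpoints: tuple = ()   # flows only: (source, destination) element names
    is_log: bool = False    # a store holding audit logs also faces Repudiation

def threats_for(el: Element) -> list[str]:
    letters = APPLICABLE[el.kind]
    if el.kind == "datastore" and el.is_log:
        letters += "R"
    return [STRIDE[c] for c in letters]

def crosses_boundary(flow: Element, by_name: dict) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    src, dst = (by_name[n] for n in flow.endpoints)
    return src.zone != dst.zone

def enumerate_threats(elements: list[Element]) -> list[dict]:
    """One row per element: applicable STRIDE categories, flagged if boundary-crossing."""
    by_name = {e.name: e for e in elements}
    return [{"element": el.name,
             "threats": threats_for(el),
             "crosses_boundary": el.kind == "flow" and crosses_boundary(el, by_name)}
            for el in elements]

# Constructed DFD: untrusted browser -> web app and orders database, both inside
# the internal trust boundary. Only the first flow crosses that boundary.
MODEL = [
    Element("Browser", "external", zone="internet"),
    Element("WebApp", "process", zone="internal"),
    Element("OrdersDB", "datastore", zone="internal"),
    Element("Browser->WebApp", "flow", endpoints=("Browser", "WebApp")),
    Element("WebApp->OrdersDB", "flow", endpoints=("WebApp", "OrdersDB")),
]

if __name__ == "__main__":
    for row in enumerate_threats(MODEL):
        print(row)
```

Boundary-crossing flows are where authentication, integrity and confidentiality controls are usually decided first, so the flag is a convenient ordering for the review.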
4. Implement security controls for identified threats.
Once you have reached an agreement with the business owners on the budget and mitigation strategy for specific threats, design and implement security controls accordingly. Collaboration with other security teams or functions may be necessary. Modify the solution design to accommodate recommended best practices from IT security specialists or to mitigate risks. Any remaining risks should be accepted by the business owners, documented in a risk register, and periodically reviewed by IT security.
5. Conduct security testing of the application.
In addition to regular application testing, it is vital to perform Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Penetration Testing.
SAST involves scanning and analyzing static code, configuration files, and other artifacts to identify potential security vulnerabilities. DAST exercises the running application to simulate real-world attack scenarios and uncover a different set of vulnerabilities. Penetration Testing, typically done in-house or by hiring third-party experts, aims to simulate the actions of a malicious hacker and identify vulnerabilities that SAST and DAST might miss (e.g., DDoS attacks, cross-site scripting). Lastly, create an action plan to address the identified vulnerabilities.
6. Monitor the application after deployment.
All applications should generate logs to facilitate debugging of potential errors or malicious events. The specific events to log depend on the application's requirements. It is advisable to log authentication events, access control failures, potential errors, access to sensitive data, and input validation failures with detailed timestamps. However, sensitive information such as personally identifiable information (PII), sensitive session identifiers, and passwords should never be logged.
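The logging guidance above, as an added example that is not part of the article: a small structured security-event logger that accepts only the event types listed, stamps each record with a UTC timestamp, and drops password and session-identifier fields and masks PII-looking values before anything is written. The field names, redaction patterns and event type labels are assumptions.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Constructed example (not from the article): a structured security-event logger that
# timestamps the event types listed above and redacts the fields that must never be
# logged. Field names and patterns are hypothetical.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "session_id", "cookie"}
# Value patterns treated as PII and masked wherever they appear in string fields.
PII_PATTERNS = [(re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
                (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "<ssn>")]
# Event types the article recommends logging.
EVENT_TYPES = {"authn", "authz_failure", "input_validation_failure",
               "sensitive_data_access", "error"}

def redact(value):
    """Recursively drop values under sensitive keys and mask PII-looking substrings."""
    if isinstance(value, dict):
        return {k: "<redacted>" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern, mask in PII_PATTERNS:
            value = pattern.sub(mask, value)
    return value

def build_event(event_type: str, outcome: str, **fields) -> dict:
    """Return the JSON-serialisable record that will be written to the log."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown security event type: {event_type}")
    record = {"ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
              "event": event_type, "outcome": outcome}
    record.update(redact(fields))
    return record

def log_event(logger: logging.Logger, event_type: str, outcome: str, **fields) -> dict:
    record = build_event(event_type, outcome, **fields)
    logger.info(json.dumps(record, sort_keys=True))
    return record

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    sec = logging.getLogger("security")
    # Constructed failed-login event: the password and session id never reach the log.
    log_event(sec, "authn", "failure", user_id=42, source_ip="203.0.113.7",
              password="hunter2", session_id="abc123",
              detail="login for alice@example.com failed")
```

Redacting at the point where the record is built, rather than in a downstream filter, means the sensitive values never enter the logging pipeline at all.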
7. Monitor the production environment.
Keep software dependencies, frameworks, and libraries up to date. Regularly apply security updates and patches to address known vulnerabilities in these dependencies. Ensure the application is securely configured for deployment, and review access controls, key management, and encryption practices. Additionally, establish and maintain business continuity and disaster recovery plans, and identify the appropriate operational support staff for addressing any issues.
Conclusion
While securing applications is a vast topic, simplicity is key. By understanding the organization's overall vision and risk appetite, and by employing straightforward methods, tools, and trained staff, you can achieve a truly "Secure-by-Design" approach.