For this week’s Discussion, we consider Application (Software) Development. Answer at least one of the following questions:
- During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
- Choose one of the popular software development methodologies, such as Scrum, Agile, or Waterfall; how does the choice of the methodology affect Information Security concerns?
Rudraduttsinh says
Software security holes are the bugs that are unintentional aspects of a program that can be manipulated to break the likely function of the program and allow actions the users would disapprove of. There has been a lack of implementation of security principles in software development. One of the main reasons is that software development has always emphasized user-friendliness. Organizations are reluctant to invest in cybersecurity initiatives until forced to do so. The lack of cybersecurity initiatives is directly related to economics. For some organizations, a waterfall development model puts cybersecurity considerations into play during the design and testing phases, with limited opportunities to impact the software after deployment. In other places, adopting agile development methodologies involves security considerations at almost every step in the rapidly iterative coding cycle, with quick detection and correction of vulnerabilities emphasized.
Reference
N.A. (n.d.). Cybersecurity in the Software Development Lifecycle. Cybersecurity Education Guides. Retrieved from https://www.cybersecurityeducationguides.org/software-development/
Krish Damany says
Hi Rushi,
It seems we sacrifice convenience for security on a daily basis when it comes to technology. Many users don’t have a simple SMS-based 2FA set up for their online accounts because it would “take too long” or is a “hassle”. So it doesn’t surprise me that developers would rather an app be user friendly than secure from exploits. That is, until they get exploited to a point where they have to retroactively secure and patch their software after the process.
Vanessa Marin says
It’s an outdated way of thinking for sure! Now organizations are taking SDLC seriously and have come to the realization that compliance, control and InfoSec are crucial to maintaining the trust of clients. Product Owners and Product Managers are much more involved in making their applications and processes more secure.
Amelia Safirstein says
In my experience, one of the most common reasons for setting software security on the back-burner is the race to market. This definitely ties into your point that lack of security in programming often relates to costs. Smaller companies especially have their eye on the “prize” of just getting a user-friendly product to market as soon as possible so that they can start making money or sell the company. Entrepreneurs don’t always see security as being economically friendly or they simply don’t have the resources to attain their goals while also implementing good security practices. Unfortunately for these small business owners, going back to add security later is often significantly more work than including it from the beginning.
Jerry Butler says
Hi Rushi,
You have raised great insights, I agree with you about using Agile for software development. It’s a more collaborative tool which allows input from all parties before moving to the next stage. However, I also think a combination of methodologies is ideal since there is no clear cut for a single methodology that fits all software development projects.
Vincent Piacentino says
During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
In the Software Development Lifecycle, information security needs to be integrated from the “Requirements Gathering” phase to the “Release\Maintenance” phase. In the project planning, incorporating a “Security Plan” will make sure that no aspect of securing the software is overlooked. During the “Requirements Gathering” phase, some considerations for the “Security Plan” are:
• Security requirements
• Secure Coding
• Privacy Impact Rating (PIR) – P1(High), P2(Med), P3(Low)
• Security Risk assessment
• Privacy Risk Assessment
• Risk-level acceptance
Security plays a major role, and if not integrated into each phase, could potentially lead to an incident. Adding security then will be an expensive lesson…
Krish Damany says
Hi Vincent,
I completely agree. Without having information security included in every phase, it could run the gamut of being very flawed at release. This would then have ramifications where nefarious actors could exploit the software right away, and then the developer would have to issue patches to stop and prevent future attacks, which would cost time and money in the long run.
Vincent Piacentino says
Hi Krish,
Right!? I would hope that a moderately mature and smart organization (or wishful thinking: all organizations large and small) would employ DevSecOps.
Doing without this approach is almost surely a disastrous incident waiting to happen. It seems like every day we are learning of a new incident and it only gets worse from here…
Vanessa Marin says
I’d venture to say that InfoSec should be implemented before project start! 🙂 The design of the methodology should already have infosec measures embedded in. Prior to starting a project a policy should be in place that explains SDLC and the requirements to stay in compliance.
What do you think?
Amelia Safirstein says
Absolutely! Including that step would help ensure that security measures for each phase are not overlooked. Additionally, this would help to ensure consistency and documentation for any auditing of the software.
Eugene Angelo Tartaglione says
During which phase should Information Security be included? How would you explain to someone that Information Security has a role without a finalized product yet?
It is important to include information security during the third phase of the Information Security life cycle. “After assessing your network and obtaining more granular information about it, it’s important to protect your network by bringing systems up to speed with your previously established policy and standards. Essentially, it’s now time to protect your systems. This step of the information security lifecycle is sometimes referred to as the “mitigation” step, since the actual objective of the step is to mitigate all of the risks identified during the assessment period.” With this in mind it is important to identify the potential risks you may have and then try to see which ones it is most beneficial to mitigate. Some risks it may be cheaper to accept. That is a decision that should be made using something along the lines of a Cost / Benefit analysis.
Reference: https://plextrac.com/2020/07/29/the-information-security-lifecycle/
https://www.valasecure.com/blog/a-complete-guide-to-the-information-security-lifecycle
https://www.giac.org/paper/gsec/3018/security-lifecycle/105040
https://www.protectivesecurity.govt.nz/information-security/lifecycle/
https://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle
Krish Damany says
The information security lifecycle is comprised of a few steps: identify, assess, design, implement, protect, and monitor. In the software development cycle, these steps are very integral to have a secure application. So a good time to implement information security into this cycle would be from the beginning. Having information security as a thought while developing a piece of software will help mitigate flawed software right before release, or worse, patching it after a major release. Explaining to someone that this process is essential prior to release could be difficult. The person in charge could have a specific deadline in mind for the project and implementing a robust information security process could jeopardize that. In convincing them, I would explain that spending a little extra time and money before release will save major amounts of time and money in the long run, as fewer patches to vulnerabilities will need to be implemented, and possibly the risk of exploitation of 0days would be mitigated should information security be included from the start.
https://blog.box.com/information-security-lifecycle
Vanessa Marin says
Agile software development is probably the most widely used methodology in organizations today. It has a collaborative focus by which requirements and solutions evolve amongst cross-functional teams. The delivery is continuous and allows for changes to be dynamically implemented during the product life cycle. Security is integrated in Agile software development. There are several ways by which this can be accomplished within the agile process:
Robust and complete user stories that are non-functional requirements. These are requirements that are related to the state of a system rather than functional areas of the system. These guide team planning and development. Another aspect is that security testing takes place throughout the development rather than at the end.
Specific steps to take are to implement security scans and fixes during the QA process. Stakeholders can also attempt to break the system’s security during demo and product review. Implementation of OWASP proactive controls could reduce the unpredictability and unforeseen bugs. The retrospectives help teams review their work and improve it where necessary. Static code analysis tools can also integrate with development tools to mitigate risks. An automated pipeline check will also help check libraries that need to be updated.
Security is critical irrespective of which methodology and having it at every stage of development is critical to any implementation.
https://www.bridge-global.com/blog/6-essential-steps-to-integrate-security-in-agile-software-development/
Amelia Safirstein says
Great points! It’s imperative that teams include security and testing throughout all “rounds” of development in Agile. The frequent communication, re-evaluation, and testing in Agile development should allow for well thought out and strongly reviewed security.
Amelia Safirstein says
Information Security should be included in all phases of software development. These phases include Requirements Gathering, Design, Development, Testing, and Operations and Maintenance. During the Requirements Gathering phase, security requirements should be established, a security risk assessment should be completed, a privacy risk assessment should be completed, and the risk-level acceptance should be evaluated. In the Design phase, the attack surface should be analyzed and threat modeling should be built and reviewed. In the Development phase, programmers should use computer-aided software engineering tools to help catch errors. They should pay special attention to input validation in their code to avoid attacks like buffer overflows. During the Testing phase, a group that was not involved in the development phase should run security and penetration tests. Finally, in the Operations and Maintenance phase, programmers may have to add new features where they should follow the same security practices listed under the Development phase. In the Operations and Maintenance phase, they will also have to address new vulnerabilities with patches.
Mei X Wang says
Hi Amy,
Great post! I agree with all your points as well, security should be included in all phases of software development. It’s especially important to include security as an ongoing maintenance process. The attack surface can change from time to time so continuous monitoring and patching are essential to keep yourself protected long term. Just because our system is secure after deployment, it doesn’t mean there aren’t any vulnerabilities just waiting to be discovered.
Jerry Butler says
Broadly speaking, there is no silver bullet model that can be a perfect match for software development, many times a combination of two would produce great results. However, I think the Agile model is ideal for software development in my opinion. Agile dwells on collaboration and visibility to provide a richer and more rewarding experience for teams to develop great software products. It’s important to note that security should be involved from the start and Agile methodology thrives on collaboration and feedback before moving to the next stage and this is an important aspect in involving security at every stage. Below are the phases of Agile methodology:
1) Agile; Define Determine what work will be done in the current iteration
2) Design; Plan how to build the requirements into a product
3) Build; Make the design a reality
4) Test; Verify the product functions as designed
5) Release; Give the product to the customer
Mei X Wang says
The information security phase should be included in the early requirements stage of software development. It’s easier to incorporate security principles in a product as it is being designed, as the bare bones are being sculpted. DevOps/DevSecOps can work on including code review tools and automation to check the security product as it’s being developed. Once a product is completed or has granular features, it becomes increasingly difficult to add security countermeasures to each individual function. Security should be considered in the requirements stage and included in the design of the product.
We can explain to users the importance of information security without the finished product by working backward and showing the vulnerabilities if the product didn’t include features such as input validation. Malicious actors would be able to inject bad code or overload our system if security requirements such as input validation aren’t used. Security may seem dispensable if we are unaware of the impacts they may cause, by bringing the worst-case scenarios and industry news, the development team/senior management can realize the importance and adverse impacts if security isn’t present.