Security-first Mindset in Product Engineering
We are increasingly dependent on software applications to run our daily lives, whether it’s personal banking, accessing government services, controlling the heating system in our homes or running our relationships. The impact of any related breaches of security ranges from the inconvenience to positive damage. As a result, product teams — be it in the beginning, corporate organizations or vendor organizations — have a great responsibility to ensure that these software applications are secure throughout their lifetime and remain secure.
In addition, product teams are facing this particular challenge against a backdrop of increasing complexity and speed in the form of delivering reduced time to market and featuring more rich interactive user experiences, within a dynamic environment in terms of tools and techniques and deploying into an ever-changing infrastructure dominated by the World Wide Web. As a result, we need to follow a security-first approach to ensure the software applications we’ve become so reliant on, are safe and stay safe over their lifetime.
A security-first approach means putting everything at the front, right, left, and center of security, and it encompasses a mindset, skills, methods, and organizational design. Individually, at all stages, we need to grasp what this means at the level of work performers. It could be a user interface (UI) designer contemplating a feature ‘s security consequences, a developer applying the least user authentication authority principle, a SQL developer developing a minimal query on a dataset, or an architect working on a strategic product vision. The security-first mentality does not constrain us, on the contrary we should be liberated. It should not first be a trade-off between usability and security for a UI designer but an opportunity to find complimentary solutions such as biometric recognition.
We need to move beyond DevOps to a DevSecOps model, where we integrate protection into the conventional DevOps method that allows for test automation, continuous integration and deployment.
We should endeavor to remove silos wherever possible, particularly with reference to the security department or groups that have to move beyond the compliance model, to support the rest of the organization in reaching a security-first perspective through training, awareness and ongoing vigilance. We need to switch from a general sense of weakness in the framework to a precise real-time evaluation of the vulnerabilities in our framework.
We should look for ways in which we can move away from multidisciplinary teams of people from various disciplines working together, using a true combination of solutions, each building on their disciplinary experience to interdisciplinary teams of people combining expertise and practices from different disciplines.
We must put aside the abstract reasons and accept that 84 per cent of security breaches are inextricably connected as a result of social engineering and privacy and protection. We need to spend time in updating people’s knowledge of the current trends and risks. We need to be aware of new vulnerabilities such as Differential Privacy, a big data product, and its associated techniques which ensure that large data sets can be queried without compromising the privacy of an individual. That is, we need to allocate time for people to assimilate new tools and patterns, and to understand where to apply them in the first context of security.
We need to step away from the conventional process of product growth, with the consequences of deploying and moving products to a Business As Normal (BAU) support team doing occasional updates and bug fixing.
Commercial sponsors must adopt mature Total Cost of Ownership (TCO) models that tackle a product ‘s overall lifespan without factoring in the risk of a security breach. Product teams are under tremendous pressure to develop safe and stable applications during their lifespan, but this challenge can be met if we follow a first approach to security.
Here Are 3 Ways Product Engineering Teams Can Have Better Security Management
Since moving away from the waterfall method, engineering teams now have a mandate to look at safety from functionality, performance and other parameters in the same light and sustained frequency. It can lead to better and more secure product delivery by equipping them with the right tools and processes. Here are three key ways to empower engineering teams with certain skills and strategies that enhance self-sustaining application protection.
LEVERAGE CONTINUOUS INTEGRATION (CI)
The amount of time, cost, and hassle of remedying vulnerability increases as the release date of the product gets closer and worse during the production phase. Barry Bohem’s finding and fixing a bug after delivery is 100 times more expensive than during the design phase according to the Software Defect Reduction Top 10 List. One solution to minimize these factors is to shift some aspects of security testing to the left (as in the upstream versus development). You can do that by empowering the engineering teams with skills and resources that allow them to do certain security checks as part of their business-as – usual-jobs.
One of the most practical and scalable ways to do this is to use your continuous integration services like Jenkins or TravisCI to leverage. For example, most engineering teams use Secure Code Analysis (SAST) platforms to perform security code inspections. SAST plugging through CI as part of the routine cron-jobs of the application is very valuable in uncovering potential vulnerabilities right within development. This can also be extended to the platforms for run time security (DAST). These tests can be executed using specific scan policies focusing on critical or segmented application parts. For example, lightweight scan policies (smoke / sanity) can be configured to run on nightly builds as more aggressive scan policies for weekly builds can be scheduled.
USING SECURITY ‘EXPLOITS as CODE’
According to the WhiteHat Application Security Statistics Report, fixing DAST vulnerabilities takes an average of 174 days, and fixing SAST vulnerabilities by 113 days. In most cases, a significant amount of a developer’s time is spent on recreating security exploits (during security remediation). Usually, critical features found through manual pen-testing are sent to the engineering team via manual PDF reports for remediation with limited information specifically about the “WHATs” rather than the “HOWs.”
When these exploits are written as “exploit automation scripts” (using frameworks such as selenium) development teams can reconstruct scenarios and understand the vulnerability ‘s dynamics better. These scripts can also be used to validate fixes, thus creating a regression of sorts for security test cases and can be executed against any build to validate remediations and resurfacing of vulnerabilities previously set. Not only does this increase efficiency to fix critical bugs, but it also minimizes back-and-forth interactions between teams to validate these exploits.
INCREASE VISIBILITY OF VULNERABILITIES WITHIN THE PIPE
Automating the process of vulnerability logging is important in submitting the required information at the right time. The time taken to reach the developer that automation for a critical vulnerability, as opposed to manual means, makes a lot of difference-particularly in agile environments. By having security bugs inside the defect-tracking ecosystem automatically, you can effectively the back-and-forth between teams. Not only does this save time by eliminating needless clerical activity, it also shines the requisite light on security bugs with the same severity as practical bugs. Additionally, the integration of tickets into bug tracking platforms gives a higher visibility of the security landscape to product management team.
The depth of knowledge gives engineers the knowledge required to address the bugs efficiently, thus removing the needless information (noise) that normally comes with it. Necessary information includes details such as where and how the bug was found but should be devoid of redundant / rhetorical “noise,” such as met-data normally provided by DAST / SAST platforms. This eliminates the need to dig through data for engineers to find the right information, thereby saving time and increasing efficiency.
Product Engineering is one of our fortes at Goavega. We help organizations in assessing security risk and vulnerabilities, implement solutions to safeguard business and also conduct security awareness program. To know more about our security offering please contact us Read more about us
Sorry, the comment form is closed at this time.