The Most Overlooked Aspect Of Software Development — Security

Time to prioritise security before you develop your next application.

Koh Rui Ling
Sep 15, 2021

Introduction to Security

According to the Oxford Dictionary, security is defined as the protection against threats and dangers which might happen in the future. Similarly, in software development, software security is the protection against potential malware attacks that might threaten the system’s confidentiality, integrity and availability.

Since security is an important issue, you may assume that it is common for software developers to address it before developing their applications. On the contrary, it is only considered during the Design phase of the Software Development Life Cycle (SDLC), which is one stage too late. Hence, the deployed application could possibly be insecure.

Causes

1. Lack Of Consideration Of Security Among Software Engineers

Usability and performance are usually the top priorities of software engineers, and security-related tasks are carried out only at the Testing phase. Furthermore, some software engineers may not be equipped or trained in security. As such, security is not integrated into the developed application. By the time the application is released and used by the masses, implementing security features would be costly and difficult.

2. Cost Of Using Security Development Process

Integrating security into the development process may be costly to administer, especially in smaller companies. Using a security development process would generally entail increased development time, as there are more components to consider on top of the current ones. In addition, if the software engineers are not equipped with knowledge of cyber security, companies would need to hire additional security engineers. Hence, companies, especially newly established ones, would not choose to prioritise security when developing applications.

Consequences

1. Confidentiality Of Data Compromised

In this ongoing COVID-19 pandemic, I believe that you must have used Zoom at least once, either for work or for studies. However, did you know that just last year, when Zoom was gaining popularity, hackers could execute cross-site request forgery (CSRF) to crack the 6-digit meeting password in just half an hour? Just imagine you are in a Zoom meeting with your friends and suddenly a stranger pops by to say hi.

This is an example of a breach of data confidentiality, where data is not protected from unauthorised users. Zoom could have simply limited password retries or used better algorithms for generating unique passwords. They have since changed the passwords to be alphanumeric, and hosts can change the passwords to increase complexity and uniqueness.
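The retry limit mentioned above can be sketched as follows. This is an added example, not code from the original article or from Zoom; the class name, the thresholds and the sample passcode are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failed guesses allowed per window
WINDOW_SECONDS = 300    # assumed policy: sliding window length


class PasscodeGate:
    """Checks meeting passcodes and throttles failed guesses per meeting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._passcodes = {}                  # meeting_id -> passcode
        self._failures = defaultdict(deque)   # meeting_id -> failure timestamps

    def register(self, meeting_id, passcode):
        self._passcodes[meeting_id] = passcode

    def attempt(self, meeting_id, guess):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        recent = self._failures[meeting_id]
        # Forget failures that have aged out of the sliding window.
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        # Refuse before comparing, so a locked-out caller learns nothing.
        if len(recent) >= MAX_FAILURES:
            return "locked"
        expected = self._passcodes.get(meeting_id, "")
        # Constant-time comparison avoids leaking a partial match via timing.
        if expected and hmac.compare_digest(guess.encode(), expected.encode()):
            return "ok"
        recent.append(now)
        return "denied"


def guesses_tested(gate, meeting_id, candidates):
    """Count how many candidates are actually compared before lockout."""
    tested = 0
    for guess in candidates:
        if gate.attempt(meeting_id, guess) == "locked":
            break
        tested += 1
    return tested
```

Keying the counter on the meeting rather than on the client means guesses spread across many clients still count towards the limit, at the cost that repeated failures can temporarily lock legitimate participants out as well.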

2. Availability Of System Compromised

System availability may also be compromised if security prevention measures are not put in place. On 28th February 2018, the largest Distributed Denial of Service (DDoS) attack happened to a platform which programmers may be familiar with, GitHub. This type of attack floods a network with such a high volume of malicious traffic that it cannot operate as it normally would, causing the website to crash.

This is an example of a system’s availability being compromised. Software applications should be readily available whenever users request services. Fortunately for GitHub, they were able to recover from the attack quickly.

Solutions

In the past, there was a saying, “Security through Obscurity”, which means that security can simply be achieved by not exposing an organisation’s security designs or implementations to outsiders. However, since 1851, many security experts have rejected this, saying that obscurity should not be the only security control.

“Security through Obscurity is NOT Security.”

1. Secure Software Development Life Cycle (SSDLC)

Companies are gradually adopting the approach of integrating security into their software development processes. This gives rise to SSDLC, which involves writing security requirements together with functional requirements, and focusing on security issues. This is much cheaper and more efficient than anticipating the possibility of the deployed application being compromised.

Diagram of Secure Software Development Life Cycle

As seen in the diagram above, the inner circle is the usual SDLC which we practice, while the outer circle represents the additional components we need to consider in SSDLC. Note that security is integrated into each phase of the original SDLC and it starts as early as in the Requirements phase.

2. Patch Outdated Systems

As technology advances, malware and viruses are rapidly evolving too. As a result, outdated systems may be vulnerable to attackers as they might not be able to withstand up-to-date cyber attacks. It is highly likely that attackers already know the weaknesses of the systems and can exploit them to their advantage. Hence, regular patching can help to identify potential vulnerabilities and fix them in time. Software engineers can automate the process of patching to reduce costs and mitigate any security risks.

Conclusion

In conclusion, I have examined the possible challenges of implementing security features in the early stages of development, as well as the importance of it. Security is definitely a critical aspect to consider, but implementing it also depends on the prevailing context.

If you have the resources, I strongly urge you to incorporate security in your development process before you start developing your next application. But remember — do not roll your own crypto!
