Cyber security: why it shouldn’t be an add-on
In the tech world the standard approach is to develop first, and protect later — here’s why that model is both wrong and dangerous.
In this era of cyber attacks and ransomware, security is on everyone’s mind. We tend to rely on platforms, frameworks, and cloud-providers to ensure the security of our information, but can we really trust these solutions?
At Proekspert, we always say that putting a powerful lock on a paper door won’t make a cardboard house secure. Indeed, this is the perfect metaphor to describe the approach widely used today. Perhaps it is high time we reinvent our approach to cyber security.
When it comes to security, countless companies will try to sell you a one-fits-all solution. Their offer might be security as a service, high quality penetration testing, or log-analysis for finding outlying incidents and anomalies. While they may seem compelling on paper, none of these solutions actually work in the real world, because, at the end of the day, security really comes down to people, behavior, and the processes and standards you have in place. Different kinds of software can help and assist you in ensuring the security of your data, but they will never do the work for you.
The way in which many companies, in a variety of spheres, implement security is not perfect either. Considering how quickly circumstances change in the world today, it is understandable that no one ever seems to have the time to document, plan, or consider theoretical security aspects if features are not ready, and the MVP is not delivered. For the most part, security and privacy requirements are left out from the MVP. Only when design and development are complete do we consider talking to the security team, and ask for their final sign off.
An approach of this kind is fundamentally flawed: we build a house with a paper door, and when the product is almost finished — it’s launch date due — we ask the security team to put their best, most secure lock on that paper door, leaving no time for a deeper analysis. What’s more, in that final phase, any fundamental change would delay the project and be extremely costly.
This does not mean that different tools, services, or penetration tests are meaningless — no. They can certainly help, but there is a lot more you can do, many more measures you, as a company, should take.
Perhaps you are wondering, what exactly would be a better approach? Unfortunately, there are no foolproof answers. But having extensive expertise in this field, Proekspert can provide at least the beginnings of a comprehensive solution.
Above all else, we would advise an approach wherein security and privacy are planned and designed for — not dealt with as an afterthought, or the final stage of development. What does security by design look like? Well, first of all it means on-boarding security analysts as early as possible with projects, even if a project is still in its whiteboard-drawing phase. When security is factored in so early on, changes and preventive measures are easy to make, and way more cost effective.
Software should also be designed with security in mind. You will never be able to eliminate all bugs before a release, but you can try to avoid as many errors as possible before the final version goes out, and penetration testing begins. During the development process it is best to practice threat modelling (more on this in our next article), and to identify weaknesses and attack vectors in a systematic way. In this way you can prepare for the worst, and develop solutions into your product.
In case your company has not yet implemented any kind of a Security Development Lifecycle, we would recommend that you start by experimenting with the Microsoft model, and then adjust it to your company’s needs.
https://www.microsoft.com/en-us/sdl/default.aspx?SearchType=2 and
But if you are eager to take a look at other best practices on how to create a custom SDL, we would suggest that you also take a check out: https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet and https://s3.amazonaws.com/ahoy-assets.twilio.com/Whitepapers/Twilio_Whitepaper_Security-Architecture.pdf
After implementing a suitable SDL, and integrating security analysis within earlier stages of your design process, there are still quite a few measures you can take to ensure security. Here are a just a couple:
- Train your developers regularly to ensure that the majority have a comprehensive understanding of the most common attacks, defence mechanisms etc. This may be time consuming, but as long as attacks are changing, so must protection mechanisms, and it is important that your team be on top of the latest trends.
- Make sure you have a dedicated security team who can assist design and architecture, conduct penetration testing, give general advice, and work on research that will help product teams deliver secure software.
- Try to implement a plan that will ensure that protection is ultimately cheaper than any potential loss might be. Create a system where some services can be taken down in case of critical incidents, without causing any disruption to business. At the same time, mission critical systems need to have the best possible security you can implement.
When it comes to software, there are no foolproof solutions, no 100% guarantees against hacking. Critical bugs are bound to come around, and they may not even happen in your code, but in library or service code that you are using. It is simply impossible to mitigate everything, and that is why you need to consider these risks in your threat model, acknowledge them, and prepare for their eventual occurrence — no matter how unlikely.
At the end of the day, it’s all about assessing and managing risk. If you ignore potential problems, and then one day they begin to flare up, you might discover that you are totally unprepared: you don’t have logs, you don’t have abuse-detection mechanisms, and you don’t have any protocols implemented for identifying an attack and analyzing it properly. That’s exactly the kind of situation all companies should try to avoid. Security takes time and effort, but it is always worth it in the end.
If you would like to ask some advice about your digital products security, contact us.
