Software security breaches have created billions of dollars in cybersecurity costs¹ in the past five years. Breaches affect hundreds of millions of people, and software is running in more places than ever today.
Security is a concern in every software system. Why? Simply put, much of the software we use every day is not built with security in mind. Making today’s software secure is a conscious choice that requires effort and expertise.
This post examines software security, considering security testing and continuous security. We will introduce Tangram’s approach to creating secure software systems.
In the general sense, security is “the state of being free from danger or threat”. The security of software systems in particular is a vast topic.
Software security is the application of techniques that assess, mitigate, and protect software systems from vulnerabilities. These techniques ensure that software continues to function and is safe from attacks. Developing secure software involves considering security at every stage of the life cycle. The major goal is to identify flaws and defects as early as possible.
Software Security Techniques
Applying software security techniques to software development produces higher levels of quality.² Safer software has correct and predictable behavior.
In his book Software Security: Building Security In, Gary McGraw provides seven best practices. This framework is a great introduction to securing your software.
- Code review using tools to find bugs, vulnerabilities, and weaknesses
- Architectural risk analysis to identify flaws
- Penetration testing
- Risk-based security testing
- Abuse cases to examine how a system behaves under attack
- Security requirements
- Security operations
Many techniques can be applied in this type of framework, such as:
- Defensive programming
- Secure coding
- Threat modeling (e.g., STRIDE)
- Understanding your attack surface
- Code auditing
- Application security (e.g., OWASP Top Ten)
- Defense in depth
DevSecOps is the deep integration of security into the DevOps approach. It enables security teams and developers to “shift left” by automating analysis of software security earlier and throughout the software development lifecycle.
DevSecOps introduces security to the DevOps practices used for developers and IT operations. Security controls are embedded in processes such as build pipelines and CI/CD workflows. These practices provide immediate feedback cycles. In this mindset, security is everyone’s responsibility.
Automated security testing and security analysis techniques are part of DevSecOps. These include Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST tools analyze the source code of an application before it compiles. DAST tools communicate with the running application to identify security vulnerabilities.
It is best practice to run security testing tools continuously. Traditional processes focus on security testing before a big release. The collective security mindset in the defense industry is shifting left. DevSecOps adoption is growing, enabling continuous security to become a reality.
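As an added illustration (not from Tangram or the original post), here is a minimal static check in the SAST style described above: it parses Python source without executing it, flags a few risky calls, and returns an exit status that a CI step can use to fail the build. The rule set, the sample source, and the names `scan` and `gate` are assumptions made for this example.

```python
import ast

# Constructed sample input: source text that is parsed, never executed.
SAMPLE_SOURCE = '''import pickle, subprocess
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def run_list(argv):
    return subprocess.run(argv, shell=False)
'''

# Illustrative rules (an assumption; real SAST tools ship far larger rule sets).
RISKY_CALLS = {
    "eval": "eval() executes its argument as code",
    "pickle.loads": "unpickling untrusted data can execute code",
}

def call_name(node):
    """Dotted name of a Call target, e.g. 'pickle.loads', or None."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if not isinstance(target, ast.Name):
        return None
    return ".".join(reversed(parts + [target.id]))

def scan(source, filename="<sample>"):
    """Walk the syntax tree and return sorted (line, message) findings."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, RISKY_CALLS[name]))
        for kw in node.keywords:  # shell=True passes the command to a shell
            if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                findings.append((node.lineno, f"{name}: shell=True allows command injection"))
    return sorted(findings)

def gate(source):
    return 1 if scan(source) else 0  # pipeline exit status: 1 fails the build

if __name__ == "__main__":
    for line, message in scan(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
    raise SystemExit(gate(SAMPLE_SOURCE))
```

Run on every commit, a check like this gives the immediate feedback cycle described above; a DAST tool would instead need the application deployed and reachable.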
The Tangram Approach to Security
Development of large software systems is revolutionized by microservices and CI/CD. Tangram builds on these advances to help deliver systems with security baked in. Our core principles are:
1. Connect: Integrate existing engineering tools for secure exchanges between teams;
2. Compose: Stitch components together with automatic generation of secure interfaces;
3. Assure: Apply full spectrum analysis with automated assurance workflows and evidence capture;
4. Deliver: Send validated code, architectures, and artifacts at each phase of development.
Tangram aids in building and delivering secure components. We support continuous security for software system development.
Software security will always be a paramount concern. Integrating security into development lifecycles³ catches security issues earlier and reduces risk. This is key to faster development of better software.
¹ Consider the statistics of software systems behaving incorrectly or unexpectedly.
² For more on assuring safe, secure, and correct software systems, see Safety and Speed: Have Your Code and Assure It, Too.
³ For a deeper reading on software security, a few good books are: Building Secure Software, a foundational guidebook for developers; 24 Deadly Sins of Software Security, a technical tactical reference; and Software Security, which covers the ideas from Building Secure Software put into practice.