Read the book Do No Harm - Matthew Webster - Page 33

Software Development


Secure software development is arguably one of the more important controls in information security—especially if data is accessed through that software. If you have a poorly written application, it can mean the difference between securing the data and not securing the data. The challenge with software development is that there can be ten ways, all legitimate, of accomplishing the same control. In many other parts of information technology, there is a button to press and you are done. From a historical perspective, there are some cultural challenges.

Typically, developers use something called the software development lifecycle (SDLC). The SDLC includes methods for finding and eliminating defects, such as peer review, unit testing, line testing, and a host of other techniques. What is missing from the SDLC processes of less mature organizations (from a security standpoint) is security itself. Depending on when and where you went to school, security may or may not have been part of the curriculum. Oftentimes, it is up to organizations to train developers about security.

Training developers on security can be a little like herding cats. Doing it right means you have to have several things in place. First, you need a set of guidelines and security standards for the team to follow. Just right-sizing the amount of information to provide to the developers can be a daunting task for organizations. Providing too much information means it will not be retained right away. Not providing enough creates other challenges for the organization.

Another aspect of a good coding environment is tooling. There are fantastic tools on the market that can detect problems before the product goes into production, and using them in the right way is one way to reduce the risks to the organization. However, the tools do have blind spots when it comes to human logic flaws. It is not something these kinds of applications are good at, and thus penetration tests are critical to the final product being secure. A penetration test is a process where both vulnerabilities and human logic flaws are discovered. While tools are used, there is a human aspect to the assessment process.

Sadly, not all companies have the time or resources to have a mature secure SDLC that includes all of the right tools being used in the right way. In cybersecurity there is a phrase called “Separation of Duties” (SoD). In this specific context, it is important to have some SoD between the software developers and the cybersecurity team signing off that the software is ready for production. If a software developer checks the software, they may or may not adhere to the requirements depending on the person or context. They may or may not ensure that what goes onto the market does meet FDA security requirements.

Software development has shifted considerably over the years. What is common now is an iterative approach to software development known as scrum. Many years ago, software was only created in versions. The first version was 1.0. Bug fixes could take it to 1.01, while minor revisions could take the software to 1.1. Larger revisions would go to 2.0. While versioning is still common and highly practiced, when it comes to the cloud aspects of development, an iterative model is much more common. Iterative means the product continually improves as part of the Software-as-a-Service. It is also a good business practice to ensure you continually evolve to meet the client's needs. The challenge here is for that development to be continually secure—assuming the software was secure to begin with. It takes time to perform the aforementioned penetration tests. Given that updates can now occur multiple times a day, it is a challenge for security to keep up.
