There are two types of organisations – the ones that already pay appropriate attention to cyber security, and the ones that will.
Investing in cyber security is like buying life insurance: you don’t see the return until a real incident occurs.
To many companies and individuals, a cyber-security threat seems abstract and distant. They feel that others may get hurt, but that their own product will somehow stay safe. That is not true.
The number and sophistication of attacks continue to grow, as do the costs of every breach, not to mention the non-material cost of damage to your brand image. They say that nothing beats learning from experience, but in this case it is far better to learn from the experience of others than from your own.
Cyber-crime – the threat is real
Cyber-security threats are increasing together with the exponential growth of connectivity and network reach. The Internet is not a personal community of trust and respect. We are more vulnerable to attacks than ever before, across all industries and company sizes, whether you believe it or choose to ignore it.
Although many companies and individuals don’t see themselves as targets, the threat is real. According to Privacy Rights, more than 10 billion records have been breached since 2005. Companies suffered the consequences of compromised personal data, including customers’ names, addresses, emails, dates of birth and telephone numbers, which cost them billions of dollars and ruined their reputations.
When should you think about cyber security?
Companies that lack a basic understanding of the risks that cyber-crime brings are especially exposed. To support your business, familiarise yourself with the Security Requirements Questionnaire included in the Microsoft Security Development Lifecycle (MSDL), an industry-leading software security assurance process.
Take a look at which products and services in particular should adopt the MSDL process, according to Microsoft:
- ‘Any software release that is commonly used or deployed within any organisation, such as a business organisation, government, or nonprofit agency.
- Any software release that regularly stores, processes, or communicates personally identifiable information or other sensitive information. Examples include financial or medical information.
- Any software product or service that targets or is attractive to children (13 years old and younger).
- Any software release that regularly connects to the Internet or other networks. Such software might be designed to connect in different ways, including:
  - Always online. Services provided by a product that involve a presence on the Internet.
  - Designed to be online. Browser or mail applications that expose Internet functionality.
  - Exposed online. Components that are routinely accessible through other products that interact with the Internet.
- Any software release that automatically downloads updates.
- Any software release that accepts and/or processes data from an unauthenticated source.
- Any software release that contains ActiveX controls.
- Any software release that contains COM controls.’
If any of the above applies to your products or services, then put particular emphasis on cyber-security.
Where to begin?
First, you need a solid analysis of system security requirements, resulting in a documented set of Security Requirements for your project. These requirements should be based on well-known and accepted standards, such as OWASP Application Security Verification Standard Level 2, as well as on legal requirements and company policy on data security. They should also take into account business requirements and the current system architecture and its limitations.
Apart from analysing system security requirements, also focus on the high-level system architecture. Take a look at the potential attack surface too, and review the most critical parts of the system, such as those related to authentication and authorisation. Consider performing threat modelling using the STRIDE approach provided by Microsoft. This process not only identifies risks but also assesses them and addresses them with countermeasures or mitigation techniques.
It is also important to review your software development process with respect to the security activities recommended by Microsoft’s SDL. Such a review proposes improvements that reduce the risk of costly issues, improve the security and privacy of applications, and protect both enterprise data and the reputation of your company.
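As an added example (not material from the article, and not Microsoft's own tooling), the Python script below applies the STRIDE-per-element table used in SDL threat modelling to a constructed data-flow diagram of a web application: every element type is checked only against the threat categories that apply to it, each threat is paired with the security property that answers it, and threats on elements or flows that face the trust boundary are prioritised. The element names, the `exposed` flag and the mitigation wording are assumptions of this example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow model.

Added example, not code from the original article. It applies the
STRIDE-per-element applicability table from Microsoft's SDL threat
modelling to a constructed web-application data-flow diagram and maps
each threat category to the security property that addresses it. The
element names, the 'exposed' flag and the mitigation wording are this
example's own assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each DFD element type.
APPLICABLE = {
    "external": "SR",      # external entity (user, third-party system)
    "process": "STRIDE",   # running code
    "datastore": "TRID",   # database, file, queue
    "dataflow": "TID",     # data moving between elements
}

# Security property (with example countermeasures) that addresses each
# category; assumed wording, not a quotation from SDL material.
MITIGATION = {
    "S": "authentication (strong credentials, mutual TLS, signed tokens)",
    "T": "integrity (input validation, MACs or signatures, ACLs)",
    "R": "non-repudiation (audit logging, signed records)",
    "I": "confidentiality (encryption in transit and at rest, least privilege)",
    "D": "availability (rate limiting, quotas, redundancy)",
    "E": "authorisation (least privilege, privilege separation)",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # key of APPLICABLE
    exposed: bool = False  # reachable from outside the trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    crosses_boundary: bool


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    mitigation: str
    priority: str          # "high" for boundary-facing targets, else "medium"


def _threats_for(target: str, kind: str, high: bool) -> List[Threat]:
    if kind not in APPLICABLE:
        raise ValueError(f"unknown element kind {kind!r} for {target!r}")
    return [
        Threat(target, STRIDE[c], MITIGATION[c], "high" if high else "medium")
        for c in APPLICABLE[kind]
    ]


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Return one Threat per (element or flow, applicable STRIDE category)."""
    names = {e.name for e in elements}
    threats: List[Threat] = []
    for e in elements:
        threats += _threats_for(e.name, e.kind, e.exposed)
    for f in flows:
        if f.src not in names or f.dst not in names:
            raise ValueError(f"flow {f.name!r} references an unknown element")
        threats += _threats_for(f"{f.name} ({f.src} -> {f.dst})", "dataflow", f.crosses_boundary)
    return threats


def summarise(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per STRIDE category."""
    return dict(Counter(t.category for t in threats))


# Constructed sample model: a browser user talks to a web app, which calls
# an internal auth service backed by a user database.
SAMPLE_ELEMENTS = [
    Element("Browser user", "external"),
    Element("Web app", "process", exposed=True),
    Element("Auth service", "process"),
    Element("User DB", "datastore"),
]
SAMPLE_FLOWS = [
    Flow("HTTPS request", "Browser user", "Web app", crosses_boundary=True),
    Flow("Token check", "Web app", "Auth service", crosses_boundary=False),
    Flow("Credential lookup", "Auth service", "User DB", crosses_boundary=False),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    for t in sorted(found, key=lambda t: (t.priority != "high", t.target)):
        print(f"[{t.priority:6}] {t.target}: {t.category} -> {t.mitigation}")
    print(summarise(found))
```

Running the script lists the high-priority threats first (the Internet-facing web app and the request flow that crosses the trust boundary), which is where the review of authentication and authorisation mentioned above should start; the per-category summary shows where mitigations are concentrated.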
All members of a software development team must receive appropriate training to stay informed about security basics and recent trends in security and privacy.
Don’t forget about penetration testing of your web application, server infrastructure and integrations with other systems in your corporate network. Pen testing adds value by reporting the issues found and by proposing guidance for improving system security.
Gartner’s guide to successful DevSecOps
DevSecOps is the embodiment of the “security is the priority” principle. Its goal is to create a mindset in the software development team in which everyone is responsible for application security.
Even simple steps can protect your project against cyber-security threats and improve your odds. Having good cyber-security measures in place helps protect your customer data and therefore your reputation. Based on what Gartner’s analysts learned from their own organisation and its clients, they prepared a 10-step guide to help set your business on a successful DevSecOps path:
- Adapt your security testing tools and processes to developers, not the other way around.
- Quit trying to eliminate all vulnerabilities during development.
- Focus first on identifying and removing known critical vulnerabilities.
- Don’t expect to use traditional DAST/SAST without changes.
- Train all developers in the basics of secure coding, but don’t expect them to become security experts.
- Appoint a senior security specialist to the project and implement a simple security requirements gathering tool.
- Eliminate the use of known vulnerable components at the source.
- Secure and apply operational discipline to automation scripts.
- Implement strong version control on all code and components.
- Adopt an immutable infrastructure mindset.
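Three of the steps above (fixing known critical vulnerabilities first, eliminating known vulnerable components at the source, and strong version control on all components) can be enforced in the build rather than left to policy. The following Python gate is an added example, not code from the article or from Gartner: it refuses unpinned dependencies, matches each pin against an advisory list, and fails the build only for findings at or above a severity threshold while reporting the rest as warnings. The package names, versions and advisory ids are constructed placeholders, and the severity threshold is an assumption.

```python
"""Dependency gate: block known-vulnerable components before they ship.

Added example, not code from the article or from Gartner. It reads a
pinned dependency list, matches each pin against a small advisory list and
fails the build only for findings at or above a severity threshold, so a
team fixes known critical issues first while lower-severity findings are
reported as warnings. All package names, versions and advisory ids are
constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    fixed_in: str      # first version that is not affected
    severity: str


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory: Advisory


# Constructed advisory list standing in for a real vulnerability feed.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "acme-web", "2.4.1", "critical"),
    Advisory("ADV-EXAMPLE-0002", "acme-logging", "1.9.0", "medium"),
    Advisory("ADV-EXAMPLE-0003", "acme-crypto", "3.0.0", "high"),
]

# Constructed lockfile in requirements.txt style.
REQUIREMENTS = """\
# pinned by the build; comments are ignored
acme-web==2.3.7
acme-logging==1.8.2
acme-crypto==3.1.0
acme-utils==0.5.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pins. Unpinned lines are a hard error,
    because a floating dependency can be neither checked nor reproduced."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        pins.append((name.strip().lower(), version.strip()))
    return pins


def scan(pins: List[Tuple[str, str]], advisories: List[Advisory]) -> List[Finding]:
    """A pin is affected when its version is below the advisory's fixed_in."""
    findings = []
    for name, version in pins:
        for adv in advisories:
            if adv.package == name and parse_version(version) < parse_version(adv.fixed_in):
                findings.append(Finding(name, version, adv))
    return findings


def gate(findings: List[Finding], block_at: str = "high") -> Tuple[bool, List[str]]:
    """Return (build_passes, messages). Findings at or above block_at fail
    the build; the rest are reported so developers can schedule them."""
    threshold = SEVERITY_RANK[block_at]
    passed = True
    messages = []
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f.advisory.severity]):
        blocking = SEVERITY_RANK[f.advisory.severity] >= threshold
        passed = passed and not blocking
        level = "BLOCK" if blocking else "WARN"
        messages.append(
            f"{level}: {f.package}=={f.installed} affected by {f.advisory.advisory_id} "
            f"({f.advisory.severity}); upgrade to >={f.advisory.fixed_in}"
        )
    return passed, messages


if __name__ == "__main__":
    ok, report = gate(scan(parse_requirements(REQUIREMENTS), ADVISORIES))
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)
```

The messages name the fixed version so a developer can act without consulting the security team, which is the "adapt tooling to developers" point; the threshold keeps the pipeline from failing on every low-severity finding, which is the "quit trying to eliminate all vulnerabilities during development" point. A real pipeline would replace the constructed advisory list with a maintained vulnerability feed and a proper version parser.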
As strong as the weakest link
Cybersecurity is not only about your company or your project. Your contribution adds value to the whole cyber community. Encouraging others to adopt security fundamentals makes everyone better off and builds your image as a trustworthy company.
To prevent cyberattacks, you need to act before it’s too late. Every company must have a fundamental understanding that the threat is real and that everyone is a target. Many businesses consider cyber security a cost-boosting compliance task that will only slow the project down, and so do only the necessary minimum. That’s a recipe for disaster.