The burden of software security often falls solely on security teams, but to be successful, organisations need to make security a team effort
Team projects can be difficult – remember group projects in school? – especially when individual motivations don’t align. But they can also be rewarding when work is shared and takes advantage of each team member’s strengths.
Software security is a kind of team project. Everyone in the organisation has an impact on security and risk.
You can install all the firewalls and intrusion prevention systems you like at the perimeter of your organisational network, but none of that is worth anything if your employees are not being careful about security.
- Somebody might install their own unsecured Wi-Fi access point
- Somebody might install remote desktop software with weak or no authentication
- Somebody might prop open the back door of the building so they can slip out for a cigarette
- Somebody might click a bad link in an email and end up with malware running on their computer
Clearly, IT security is more than just buying equipment and installing it in your network. You have to see the whole picture, and then apply defensive layers as appropriate. And it requires your entire organisation – not just one team – to work together.
For example, to protect against users clicking bad links, you can apply multiple controls:
- Train users so they are less likely to click on sketchy links
- Use antivirus software, which prevents some bad things from being run
- Segment your internal network so that if malware does get installed, it can’t immediately spread to all parts of the network
- Examine egress traffic or use some sort of data loss prevention solution so that if malware gets inside your network you have a chance of detecting whether it attempts to contact attackers or exfiltrate data
- Have an incident response plan so if bad things do happen, you have a smooth and practised approach for responding
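To make the egress-monitoring layer concrete, here is an added example (not code from the original article or from Synopsys) that runs two simple detections over constructed proxy-style log lines: regular, repeated connections from one host to one destination (beaconing), and single outbound transfers above a size threshold. The log format, hostnames such as `c2-placeholder.test`, and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress log lines for the example (not real traffic):
# <epoch seconds> <source ip> <destination host> <bytes sent>
SAMPLE_EGRESS_LOG = """\
1700000000 10.0.5.23 updates.example-vendor.test 1200
1700000060 10.0.5.23 cdn.example-vendor.test 4800
1700000120 10.0.5.23 updates.example-vendor.test 900
1700000000 10.0.7.41 c2-placeholder.test 310
1700000300 10.0.7.41 c2-placeholder.test 305
1700000600 10.0.7.41 c2-placeholder.test 312
1700000900 10.0.7.41 c2-placeholder.test 308
1700001200 10.0.7.41 c2-placeholder.test 309
1700000100 10.0.9.8 files.example-vendor.test 850000000
1700000500 10.0.9.8 mail.example-vendor.test 2300
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples,
    skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        events.append((int(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=4, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    Legitimate update checks are usually few and irregular; a steady cadence
    with little jitter is worth an analyst's look."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: 0 means perfectly periodic
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append({"src": src, "dst": dst,
                             "interval_s": avg, "count": len(stamps)})
    return findings


def find_large_transfers(events, threshold_bytes=100 * 1024 * 1024):
    """Flag single outbound transfers at or above the size threshold."""
    return [{"src": src, "dst": dst, "bytes": nbytes}
            for _, src, dst, nbytes in events if nbytes >= threshold_bytes]


def analyse(text):
    """Run both detections and return the findings grouped by kind."""
    events = parse_log(text)
    return {"beacons": find_beacons(events),
            "large_transfers": find_large_transfers(events)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_EGRESS_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample data the script reports one beaconing pair (10.0.7.41 contacting `c2-placeholder.test` every 300 seconds) and one large transfer (850 MB from 10.0.9.8). Both rules are deliberately simple; in practice you would tune the thresholds against your own baseline and feed the findings into the incident response process the next item describes rather than treating them as verdicts.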
This is a comprehensive and reasonable approach to IT security. The problem is that time and money are finite – and malicious intent is infinite. You can never be 100 per cent secure. The challenge is to apply the available resources to achieve the greatest possible reduction in risk.
IT security is about using software; application security is about creating it.
Just as with IT security, application security (AppSec) is everyone’s responsibility. Unfortunately, when everyone is responsible, too often no one is responsible. Everyone assumes someone else has taken care of it.
The security of an application is the culmination of decisions made at all phases of development. Weaknesses can be introduced anywhere.
You can’t simply buy tools and apply them to the problem. It doesn’t do any good to locate and eradicate code weaknesses if the design of the application has inherent weaknesses. Likewise, if you rely on threat modelling, you might eradicate some design weaknesses, but you might write horrible, buggy code when you implement it. If you attack security from both the design and implementation phases, you can find and fix both design and code weaknesses, but that still won’t do any good if you deploy the application on an inadequate container image.
Perhaps you do everything right by incorporating security when designing, implementing and deploying the application. Even so, if a new vulnerability comes up in one of the open-source components of the application, you still have a big problem.
When we say that security needs to be part of every phase of software development, we really mean every phase, from design to maintenance. As such, it requires everyone involved to do their part.
by Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group