Starting a new project is exciting, with lots of new possibilities, interesting challenges, and the potential for great returns. There are also many questions: Who do I have available? What’s the right technology? What data am I protecting? And there is the inevitability that my deadline is tight and management wants to see an early demo in three weeks, so we need to move quickly on this. On and on it goes… So, you start prioritizing things to meet your deadlines. Alice is available to do the design and Bob is good with iOS (and quick, too). Great. But I still need someone for Android… Oh yeah, security. Not sure about that one, but we’ll just put it behind a firewall and figure it out later.
Security is critical to this product. You know it, but you’re not doing anything about it – yet. It’s just this nagging little voice in the back of your mind as you’re rushing to meet your deadlines and show progress. Yes, we’ll get to it, but nobody can see whether it’s there or not in the demo. So, it’s easy to put off. STOP. How many large data breaches have you heard about in the last month? In the last week? As the custodian of the data that your application collects, you are responsible for keeping it safe and secure. And if you think you’re immune because you’re a small- to medium-sized business, think again. According to a PwC study, 74% of small businesses had a security breach in 2014, up from 60% the year before.
More importantly, you will be asked about security from clients, customers, investors, and legal departments. You might not have all the pieces in place as you start out, but at least you want to have a plan to be ready with answers.
Having good security is good for your business. It’s better for your brand and improves the value of your offering. You may know all of this already, but with management tapping at your door, there is a strong temptation to push security later and later to accommodate higher “priorities.” However, security doesn’t have to get in the way. Good security is an attitude and a culture that you need to bring to the project. Every time you delay addressing security, you’re accumulating technical debt that will require repayment at some point – usually at the most inconvenient time.
What are some common security fallacies?
- Security by obscurity (no one really thinks about it in these terms). A more likely thought process would be: “Don’t worry about that yet. We’re a small target. Who would attack us?” In reality, attackers have the tools, skills, and time to find and exploit hidden functionality and stealthy backdoors. For example, United Airlines’ mobile application and Web application didn’t protect critical functionality in the same way. This glitch could have allowed attackers to obtain valid MileagePlus numbers and use them to gain access to other account data without authorization.
- Front Line / Perimeter Security. This is the idea of hiding an application behind a firewall and pretending that everything is okay. However, this is really not the case. According to Forbes magazine, 84% of attacks today happen through the application layer.
- It’s someone else’s responsibility (e.g. AWS will provide the security). Not to pick on AWS, but most hosting services are not in the business of securing applications. They provide the platform and security is your responsibility. This is well put by Colin Bodell, CTO of Time Inc.: “AWS is great for physical security and network security, but when you are building an application, you have to own that security yourself – Amazon does not know what you are building.”
To paraphrase an old security saying, the best time to start implementing security was yesterday, and the next best time is today. So, where do you start?
- Understand the data collected, transmitted, and/or stored, which parts need to be protected, and the best approach to protect them.
- Authentication and authorization: Are you going to offer federated authentication (e.g. OAuth, OpenID, etc.) or use your own – or both?
- Review the OWASP top 10 and generate a set of secure coding guidelines that will work for your team.
- Minimize your attack surface: How many entry points could be used to attack the application? What is VPN-accessible only? What walls exist internally to contain the scope of a breach?
- Maintain an inventory of all third-party libraries and components that you use.
- Raise internal awareness that security matters, so good practices take root and continue to grow. Security is a moving target.
If you’re not sure what some of these things are or how to go about them, simply ignoring the problem won’t improve it. Look to partner with someone who has a good security process and learn through doing, or bring in an expert. Starting here will give you a good foundation for future security activities.
Guest Author: Sherif Koussa, Director of Application Security Services, Software Secured