Avoid data breaches by adopting a Secure Development Lifecycle (SDLC)
Keep data on lockdown
Data security problems come at a big cost for big businesses. Just look at the record-breaking $650M Equifax settlement, Target’s estimated $18.5M payout, and Facebook facing a $29M security lawsuit. The list goes on to include other big names like Capital One, which exposed 100M+ customers’ sensitive information, an incident that resulted in the ousting of the Chief Information Security Officer (CISO). Simply removing the CISO doesn’t right the wrong.
Organizations with subpar security practices risk losing everything. Cybersecurity needs to be factored in from the initial stages of product development and not treated as an afterthought. A security breach crisis is avoidable.
Developers should adopt a security mindset during all stages of product development, otherwise known as the practice of SDLC. That means addressing security from the get-go and prioritizing it, even for clients with security teams in place. After all, preventing a bug is always better than fixing one later on.
“The Systems Sciences Institute at IBM reported that the cost to fix a bug found during the implementation stage is approximately six times more expensive than one identified during design; the cost to fix an error found after product release is then four to five times as much as one uncovered during design, and up to 100 times more than one identified during the maintenance phase.”
– The Computer Business Review
Consider critical aspects
When defining product requirements, keep the following in mind:
Transport protocol: Consider data link protocols for how (data) packets move from one node to another. According to PC Magazine, transport services are defined in layer 4 of the OSI (Open Systems Interconnection) model, an ISO standard for worldwide communications. This model defines a framework for implementing protocols in seven layers.
User input data and session lengths: Look at how the system stores user data—both information users enter and metrics regarding the duration of their sessions. Does the system need to use this information, and, if so, how?
Data security (or information security): Examine measures barring unauthorized digital access and protecting data from corruption. These include backups, data masking, data erasure, encryption, and authentication.
Automate a security workflow
To reduce security costs, implement a workflow for both static (scanning the source code) and dynamic (scanning the deployed testing version) code analysis. This workflow includes reviewing code to find and fix bugs with security scanners and analyzers—as well as reporting findings back to the development team.
Workflow example using OWASP
Static code analysis. OWASP SonarQube integrates cleanly into code development and launches either from a continuous integration (CI) environment (such as TeamCity or Jenkins) or a local machine. Since the scan is attached to the build process, there is no overhead cost for development. After a successful build, the scan results populate automatically.
Dynamic code analysis. Dynamic analysis runs against the deployed testing environment. OWASP ZAP is a great tool to integrate since it exposes an API. Once the whole deployment chain is set and a push to the testing environment succeeds, make the call to the scanner. The URL is passed as a parameter, and later on, the scanner outputs the results to the desired destination.
Penetration test. With static and dynamic analyses running throughout the development of the product, the final touch is a penetration test. The product is analyzed following the OWASP Web application security checklist. Since the automated scans look for low-hanging fruit, the manual test focuses on the more in-depth logical tests. Usually, the problems lie in data validation, differing understandings of what counts as privacy-focused, and exposed API methods. For these kinds of tests, implement a manual review.
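The dynamic analysis step above, sketched as a CI gate. This is an added example, not code from the original article: it passes the test environment URL to the ZAP JSON API, waits for the spider and active scan to finish, and fails the stage on findings at or above a chosen risk level. The target URL, the ZAP address, the `fail_at` threshold and the `fake_zap` stub are assumptions made for illustration.

```python
import json, sys, time, urllib.parse, urllib.request

RISK_ORDER = ["Informational", "Low", "Medium", "High"]  # ZAP risk labels, ascending

def zap_call(base, api_key):
    """Return a function that calls one ZAP JSON API endpoint over HTTP."""
    def call(path, params):
        url = f"{base}/JSON/{path}/?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def wait_done(call, component, scan_id, poll):
    """Poll the spider or active-scan status until ZAP reports 100 percent."""
    while int(call(f"{component}/view/status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll)

def scan_and_gate(target, call, fail_at="Medium", poll=5):
    """Scan the deployed test URL; return (passed, blocking findings)."""
    for component in ("spider", "ascan"):  # crawl first, then active scan
        scan_id = call(f"{component}/action/scan", {"url": target})["scan"]
        wait_done(call, component, scan_id, poll)
    alerts = call("core/view/alerts", {"baseurl": target})["alerts"]
    floor = RISK_ORDER.index(fail_at)
    blocking = {(a["risk"], a["alert"], a["url"]) for a in alerts
                if RISK_ORDER.index(a["risk"]) >= floor}  # set drops duplicates
    ordered = sorted(blocking, key=lambda f: (-RISK_ORDER.index(f[0]), f[1], f[2]))
    return (not ordered, ordered)

def fake_zap(path, params):
    """Constructed stand-in for a ZAP daemon so the example runs offline."""
    if path.endswith("action/scan"):
        return {"scan": "0"}
    if path.endswith("view/status"):
        return {"status": "100"}
    base = params["baseurl"]
    return {"alerts": [  # constructed sample findings, not real scan output
        {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": base + "/login"},
        {"risk": "High", "alert": "SQL Injection", "url": base + "/search"},
        {"risk": "Medium", "alert": "Absence of Anti-CSRF Tokens", "url": base + "/profile"},
    ]}

if __name__ == "__main__":
    # In CI, swap fake_zap for zap_call("http://localhost:8080", api_key).
    passed, findings = scan_and_gate("https://test.example.internal", fake_zap, poll=0)
    for risk, name, url in findings:
        print(f"{risk:8} {name} -> {url}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run it as the pipeline stage that follows a successful push to the testing environment; the printed findings are what gets reported back to the development team.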