Bake Security into your SDLC from the beginning

Man these look good!!

In 2015, 21M US Citizens records were hacked at the Office of Personnel Management. In 2016 Yahoo had 500M records for account stolen and lost $250M in equity when getting bought by Verizon. In 2016 there were SWIFT bank transactions totaling $18B stolen. Also in 2016 my good friend’s wife saw the MedStar hack first-hand when they did not patch their software and had a ransomware situation. At a hospital! Recently in 2019 there were refrigerators hacked in the UK because of lax security built in. (Yes REFRIGERATORS as IoT). Stop me if you have heard these and more! Security is a big deal. And with the “software is eating the world” movement and “every company is in the software development business” being preached, building secure software is even more of a HUGE DEAL for everyone.

This post (or rant, or evangelical musing) goes into a few ideas, best practices, rants, and other things I am begging you to implement as you and your groups develop software at a faster pace than your competition. It is not a “do all this and you will be safe” listing. There is no one-stop secure-it-all outside of going back to paper with invisible ink. The network, computers, mobile phones and Internet are here to stay. So let’s use them securely and correctly.

Maybe it is because I am in my 40’s and I lived through part of the cold war and 911 and have experience dealing with more threats than people remember today. Maybe it is because I am a seasoned CS person and it bugs me when people do not do the small things to secure software. Or quite possibly, it is because I have 3 different free “identity securing” companies monitoring me for free because people did not secure their systems correctly. Regardless, this is bugging me so I am going to mention my thoughts. I will give my soap box back when I am done…

Things to do in the here and now

Below is a listing of ways to implement security starting right now. I hope this is just a listing of things you are already doing. However, each year and each new project I work on I am finding that people do not do the things below consistently enough. And I do not see it being taught in schools, colleges, code camps, or the newer institutions that just teach you how to develop software. Please read through these below, pause, think on them, write down notes, or even comment on things I may have missed or could do better so others can get great software security ideas from you! We all need to get better at this as a group.

Ensure people understand and implement the OWASP Top 10

The OWASP Top 10 is a listing of the most critical web application software flaws encountered. The sad thing is this: the list has not really changed much since 2010. Things in here range from checking authentication, not validating and restricting input, cross site scripting, to access control. These are all things that can be mitigated or possibly avoided when given enough of the right attention. This listing every single developer, tester, project manager, and cybersecurity person should understand and think about from day 1. Start this at the napkin drawings, whiteboard sessions, even when writing proposals for going after work. This level of detail in thinking needs to be there from the outset or you will spend 2x as much money and time retrofitting it. I have been at companies I joined that asked me to do just that for them AFTER the fact.

OWASP.org Top 10 image from 2013

This is a big one here so make sure you and any people you work with know what this is and understand the issues and the ways to defend against them.

Test all access — every single time

You need to test access on data on every page load at all steps of the process you are mapping or automating. Do not just validate the login and then expect all data passed in forms and URLs (id’s, user information, etc.) to never ever be hacked at whether on purpose or on accident. Passing in an ID in the URL in plain site but not validating that the current person is 1) logged in and 2) is supposed to see that data and act on it allows episodes like I listed at the very top of this post to happen. You need routines to test the user and data access on page loads, API calls, etc. every single time. You may think it slows down the processing time but that few milliseconds of processing could save you hundreds of millions of dollars. Or maybe, just save you your job!

Test data going in and coming out every single time

It should go without saying you should test all data input. Really you are testing data integrity. For web forms and other HTML based things, that means making sure the data is valid (i.e. alphanumeric only, maximum and minimum length, use only numbers, no special characters, whatever your rules are) on every single data input. And any form button or link that posts or sends data should validate it client side AS WELL AS server side to be sure on the sending of data. Any data being sent out should also be validated before it is used. And any data coming from a database, an API, a file, a command line interface (CLI) should be validated before being used so you only use valid data and it is only used for functions or operations that are valid for that data.

Verify data coming and going

Some things I have run into are bad data in the database, APIs not validating data in queries, as well as data from other federated systems being trusted without being tested. “Trust but verify” comes to mind. Bad data could be from earlier issues fixed but that have not been cleansed (i.e. javascript code saved in a text area and used later when viewing the data). APIs that have data passed in via URL parameters not being checked has gotten my project / group into trouble as well. You can catch some of this with tools such as the ZAP tool, MicroFocus WebInspect, and other automated tools to help you catch these things before they go into production. However getting into this mindset as a cultural mantra across your projects will go a lot further as we are stronger together.

The rise of distributed systems, the “network being the computer”, Software as a Service (SaaS) systems, and eventual consistency across microservices exchange data behind the scenes only makes this harder and requires more vigilance. You need to test all egress and all ingress of data to and from your systems properly to mitigate against accidental or purposely harmful data.

Use DevSecOps to your advantage from the beginning

The latest talk over the last several years involves DevOps and DevSecOps where you have Security at the table. Really it should be SecDevOps or SecDevSecOpsSec. You must have security at all ends of this process. If you have an automated process that helps you build, test, delivery, and deploy your application code please ensure there are a few things in that process.

  • Static Scans of software through tools like SonarQube
  • Unit testing — the real kind where you are looking for issues not the “I have 80% coverage to check the box” kind of unit testing
  • Storing of artifacts you build and use (Nexus or Artifactory fit well here)
  • Scanning of software components, including open source libraries, NuGet, npm and Maven repos as well (Nexus or Artifactory fit well here)
  • If using containers, ensure you are scanning the image as well as the running container (image + environment + configuration) using tools such as StackRox, Twistlock, Anchore and the like
  • Use of Selenium or other UI testing like Cypress.io to catch issues in the user interface
  • Using JMeter or other performance testing tools to look for issues under high stress

You may not be able to do all of this right away however you should work to have this in your process and as automated as possible. Not only to get more secure software but higher quality software as well through constant proper testing.

Encrypt your Secrets/Passwords

Yes. I know. Why the &*%&$^ would I have to say this right? But I will say it. I do not like to ASS-U-ME anything. Please do not include your secrets and passwords in your code. Those passwords should be a configuration or environment thing and should be encrypted when in use just in case someone happens to get into your system or happens to run across the information. Make it harder to steal and to use. Just like flowing water, thieves go after the easiest route and path of least resistance.

And please cleanse your code of keys, passwords, .xxxxx files with secrets, etc. via code reviews or even a checklist to go through and check common places and problems in dealing with this. Get into the habit of purging this information from GitHub and other code repos. Let that be a gate before merging code into your develop, release, or master branches and tags.

Enforce strong passwords and multi-factor authentication

Again. Why the *&%$#@ would I say this as well? Because I STILL run into this. WTF. Seriously? Strong passwords have at least 1 uppercase, 1 lowercase, 1 special character, and 1 number. And they are over 12 characters long. Mine have 2/2/2/2 and are usually 20 characters or so long. I practice what I preach. And you should not use real words in them or replace 1 letter with a similar special character like ‘P@ssword’. Use a password manager app on your phone if you need to (after you secure your phone with a biometric lock like your face or finger or at least a PIN). But force strong passwords. And use things like the Google Authenticator app or other 2 factor devices (cards, RSA ID token generator, Yubikey, etc.) to have 2 ways you need to validate you are who you say you are in your applications.

Enforce strong passwords and multi-factor authentication (MFA) to secure your systems

While you are at it, make sure your own phone, internet account, bank account, credit card(s) account, and all other main pieces use this where you can. Even on Facebook. ESPECIALLY on social media! If your bank or company cannot support that, I suggest switching institutions as they do not take your privacy seriously regardless of what their marketing sites and brochures say.

Encrypt data at rest

Your data that is sensitive should be encrypted, whether it is your social security number or credit card last 4 digits with your name/address or some combination that can be used to fake identity. Encrypted with AES256 or higher encryption. Not just hashed and/or salted. Encrypted. There are more ways to do this now than ever including on the larger AWS and Azure platforms. Or just with SQL Server, Oracle, or even SQLite3. Use it. Computer processing power is so far along that the time to encrypt/decrypt in milliseconds is well worth the security of the system and its precious data.

Worst case do the encryption client side however, most of the time you can perform this on the server and set it to be done automagically by the systems themselves. You also want to use HTTPS to access APIs and websites or use other TLS mechanisms in your systems that talk across networks. Even if on your own private network or inside Kubernetes with software defined routing, you really should have mutual TLS between systems to ensure security and identity. There are more and more systems like Istio, Envoy, and the like that help you do this with older applications as well as newer API microservices in containers. Learn them and use them in a least-privileged manner as much as you can. Take the time to set that as a requirement up front.

Use Configuration Management to your advantage

I mentioned Nexus or Artifactory above on purpose. Those companies’ tools not only help with security concerns they help with configuration management. CM is one non-sexy thing people overlook and do not fund correctly. However, it is very important nonetheless and should be used to your advantage for security purposes at least. Tools like these above help you track what software you are using, at what level and what version. They also can help scan for vulnerabilities actively across an entire enterprise for you to know where issues lie and where to concentrate your security concerns. For larger enterprises or government organizations with tens or hundreds of applications, this is a no-brainer.

Configuration Management shows you what you have, where, how much, what versions, who is responsible, basically all the pieces you need to track and manage security across your software portfolio. There are tools like those mentioned above to help you automate this. Use them to your advantage!

Training on Security Concerns

This is one that people do not always like. However it is needed as well. And I am not talking on the DoD security training done in Adobe Flash (see the irony there!?!?). I mean real training that is either online, in person, done via mentoring sessions, or even done via conferences that is interactive and talks to security in your SDLC and design. Training is not just for the software developers and engineers. It is for testers and administrators and PMs and PjMs and anyone else involved anywhere in the production and delivery of software. Having a culture that treats security seriously means your software projects, however small they be, will have security in mind from the beginning.

So what now?

That is a lot of things to take into account. It is. And it should be. Security is no small feat. However you do not have to do them all at once. Those gaps you have now you should start to fill with some of these things for sure. And your smart people in your group can help you determine when and how you can implement these. Not all of these are free to do however all of these should be looked at to see where they can help you improve your software development security. Ask any white hat hacker, information assurance, or cybersecurity professional and they will probably say “Yes” on all these and maybe more. I know my cybersecurity friend is smiling as he reads this right now!

Security is every single person’s concern when it comes to development, integrating, and producing software and systems. Having this mindset and implementing several of these types of processes and tools mentioned above over time will get you into the habit of producing more secure software. And it will help your cybersecurity professionals sleep just a tiny bit better at night.

Ok. Rant done. I relinquish my soap box…for now.

--

--

--

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Technology Convergence for the Integrity of Position and Time Data

Situation Room #8: Security leadership under COVID-19

About Corona Crypto

Cacti Biometric Unlock — Cacti Vault

Data Center 101: infrastructure, operations, markets

Save 4 percent of your turnover by taking steps to comply with the GDPR

Cybersecurity Against Social Engineering

[Project]How to perform active sniffing

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

More from Medium

Debug Walkthrough: Exploiting SSH MOTD and PHP Deserialization

Invoke PHP script deployed to Oracle Cloud Functions using Fn HotWrap

PHP Type Juggling

Safely Store Your Passwords with a Client-Side Web Application