Prioritizing cybersecurity

In this post, DevelopIntelligence instructors Frank Rietta and Vikas Rewani discuss prioritizing cybersecurity. This involves secure software development practices, as well as cross-functional security planning and training.

Unfortunately, the quest to be first-to-market with new products and features sometimes leads organizations to cut corners in the software development process. As a result, companies too often release functionality without thorough security testing. Despite increased cyberthreats, many project owners consider security as a low-priority requirement. They do not allocate sufficient budget and resources to address security needs.

Typically, startups need to produce revenue quickly in order to attract and retain investors. However, this speed-first mindset can persist as a company grows. For example, are you incentivizing your team to get products into customers’ hands rapidly?

Constrained budgets and timetables can lead companies to prioritize “visible” bells and whistles over “invisible” security features. You can see this bias in the quality control and automated testing practice. Often, a test plan focuses on what the user is supposed to be able to do, as opposed to what they might do in a worst-case scenario. What if someone abuses the software by inputting invalid or intentionally malicious data?

In short, prioritizing cybersecurity requires adopting secure software development processes.

“Best security practices balance the need for speed and vigilance.”  — Frank Rietta

The structure and siloing of a large enterprise organization can thwart security efforts. For instance, security often lives under the IT umbrella, while software development is part of R&D.

Further, organizations may utilize a combination of technical resources—in-house, outsourced, onshore and offshore—all reporting to different people, who have varying business goals.

For optimal security, an organization’s security and development teams need to work together closely. “Security cannot accomplish its goal without involving those who can actually change code,” explains Frank Rietta, who teaches Threat Modeling, Secure Coding, and Security Project Management with DevelopIntelligence. “If R&D views the security group as ‘outsiders’ or ‘paranoid,’ and goes to production effectively ignoring security, then the enterprise will not be successful at reducing organizational risk.”

Additionally, a comprehensive security strategy requires collaborating across all departments in an organization. Human resources, customer service, and other areas can be entry points for cyber attacks.

“Every domain, organization, department, and team has specific security needs,” notes Vikas Rewani, who leads DevelopIntelligence courses in Threat Modeling, OWASP Top 10 Vulnerabilities, and Security Architecture. “While there are some commonalities across groups, it’s important to consider the following topics when designing your security strategy.” The details for each topic often vary by organization and even by department:

1. Regulatory requirements
2. Compliance requirements
3. Network/infrastructure requirements
4. Physical security requirements
5. Information/data security
6. Data purging and backup requirements
7. Web security requirements

Software development teams need to plan for security during the requirements phase of the software development lifecycle (SDLC). Just as it’s important to have QA at the table when defining software requirements, you want a security expert involved on the ground floor of every software project. For each requirement (or user story), the team should ask themselves, “What’s the worst thing that could happen?” Then, they need to make sure the acceptance criteria addresses that worst-case scenario.

“Remember, a security team cannot be successful if they lack cooperation from other teams. In big organizations, silos and competing interests among those with budget authority can lead to unproductive corporate politics and leave organizations at risk.” — Frank Rietta

Prioritizing cybersecurity is a critical non-functional requirement in all development efforts. It’s far easier to build in security at the outset of a project than to fix a vulnerability after a product is already in customers’ hands, or worse, after a breach has occurred.

“Developers need to be able to anticipate potential security vulnerabilities and threats,” explains Vikas Rewani. “Then, they need to build the software with these security considerations in mind.”

Additionally, your entire organization needs a basic understanding of the overall security landscape. “Prioritizing security is the responsibility of every employee,” says Vikas Rewani. So, you need to do a pulse check in every department to gauge team members’ awareness of and attention to security issues. “Do team members know what issues to look for and why they are important?” he asks. “Are they looking often enough and in the right places? And most important, if a team member spots an issue, does the person know the steps for responding?”

A comprehensive security training plan encompasses all the topics above, tailored by department. Training also needs to highlight industry and domain-related best security practices. All employees need to understand the importance of security and the consequences of ignoring it.

Threat modeling provides a good understanding to the security team of how attacks can happen. In brief, the threat modeling process includes identifying potential attack surfaces, trust boundaries, assets, access points, and threats. Then, the security team needs to prioritize these threats and secure attack surface entry points.

Larger organizations have a bigger attack surface, which means more potential threats. Threat modeling methodologies and frameworks lack automation and require manual efforts plus constant vigilance.

Once upon a time, many organizations focused on firewalls and other security products to protect their data assets. Most cyberattacks, however, happen because of human errors and broken business processes instead of inadequate tools. So, equipping your company with more security tools isn’t going to provide the protection you need. Well-trained humans are the linchpin of your defense. Prioritizing cybersecurity is ultimately about people, processes, and technology (in that order).

About Vikas Rewani

Security evangelist Vikas Rewani is a certified Threat Modeling Application Security Champion and certified Application Security Champion. He earned his Bachelor of Engineering degree in Computer Science & Engineering from Rajasthan University. With expertise in threat modeling, OWASP Top 10 vulnerabilities, and web security, he designs and conducts customized security training on topics such as Secure Coding, Security Architecture, and Microservices-related security practices. 

About Frank Rietta

Frank Rietta holds a M.S. in Information Security from Georgia Institute of Technology. He is a web application security architect, expert witness, author, speaker, and CEO of Rietta.com. He successfully lobbied the Georgia Governor’s veto of a cybersecurity law that would have prevented important security research. Rietta contributed to the security chapter of the 7th edition of the Fundamentals of Database Systems textbook published by Addison-Wesley.