12 Steps to Secure Software

post thumb
Best Practice
by Christian Schneider / on 13 Apr 2024

Secure Software Development

In the rapidly evolving landscape of digital technology, the Secure Software Development Lifecycle (SSDLC) emerges as a crucial bastion against the ever-increasing threats in cyberspace. Yet, many companies, particularly those at the nascent stages of their cybersecurity journey, grapple with where to begin. This article aims to demystify the path forward, spotlighting the low-hanging technical fruits in secure software development that can substantially bolster your defenses.

12 Technical Leverage Points

The twelve steps I’ve outlined are intentionally focused on technical measures, chosen for their ability to scale swiftly across a corporation and make an immediate impact on enhancing cybersecurity. However, it’s crucial to recognize that the journey to robust IT security doesn’t end here: Process and organizational measures play an equally vital role in creating a comprehensive defense strategy. These aspects, which encompass the broader cultural and procedural framework within which technology operates, will be the focus of my follow-up article, ensuring a holistic approach to securing your digital landscape.

Within this article, each of the twelve security steps is not only dissected for its inherent value but is also aligned with DevSecOps principles, highlighting its relevance in integrating security into continuous delivery and deployment workflows. Additionally, for organizations leveraging the cloud, guidance is provided on how each step can be effectively applied in a cloud-based setting, ensuring a comprehensive security posture that resonates with both traditional and modern IT environments.

0.Awareness
Before we dive into the 12 essential steps to secure your software development, let’s talk about my sneaky step 0: Awareness. It's like the invisible ink of my security blueprint: not officially one of the 12, but underpinning everything we do. Just remember, while implementing these steps, awareness should already be twinkling in the back of your mind, laying the foundation for a fortress of security.
 
Why

Awareness is the foundational step in any cybersecurity strategy, crucial for understanding the importance of security measures and fostering a culture of vigilance. By recognizing the potential risks and the impact of security breaches, organizations can prioritize and commit to comprehensive security practices.

NIST mandates the implementation of security awareness and training programs as part of its comprehensive cybersecurity guidelines, ensuring that all personnel are educated about their roles in safeguarding information systems. For more details, refer to NIST Special Publication 800-50.

How

Cultivate awareness through regular training sessions, engaging seminars, and updated security briefings that keep all employees informed about the latest security threats and best practices. Additionally, utilize internal newsletters, security awareness posters, and e-learning modules to ensure that security remains a visible and ongoing priority throughout the organization.

Incorporate Live Hacking Events as powerful eye-openers to demonstrate real-world vulnerabilities and the ease with which breaches can occur.

 
 

Now, let’s begin to uncover the 12 technical leverage points…

1.Patch Management of Systems & Dependencies
WhyThis is an excellent starting point, as keeping systems and dependencies up-to-date through Software Composition Analysis (SCA) is one of the most effective ways to protect against known vulnerabilities with relatively low effort.
HowImplementing this step can involve using scanners like Grype or Trivy to detect vulnerabilities in your built artifacts, and tools like OWASP Dependency Check or OWASP Dependency Track for managing library dependencies. These tools scan your project dependencies against a database of known vulnerabilities, providing insights and recommendations for updates or patches.
EffortMedium: The initial setup and integration into your development workflow can take some time, but once configured, these tools run automatically, making the effort mostly upfront and then periodic for updates and reviews.
DevSecOpsYes: These tools can be seamlessly integrated into DevSecOps CI/CD pipelines.
Cloud

Cloud environments often automate the patching of hosted services and infrastructure, significantly easing this aspect of security management. However, for custom applications and third-party dependencies, the responsibility usually falls on the cloud customer to ensure they are regularly updated, leveraging tools provided by the cloud platform for automation where possible:

 
 
2.Hardening of Infrastructure & Configuration
WhyHardening systems early in the security enhancement process is wise, as it reduces the attack surface by eliminating unnecessary services and securing configurations, providing a strong foundation for subsequent steps.
HowHardening Infrastructure and Configuration involves adhering to secure standards like CIS Benchmarks, using specific tools for Docker and Kubernetes security assessments, leveraging minimal footprint images for containers, employing IaC scanning with tools like KICS, and conducting Linux system audits with Lynis.
EffortHigh: Initial setup and understanding of benchmark standards can be time-intensive, but adopting automation tools can streamline the process.
DevSecOpsSomewhat: Security scans of infrastructure can be automated to run at regular intervals outside of commit pipelines, ensuring ongoing security assessments without impeding the continuous integration process. IaC scanners can be integrated into CI/CD pipelines to catch misconfigurations early.
Cloud

Utilize the cloud provider’s best practices like setting up security groups, network access controls, and ensuring that default configurations are changed to secure settings. Automation and template-based deployments can help maintain consistency across environments. Where possible, leverage cloud-native security tools to monitor and enforce security configurations:

 
 
3.Static Code Analysis
WhyIntroducing automated tools to identify potential security issues in the codebase is a logical next step after securing the underlying infrastructure, as it builds security directly into the software development process.
How

Static Code Analysis can be performed using commercial tools or a blend of the following open-source tools, depending on your programming language:

EffortMedium: While integration into the development workflow is straightforward, setting up and configuring the tools to suit your specific needs may require some initial investment in time.
DevSecOpsYes: These tools can be easily integrated into CI/CD pipelines to automatically scan code for vulnerabilities.
Cloud

Cloud-based tools can be configured to scan source code during the build process, providing real-time feedback to developers on security issues, for example:

 
 
4.Secure Coding Requirements
WhyEstablishing and adhering to secure coding standards is a natural progression from static code analysis, ensuring that developers are guided by best practices from the outset.
HowDevelop Secure Coding Requirements by customizing guidelines based on your tech stack, referencing OWASP Top 10 and OWASP API Top 10 for common vulnerabilities and using OWASP Cheat Sheet Series for best practices in specific areas like authentication, session management, and encryption. It’s crucial to include fundamental security principles such as Separation of Data & Code, Input Validation, Least Privilege, Fail Safe Defaults, Encapsulation and others.
EffortLow: Customizing secure coding guidelines requires just an initial investment to align with your specific environment.
DevSecOpsNo: Secure coding requirements are more about setting an initial standard rather than direct CI/CD integration. Compliance is typically verified through code scans, already covered in Step 3.
Cloud

Use cloud-based development environments that enforce these practices and offer real-time feedback to developers on security issues. Seize the resources provided by cloud platforms to educate developers on secure coding practices and ensure compliance with security standards:

 
 
5.Secure Coding Training for Developers
Why

Training developers on security best practices (referencing the secure coding requirements) complements the previous step by reinforcing the importance of security and empowering developers to write secure code.

NIST mandates the implementation of security awareness and training programs as part of its comprehensive cybersecurity guidelines, ensuring that all personnel are educated about their roles in safeguarding information systems. For more details, refer to NIST Special Publication 800-50.

HowEffective security training should be engaging, with a mix of hands-on exercises and real-world scenarios that resonate with different roles within the organization, from developers and testers to architects and ops teams. Tailoring content to the company’s tech stack and deployment strategy makes the training more relevant and impactful. The training should emphasize the overarching aspect of Defense in Depth: Layering security measures so that if one mechanism fails, another is in place to protect the system.
EffortHigh: Creating comprehensive, role-specific training that’s both informative and engaging demands substantial resources but stands as a strategic investment towards fostering a sustainable security culture and mitigating risks effectively.
DevSecOpsNo: Security training isn’t directly integrated into DevSecOps pipelines.
Cloud

Leverage online platforms and cloud provider resources for up-to-date security training tailored to cloud development. Encourage participation in cloud-specific security training programs and certifications to build awareness and expertise:

  • For AWS, explore the AWS Training and Certification for Security, which offers various resources to help developers understand security best practices, including secure coding for cloud environments.
  • For Azure, Trust Center provides a comprehensive guide on developer security best practices.
This step is positioned later in the sequence primarily because comprehensive security training does not scale as swiftly across larger organizations compared to earlier measures. In smaller companies, implementing widespread training might be more feasible early on due to fewer personnel, allowing for quicker, organization-wide education. 
 
 
6.Internal Application Security Verification
WhyConducting internal reviews and verifications of application security helps identify and mitigate issues early, leveraging the foundation built by the preceding steps.
HowFor Internal Application Security Verification, utilizing frameworks like OWASP ASVS provides a comprehensive checklist for verifying the security of web applications against industry-standard benchmarks. Tailoring these guidelines to fit the specific needs of your organization enhances the effectiveness of your security practices.
EffortMedium to High: Implementing a thorough security verification process using standards like OWASP ASVS requires an initial investment in understanding and adapting the guidelines, but the ongoing effort ensures robust application security.
DevSecOpsSomewhat: While OWASP ASVS isn’t directly integrated into DevSecOps pipelines, its guidelines can inform automated security testing and code review processes, helping to maintain high security standards throughout the development lifecycle.
Cloud

Conduct security assessments using cloud-native tools or third-party solutions integrated with the cloud environment:

  • For AWS, the AWS Security Hub provides a comprehensive view of your security state within AWS environments and can automate checks against security industry standards.
  • For Azure, the Azure Security Center offers a unified infrastructure security management system that strengthens the security posture.
 
 
7.Threat Modeling
WhyThis step involves a more strategic assessment of potential threats and is appropriately positioned after some internal security measures have been established, allowing for more informed threat modeling.
HowInitiate threat modeling with guidance from the Threat Modeling Manifesto to understand principles and practices. Integrating free tools like AttackTree and Threagile offer structured methodologies for identifying threats in a top-down and bottom-up manner, respectively. Typically, this process is led by a security architect or a dedicated coach for the initial models to ensure thoroughness and accuracy.
EffortMedium: Initially high as the team learns the process and creates the first set of models with expert guidance. Over time, maintaining and updating these models as part of regular development cycles requires significantly less effort, becoming more efficient as the team gains experience.
DevSecOpsSomewhat: Threat Modeling can be partially integrated by using tools with APIs or CLIs, such as Threagile and AttackTree, to automate checks against threat model outcomes.
Cloud

Use threat modeling tools with cloud-specific templates to assess risks and design mitigations. Ingest cloud-specific tool suggestions from the cloud provider’s security resources:

  • For AWS, the AWS Well-Architected Tool can help you review your workloads against AWS best practices and identify potential security risks.
  • For Azure, the Microsoft Threat Modeling Tool provides threat modeling capabilities to help you identify and mitigate security risks in your Azure environment.
 
 
8.External Penetration Testing
WhyBringing in external experts to test the security of applications adds an additional layer of scrutiny and is well-timed after internal assessments and threat modeling.
How

Penetration testing to uncover vulnerabilities not prevented or detected earlier comes in various forms:

  • Black Box with no prior knowledge,
  • Grey Box with some knowledge about the architecture and tech stack, and
  • White Box with full knowledge usually including source code access.

For structured methodologies, refer to the OWASP Testing Guide for comprehensive insights. Also, it’s important to establish a feedback loop from the findings to understand the root causes and adjust internal practices accordingly, preventing future regressions.

EffortHigh: Due to the need for specialized skills and the comprehensive nature of the tests. External penetration tests are periodic but crucial for uncovering vulnerabilities that internal measures might miss.
DevSecOpsSomewhat: Integrating DAST tools into CI/CD pipelines offers a step towards automation by simulating external attacks on live applications, although it doesn’t encompass the full scope of manual penetration testing. Insights from both DAST and manual tests should inform and enhance DevSecOps practices to preemptively address potential vulnerabilities.
Cloud

Use approved methods and tools to test the security of cloud-hosted applications and infrastructure from an external perspective, identifying vulnerabilities that could be exploited by attackers. Coordinate with cloud providers to comply with their penetration testing policies and procedures:

 
 
9.Secure Authentication & Authorization
WhyFocusing on robust authentication and authorization mechanisms is crucial and requires the secure foundation established by earlier steps to be effectively implemented.
How

Enhance your application’s security by elevating Authentication and Authorization mechanisms. Implement Multi-Factor Authentication (MFA), enforce strong password policies, and apply the principle of Least Privilege across all access points. Utilize trusted authentication providers and protocols to ensure robust security. In Microservice architectures, adopt a Zero Trust approach by propagating tokens inside the backend (using a Service Mesh might help here), thereby decentralizing authorization and making it harder for attackers to move laterally within the system.

This strategy integrates advanced security practices into your application’s authentication and authorization layers, significantly reducing the likelihood of unauthorized access and enhancing overall security posture.

EffortHigh: Implementing advanced authentication mechanisms like MFA and integrating Zero Trust architecture requires a significant initial setup and ongoing management to ensure compliance and effectiveness.
DevSecOpsSomewhat: To effectively integrate authentication and authorization into DevSecOps, consider automating authorization testing as recommended by OWASP. Utilize the guidelines in the Authorization Testing Automation Cheat Sheet to ensure that authorization mechanisms are consistently validated throughout the development lifecycle, enhancing security and compliance with minimal manual effort.
Cloud

Implement cloud-native identity and access management (IAM) services to manage user identities, permissions, and access controls. Utilize multi-factor authentication, role-based access control, and least privilege principles to secure access to cloud resources:

  • For AWS, AWS IAM allows you to set up and manage permissions in a granular manner. For enabling MFA for end users in AWS, refer to the Amazon Cognito documentation.
  • For Azure, Entra AD offers comprehensive identity and access management, both in the cloud and on-premises. For enabling MFA for end users in AWS, refer to the Entra AD B2C documentation.
This step is positioned later due to the potentially high effort required to enhance authentication and authorization mechanisms, particularly in complex, large-scale, or legacy systems. This step can be more resource-intensive and challenging to implement across grown architectures. However, if your architecture is simpler or currently under development, prioritizing this step earlier could be more feasible and impactful. 
 
 
10.Encryption of Sensitive Data
Why

Encrypting sensitive data is crucial not only for ensuring privacy and security but also for complying with data protection regulations like GDPR and CCPA. Following the principles of privacy-by-design, encryption should be integrated after secure authentication and authorization frameworks are established to provide a comprehensive security posture.

As Amazon CTO Werner Vogels famously said: “Dance like nobody’s watching, encrypt like everyone is.” This emphasizes the need to assume that external scrutiny is constant, underscoring the importance of rigorous data protection practices.

How

Implement encryption effectively by distinguishing between in-transit and at-rest requirements:

  • For in-transit data, secure all forms of communication, not just HTTPS traffic, by implementing protocols like TLS for JDBC and other messaging protocols.
  • For data at-rest, focus on employing strong encryption standards and robust key management practices. This involves not only choosing the right encryption algorithms but also ensuring the secure generation, storage, and handling of encryption keys to prevent unauthorized access.
EffortMedium to High: Implementing effective encryption strategies involves setting up protocols for both data in transit and at rest, alongside managing encryption keys securely. The effort includes both technical implementation and ongoing management to ensure compliance and maintain security.
DevSecOpsSomewhat: Encryption practices should be integrated into DevSecOps by automating key management and renewal processes, and by ensuring encryption standards are maintained throughout the software development lifecycle.
Cloud

Employ cloud services for data encryption, both at rest and in transit, using the cloud provider’s built-in encryption capabilities. Ensure proper key management practices, possibly using the cloud provider’s key management service, to secure encryption keys.

This step is positioned later in the process because implementing encryption across large or legacy architectures often requires considerable effort and can be resource-intensive. This makes it a more challenging step for established systems. However, if your system architecture is straightforward or currently in the developmental phase, integrating encryption earlier might be more manageable and beneficial. 
 
 
11.Security Monitoring & Incident Response Plan
WhyImplementing Security Information and Event Management (SIEM) systems and developing incident response plans are complex but essential steps for identifying and responding to security incidents efficiently.
How

Implement a Security Information and Event Management (SIEM) system to gain real-time insights into your application’s security posture. Additionally, integrating OSSEC can enhance host-based intrusion detection by monitoring parameters such as log files, file integrity, and rootkit detection. This allows for swift detection and response to threats. Utilize open-source tools like ELK Stack (Elasticsearch, Logstash, Kibana) for logging and monitoring.

Develop a robust Incident Response Plan to effectively manage and mitigate the impacts of security incidents, ensuring continuity and maintaining trust. Refer to the NIST Incident Response Guide for structured approaches. Remember to include post-mortem root-cause analysis to learn from incidents and improve security practices as a feedback loop to the aforementioned steps.

EffortHigh: Setting up a SIEM system and developing an Incident Response Plan require significant investment in terms of both time and expertise. Initial configuration, integrating various tools like OSSEC with the ELK Stack, and ensuring all components are working cohesively are complex tasks. Regular updates and training are also necessary to maintain efficacy.
DevSecOpsNo: Direct integration of SIEM into DevSecOps CI/CD pipelines is not typically feasible, as SIEM functions primarily focus on security monitoring and incident management within live production environments.
Cloud

Develop an incident response plan that leverages cloud services for rapid response and recovery, and ensure it’s regularly tested and updated. Adopt cloud-based SIEM solutions that offer integrated logging, monitoring, and real-time analysis of security alerts:

  • For AWS, refer to AWS Security Hub as well as AWS GuardDuty for intelligent threat detection.
  • For Azure, Azure Sentinel provides extensive SIEM capabilities, offering integrated threat intelligence, real-time analysis, and rapid response.
 
 
12.Security Metrics & Key Performance Indicators
WhyFinally, establishing metrics and Key Performance Indicators (KPIs) for ongoing monitoring and improvement of security practices is a strategic way to close the loop, ensuring continuous assessment and enhancement of the security posture.
How

Implement metrics that highlight areas needing attention and track improvements over time. Dashboards should be utilized to make security metrics visible to project managers, emphasizing the importance of security within project KPIs. Tools like OWASP Defect Dojo can be used for tracking lower-level security issues, but it’s crucial to also aggregate these findings into higher-level metrics that can be visualized and monitored in broader management tools. This approach not only highlights vulnerabilities but also supports proactive security management by making (in)security a visible and quantifiable aspect of project performance.

It’s crucial to develop KPIs from security metrics (such as findings from SCA, SAST, DAST, Penetration Tests, and Threat Modeling) that incorporate the time factor to monitor improvements or persistence of vulnerabilities over time. Metrics like the Average Time of Exposure of high-risk findings in production environments are especially valuable, as they provide clear indicators of how quickly security issues are being addressed and resolved.

EffortMedium to High: Establishing and maintaining security metrics and KPIs requires a significant upfront effort to define the right metrics, integrate data collection tools, and set up dashboards. Once established, the ongoing effort required to analyze and update these key figures based on current data is reduced with automation of tools.
DevSecOpsYes: Integrating security metrics and KPIs into DevSecOps involves incorporating automated scanners and tools to continuously track and report on these metrics throughout the CI/CD pipeline.
Cloud

Use cloud monitoring and management tools to track security metrics and KPIs. These should include measures of compliance with security policies, incident response times, effectiveness of security controls, and user access and activity monitoring:

  • For AWS, CloudWatch provides detailed monitoring and analytics.
  • For Azure, Azure Monitor is key for tracking security metrics and KPIs.
Defining and integrating metrics and KPIs into an organization's processes is a complex challenge, which I will explore in depth in my upcoming article on Process & Organization aspects. 
 
 

Does the sequence matter?

The journey towards a Secure SDLC doesn’t require a simultaneous overhaul but a strategic, step-by-step approach. Each organization’s unique context, risk profile, and resource availability can influence the prioritization of these steps. However, for businesses operating with limited resources, progressing from step 1 to 12 provides a logical and efficient pathway:

Notably, the initial focus on Patch Management of Software & Dependencies, coupled with the Hardening of Infrastructure & Configuration, is strategically designed to mitigate the risk of the most common and easily exploitable vulnerabilities. These initial steps are crucial in defending against automated, untargeted attacks perpetrated by threat actors using automated exploit kits, effectively targeting the “lowest-hanging fruits” among potential vulnerabilities.

This approach not only prioritizes immediate defenses against prevalent risks but also sets a solid foundation for advancing through the subsequent leverage points with a progressively fortified posture.

Looking Ahead

In embracing these initial steps, companies can not only elevate their security but also lay a foundational culture of security that permeates every aspect of the development lifecycle. For those seeking to navigate these waters with expert guidance, services such as Secure Software Development Training, DevSecOps Coaching, and Agile Threat Modeling offer a beacon, ensuring that your journey towards secure software development is both strategic and seamless.

Process and Organizational Aspects

While the above presented twelve technical adjustments can significantly enhance your security posture, they represent just one facet of a comprehensive security strategy. The more layered organizational and process-oriented enhancements will be the subject of a forthcoming article, providing a holistic roadmap to a mature, robust Secure SDLC.

Vendor Partnerships and Their Unique Challenges

Addressing vendor-related security within the software ecosystem necessitates a nuanced approach to the presented twelve steps, particularly when considering the diversity of vendor relationships:

  • Custom Development Vendors who program specifically for your needs and deliver the source code.
  • On-Premise Software Vendors supplying built software for deployment within your own infrastructure.
  • SaaS Providers offering solutions hosted on their platforms, accessible over the internet.

Each type of vendor engagement introduces distinct security considerations, from scrutinizing the delivered source code of custom development partners to ensuring the secure configuration and ongoing maintenance of on-premise solutions, and evaluating the data handling and storage practices of SaaS providers.

Given the intricacies and the importance of securing each touchpoint, a focused examination of Vendor Application Security Testing (VAST) becomes indispensable. In an upcoming installment dedicated to this topic, I’ll explore effective strategies to fortify your security posture against potential vulnerabilities introduced through third-party engagements.

Upcoming Articles

Stay tuned for my upcoming installments, where we’ll look deeper into the organizational and process-wise enhancements that further solidify your Secure SDLC as well as explore Vendor-related topics with VAST.

Subscribe to my newsletter below to ensure you’re first to be notified of my follow-up articles.

Web Security Bootcamp
Join my upcoming two-day online training event:
20. – 21. February 2025 (click here to see details)