Whether it is personal banking, completing our tax returns, controlling the heating system in our homes or running our personal lives, we are all dependent on software applications. Consequently, the impact of a security breach ranges from the inconvenient to the positively damaging.
The challenges people are facing
People in start-ups, corporate organisations and vendor organisations are responsible for ensuring that these software applications are security hardened and remain secure throughout their lifetime.
They face this challenge against a backdrop of increasing complexity and velocity: competitive pressure to reduce time to market, pressure to create richer and more interactive user experiences, constantly changing tools and techniques, and an ever-changing web infrastructure that is exposed to threats from people with good and bad intentions.
How can we overcome these threats?
We need to adopt a security-first mindset that places security front, right, left and centre of everything that we do at an individual, team and organisational level.
Responsibility of Product Teams
Product Team members must take ownership of security and understand the part that they have to play, within the limits of their role and beyond. That could be a user interface (UI) designer considering the security implications of a feature, a developer applying the principle of least authority to user authentication or crafting a minimal query on a dataset, or an architect working on a strategic product vision.
Security-first can drive innovation
We should not view security-first as a constraint; on the contrary, we should be liberated by it. There should be no trade-off between usability and placing security first. Security-first represents an opportunity to seek complementary solutions, e.g. using biometric recognition for authentication.
Bootstrapping the CISO role and department
The CISO and the security department or groups must move beyond the compliance model and support the rest of the organisation in reaching a security-first perspective, through training, awareness and continuous vigilance. We need to move from a generic sense of application vulnerabilities to a specific, real-time assessment of an application's vulnerabilities.
Interdisciplinary teams over multi-disciplinary teams
We need to move away from multi-disciplinary teams (people from different disciplines working alongside each other) to interdisciplinary teams, in which people integrate knowledge and methods from different disciplines in a real synthesis of approaches.
Privacy and security are inextricably linked
Given that 84% of security breaches occur as a result of social engineering, we should accept that security and privacy are inextricably linked. We must invest time in updating people's awareness of the latest patterns and threats. We must also keep up with new developments such as Differential Privacy, a product of big data, whose associated techniques ensure that large datasets can be queried without compromising an individual's privacy. That is to say, we need to allocate time for people to assimilate new tools and patterns and to understand where to apply them within a security-first context.
Business as usual is a nonsense
We need to move away from the traditional product development cycle, with its implication that products are developed, deployed and then transferred to a Business As Usual (BAU) support team that does occasional updates and bug fixes.
Commercial managers need to recognise the challenge
Commercial sponsors need to embrace mature Total Cost of Ownership (TCO) models that address the total lifetime of a product, so that the costs of a security breach never have to be factored in.
We can meet the challenge by adopting a security-first approach
Organisations are under significant pressure to build applications that are secure and remain secure throughout their lifetime. This challenge can be met if we adopt a security-first approach. In practice, this means some realignment of focus, education and awareness across all roles within an organisation.