Sunday, August 30, 2020

Secure Software Development Architecture

Innovative Solutions for Enterprise Software Development

Licensed to Jack Harris by CC


Secure Software Development and Future Risk: Strategic View

The complexity of information systems and the sophistication of cyber adversaries have created the need for cost-effective solutions to secure the organization’s digital assets (Harris, 2020).  A somewhat simplistic statement might be “if the mitigation of risk costs more than the potential loss, it is not a solution” (Stewart et al., 2013).  Before accepting a “do nothing” approach to a given risk factor, organizations must take a critical look at the cost-effectiveness and efficacy of their secure software development strategy, and the comparison is only as good as the loss estimate behind it: breach response, downtime, and regulatory exposure belong on the loss side, not just the direct cost of the control.

Architecture Planning

Software is developed to support specific business needs.  The importance of balancing innovation, security, and functionality against the organization’s strategic objectives cannot be overstated.  Five key characteristics must be weighed:

·        Scalability

·        Security

·        Interconnectivity

·        Performance

·        Cost

In large organizations, digital assets consist of a wide array of software and physical systems, most often including cloud-based services, hybrid infrastructure, and both internally developed and third-party software (Span et al., 2018).  Innovative processes and systems have added complexity to information security, and the velocity, volume, and variety of data compound it; organizations must therefore change their culture and focus so that security is a priority.  The mission of secure software development is to deliver quality software in a secure, expedient, interoperable, and cost-effective manner.

Security + Development + Operation = DevSecOps

If your organization has embraced DevOps, transitioning to DevSecOps will be a cultural shift, but the benefits are worth the effort (Jeganathan, 2019).  In DevOps, the goal is to deliver the product through continuous integration (CI) and continuous delivery (CD).  Security can hinder the CI/CD model if it is bolted on at the end rather than integrated with DevOps.  The goal of DevSecOps is to deliver secure software at the speed DevOps already enjoys, by moving controls such as static analysis, dependency checks, and secrets scanning into the same automated pipeline that builds and tests the code, so that a failed security check stops a build the same way a failed unit test does.  Figure 1 is a conceptual model of DevSecOps.


Figure 1: DevSecOps Conceptual Model

OWASP Top Ten, SANS 25, and Threat Intelligence

Secure software development practices increase project costs and require more resources, but they can be far less expensive than a data breach (Harris, 2020).  Strategies for proactive security include threat assessments, baked-in security, and repeated testing.  CxSAST (Checkmarx Static Application Security Testing) is a source code analyzer that scans for the vulnerability classes in the OWASP Top 10 and the CWE/SANS Top 25 (SAMATE, 2016).  CxSAST also checks for compliance with government regulations and industry standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Motor Industry Software Reliability Association (MISRA) coding guidelines, and the Payment Card Industry Data Security Standard (PCI DSS).  The scans include customizable queries, and the software is reported to have a low false-positive rate; even so, every static analyzer produces some false positives, so findings need triage, and any suppressed finding should be recorded with a written justification rather than silently dropped.  Before applications are placed into production, they are deployed to a staging platform for final vulnerability scans.
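The script below is an added example of the pipeline gate described in the DevSecOps section and of how the OWASP Top 10 / CWE/SANS Top 25 findings from a scanner such as the one above are turned into a build decision. It is not code from this post, from Checkmarx, or from any scanner; the report format, the CWE subsets, the allowlist and the fingerprints are constructed assumptions for illustration. It parses a simplified SAST report, skips findings that were triaged with a written justification, and fails the build on any remaining finding at or above a severity threshold that falls in either top list.

```python
"""Constructed CI security gate over a simplified SAST report (added example,
not code from the original post or from any scanner vendor)."""
import json
import sys
from dataclasses import dataclass

# Illustrative subsets only; a real gate loads the full, current lists.
SANS25_CWES = {20, 22, 78, 79, 89, 287, 502, 798, 862}           # CWE/SANS Top 25 subset
OWASP_TOP10_CWES = {                                             # OWASP Top 10 (2017) subset
    79: "A7 Cross-Site Scripting", 89: "A1 Injection", 78: "A1 Injection",
    22: "A5 Broken Access Control", 287: "A2 Broken Authentication",
    502: "A8 Insecure Deserialization", 798: "A2 Broken Authentication",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output; the shape is an assumption for this example.
SAMPLE_REPORT = json.dumps({"findings": [
    {"cwe": 89, "severity": "High", "path": "app/orders.py", "line": 42, "fingerprint": "f1"},
    {"cwe": 79, "severity": "Medium", "path": "app/views.py", "line": 17, "fingerprint": "f2"},
    {"cwe": 502, "severity": "High", "path": "app/cache.py", "line": 88, "fingerprint": "f3"},
    {"cwe": 1004, "severity": "High", "path": "app/session.py", "line": 9, "fingerprint": "f4"},
]})
# Triage decisions keyed by the scanner's stable fingerprint, each with a reason.
# An entry with an empty reason is deliberately not honoured.
SAMPLE_ALLOWLIST = {"f3": "pickle input is a signed internal artefact, reviewed 2020-08"}


@dataclass(frozen=True)
class Finding:
    cwe: int
    severity: str
    path: str
    line: int
    fingerprint: str


def parse_report(raw: str) -> list[Finding]:
    """Parse the constructed report format into Finding objects."""
    return [Finding(f["cwe"], f["severity"].lower(), f["path"], f["line"], f["fingerprint"])
            for f in json.loads(raw)["findings"]]


def gate(findings: list[Finding], allowlist: dict[str, str], fail_on: str = "high"):
    """Return (passed, blocking): blocking holds findings that fail the build, i.e.
    not allowlisted, on either top list, and at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for f in findings:
        if allowlist.get(f.fingerprint):          # triaged false positive or accepted risk
            continue
        on_top_list = f.cwe in SANS25_CWES or f.cwe in OWASP_TOP10_CWES
        if on_top_list and SEVERITY_RANK.get(f.severity, 0) >= threshold:
            blocking.append(f)
    return not blocking, blocking


def main() -> int:
    """Exit non-zero so the CI job fails when the gate does not pass."""
    passed, blocking = gate(parse_report(SAMPLE_REPORT), SAMPLE_ALLOWLIST)
    for f in blocking:
        label = OWASP_TOP10_CWES.get(f.cwe, "CWE/SANS Top 25")
        print(f"BLOCK {f.path}:{f.line} CWE-{f.cwe} ({label}) severity={f.severity}")
    print("gate passed" if passed else "gate failed")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

With the sample data the SQL injection finding blocks the build, the medium XSS is reported by the scanner but sits below the threshold, the deserialization finding is skipped because it carries a justified triage entry, and the finding outside both lists is ignored by this gate. Keying the allowlist on the scanner's fingerprint rather than on file and line keeps triage decisions valid when unrelated edits shift line numbers.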

If the threat landscape never changed, risk assessment would be a static process.  In addition to known cyber threats, new vulnerabilities are discovered nearly every day (Hazeyama et al., 2019; Sipper, 2020).  A purely reactive approach therefore creates a conundrum and lacks the robustness needed to protect digital assets.  Limited information technology (IT) budgets, unknown vulnerabilities, and increasingly complex attack surfaces restrict the adoption of innovative processes to protect data and reduce risk (Last, 2015).

Threat intelligence plays a vital role in preventing unauthorized access (Harris, 2020).  Cyber intelligence analysts identify potential threats and the organization’s risk exposure.  As an organization grows or its industry changes, it may receive unwanted attention from threat actors.  Threat intelligence includes technical research to watch trends, monitoring of malware repositories on the dark web and deep web, and analysis aimed at predicting future activity.  Unfortunately, advanced cyber threat intelligence is expensive, and many organizations lack adequate budgets to implement it in-house.  Given that cost, many organizations outsource threat intelligence to third-party vendors.  These services typically offer data feeds and Application Programming Interfaces (APIs) and can reduce the cost of threat intelligence considerably; the value of a feed still depends on the consumer expiring stale indicators and weighting them by confidence, otherwise the feed mainly generates false positives.
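The feed consumer below is an added example (not code from this post or from any threat-intelligence vendor) of what an outsourced feed is used for once it reaches the organization: it loads a constructed JSON indicator feed, discards indicators that are expired or below a confidence floor, and matches the remainder against constructed Apache-style access log lines. The feed layout, the indicator fields, the log lines and the evaluation time `NOW` are assumptions for the example; real feeds are typically STIX/TAXII or a vendor-specific API.

```python
"""Added example: consume a threat-intelligence indicator feed and match it
against web access logs. Not code from the original post or from any vendor;
the feed format, the log lines and NOW are constructed for the example."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed feed in a simplified JSON shape (an assumption for this example).
SAMPLE_FEED = json.dumps({"indicators": [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "valid_until": "2020-12-31T00:00:00Z", "tag": "scanner"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 40,
     "valid_until": "2020-01-01T00:00:00Z", "tag": "stale-scanner"},
    {"type": "domain", "value": "evil.example", "confidence": 80,
     "valid_until": "2021-06-30T00:00:00Z", "tag": "c2"},
    {"type": "user_agent", "value": "sqlmap", "confidence": 95,
     "valid_until": "2021-06-30T00:00:00Z", "tag": "attack-tool"},
]})

# Constructed Apache combined-format access log lines.
SAMPLE_LOGS = [
    '203.0.113.45 - - [30/Aug/2020:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Aug/2020:10:01:05 +0000] "GET /api/items?id=1 HTTP/1.1" 200 734 "-" "sqlmap/1.4"',
    '198.51.100.7 - - [30/Aug/2020:10:01:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.68"',
    '192.0.2.11 - - [30/Aug/2020:10:01:09 +0000] "GET /redirect?to=http://evil.example/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Evaluation time for the example; the feed's expiry dates are judged against it.
NOW = datetime(2020, 8, 30, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
HOST_RE = re.compile(r'https?://([^/\s:?#]+)', re.IGNORECASE)


def load_indicators(raw: str, now: datetime, min_confidence: int = 50) -> list[dict]:
    """Keep only unexpired indicators at or above the confidence floor.
    Stale and low-confidence indicators are the main source of IOC false positives."""
    kept = []
    for ind in json.loads(raw)["indicators"]:
        valid_until = datetime.fromisoformat(ind["valid_until"].replace("Z", "+00:00"))
        if valid_until > now and ind["confidence"] >= min_confidence:
            kept.append(ind)
    return kept


def parse_log_line(line: str) -> Optional[dict]:
    """Split a combined-format line into fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_logs(lines: list[str], indicators: list[dict]) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator_value, tag) for every indicator hit.
    Domains are compared against parsed URL hosts (exact or parent domain), not by
    raw substring, so 'evil.example' does not fire on 'notevil.example'."""
    hits = []
    for n, line in enumerate(lines, start=1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        hosts = {h.lower() for h in HOST_RE.findall(rec["req"])}
        for ind in indicators:
            kind, value = ind["type"], ind["value"].lower()
            matched = (
                (kind == "ipv4" and rec["ip"] == value)
                or (kind == "domain" and any(h == value or h.endswith("." + value) for h in hosts))
                or (kind == "user_agent" and value in rec["ua"].lower())
            )
            if matched:
                hits.append((n, ind["value"], ind["tag"]))
    return hits


if __name__ == "__main__":
    active = load_indicators(SAMPLE_FEED, NOW)
    for n, value, tag in match_logs(SAMPLE_LOGS, active):
        print(f"line {n}: matched {value} [{tag}]")
```

On the sample data the expired, low-confidence address 198.51.100.7 is dropped before matching, so the third log line produces no alert even though the raw feed lists that address; the other three lines each match one active indicator. The same expiry and confidence filtering is what keeps a purchased feed from flooding the SOC with hits on infrastructure that was reassigned months ago.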


References


Harris, J. (2020). Proactive defense against future threats. Northcentral University.

Hazeyama, A., Miyahara, H., Tanaka, T., Washizaki, H., Kaiya, H., Okubo, T., & Yoshioka, N. (2019). A system for seamless support from security requirements analysis to security design using a software security knowledge base. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 134–140. https://doi.org/10.1109/REW.2019.00029

Jeganathan, S. (2019). DevSecOps- a systemic approach for secure software development. ISSA Journal, 17(11), 20–27.

Last, D. (2015). Using historical software vulnerability data to forecast future vulnerabilities. 2015 Resilience Week (RWS), 1–7. https://doi.org/10.1109/RWEEK.2015.7287429

SAMATE. (2016). Source Code Security Analyzers—SAMATE. https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

Sipper, J. A. (2020). Cyber threat intelligence and the cyber meta-reality and cyber microbiome. 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1–5. https://doi.org/10.1109/CyberSecurity49315.2020.9138858

Span, M. T., Mailloux, L. O., Grimaila, M. R., & Young, W. B. (2018). A systems security approach for requirements analysis of complex cyber-physical systems. 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1–8. https://doi.org/10.1109/CyberSecPODS.2018.8560682

Stewart, J. M., Chapple, M., & Gibson, D. (2013). CISSP Study Guide (7th ed.). John Wiley and Sons, Inc.


