Sunday, April 3, 2022

How to build a culture of security with software security best practices


The application security landscape is constantly changing, and with the increased frequency of software application breaches in recent years, it's crucial that companies are able to protect their applications and software development life cycle from cyberattacks. In this blog post we'll discuss 8 essential web application security practices for software companies that have raised funding, or soon will!

Unless you were living under a rock, you probably heard that hackers stepped up their activity levels during COVID-19, ramping up the security implications for software development teams like yours.

While some big brands suffered security breaches, our experience tells us that the largest cohort to suffer at the hands of hackers were small to medium size companies, particularly those software companies that recently completed funding rounds.

Worryingly, most SME SaaS companies have no way of knowing if and when their current security controls have been breached. They have not set up mechanisms to receive alerts about security incidents, which leads to alarming stats like this:

[Image: Software security best-practices for SaaS companies]

These stats are not just great fodder for clickbait media, but they also point to the reason why so many software companies are completely blind to their application security risks.

The primary reason for this is that SME organisations simply don't put in place and enforce web app security best practices to the same level as their larger counterparts, and they suffer as a result.

You don't know what you don't know, and this is a problem in securing your software


What was most concerning to some of our SME clients was not so much knowing that a breach was around the corner, but that they had no way of figuring out whether and when they had been breached.

This unknown is especially worrying if you sell your cloud software or web application for others to use, particularly if you sell to enterprises.

This is because attackers see your application as an easy way to breach your enterprise customers, through what is commonly known as a "supply chain attack". 

Enterprises that you sell to are worried about supply chain attacks. Specifically, your enterprise customers are worried about their data and assets being leaked or stolen by hackers who gain access to your systems.

In order to protect what's theirs, your enterprise customers want to see not just a web app penetration test report, but a methodical and robust application security process that is founded on software security best practices.

Think of this new security assessment practice as an integral component of proving your "SaaS' enterprise-readiness" that also helps you implement software security best practices.

How can I improve software security?

The list of activities that you could undertake is literally endless. The Australian Cyber Security Centre publishes a set of standards that government departments are required to follow (whether they do or not is a completely different issue!) and it is a worthwhile read.

It includes common sense software security guidelines like:

  • Development, testing and production environments are segregated.
  • Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment.
  • Secure-by-design principles and secure programming practices are used as part of application development.
  • Web apps are robustly tested for security vulnerabilities by software developers, as well as independent parties, prior to their initial release and following any maintenance activities.
  • Security vulnerabilities identified in web apps are resolved by software developers (kinda obvious, no?!).

How to minimise the damage from a SaaS hacking attack

But you're here because you've just raised funding, or are about to raise funding. You know that malicious activity against your environments is going to increase. So you need something to level up your security posture and minimise the security risks of your SaaS, beyond just the bleeding obvious.

You need actionable steps that have improved the security posture for other fast-growing software companies, right?

So the first thing you need to do is change your mindset around software security: you will be breached, if you haven't already been, and it's your job to make the breach as minimally damaging as possible.

How?

Well, you're in luck! There is a simple and effective 8-step process that you can follow to ensure that your web application has high levels of security resilience, starting from your software development life cycle.

These 8 steps are part of our "building a culture of application security in your software development teams" program. You'll see that each step is designed to improve your and your development team's understanding of web application security best-practices, your security policies and, ultimately, your security posture.

So while you may get some benefit from practising any one of the 8 steps in isolation, you'll get the best bang for your buck by following the process from start to finish.

Step 1: Understand and document your cloud assets and their usage

Understand how your application interacts with cloud services, including those that you manage and operate yourself as well as the third-party vendors from whom you receive data on behalf of users or which store application assets such as customer information.

Documenting your usage will help to identify who has access to which resources, where vulnerabilities exist and whether these are adequately managed by your IAM policies.

This information is what you would record in a document akin to a software bill of materials.

The understanding you gain through this step will then form the foundation for improved and secure software development practices at both an organisational level and within your individual software development teams.

Best-practice security for your cloud assets becomes even more critical if you employ highly automated deployment pipelines using DevOps or CI/CD principles. This is because any security vulnerability in your pipelines can lead to much easier, faster and potentially unrecognisable downstream attacks.

Intelligence gathering is a critical application security best-practice as the first step, because it helps you achieve more in the steps that follow.

Want my team to help you secure your cloud assets?

Step 2: Apply data protection policies

Data protection policies are fundamental to application security as they provide a framework for data access and usage. They also form the basis of compliance with data privacy laws around the world like GDPR or CCPA.

Make sure you have clear procedures in place that govern how application developers, testers, analysts and other personnel can access your sensitive user information.

This is especially important if there is more than one team involved in coding or testing a web app or mobile app on its way through the software development lifecycle (SDLC). 

These procedures should be detailed so that everyone understands what level of privileges they will require when accessing such resources within your organisation's infrastructure, cloud environment or third-party SaaS product.

Step 3: Encrypt data in transit and at rest with your own keys

If your application is transmitting unencrypted personally identifiable information (PII) over the internet, it's a prime target for hackers because it's not following secure software development practices.

Remember, sensitive data is not limited to PII. Sensitive data, for the purposes of your security requirements, is anything that your users value and do not want unauthorised parties to see.

Do you want my team to perform a quick vulnerability assessment of your web app?

This step is necessary even if your web application collects only basic contact data and doesn't contain sensitive or private information. Any application that collects customer data should encrypt all of its traffic to ensure secure transmission. 

This means applying TLS 1.2 or 1.3 (the successors to SSL) on both sides of an application-server connection, with certificates issued by reputable certificate authorities so they're trusted by browsers and other clients.

Did you know that you can test your application's HTTP security headers and SSL configuration for free?

When encrypting data at rest, don't forget unstructured data stores such as AWS S3 buckets. We've found that engineering teams often forget to encrypt and secure S3 buckets, leaving their environments very vulnerable to attack.

In case you're still wondering: SSL is a start, but alone, without end-to-end encryption, it is not enough.
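As an added illustration of the transport-layer checks this step calls for (not code from the original post or from Cyber Chief), the following Python script audits a server's accepted TLS protocol versions and its HTTP security headers. The protocol list and header set below are constructed sample data standing in for what you would capture from your own application.

```python
import re

# Protocol versions the post treats as unacceptable vs. the ones it requires
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age


def audit_tls_protocols(enabled):
    """Return findings for the list of protocol versions a server accepts."""
    findings = []
    weak = sorted(set(enabled) & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(weak))
    if not set(enabled) & REQUIRED_PROTOCOLS:
        findings.append("neither TLS 1.2 nor TLS 1.3 is enabled")
    return findings


def audit_security_headers(headers):
    """Return findings for a dict of HTTP response headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed sample: a server that still accepts TLS 1.0 and sends sparse headers
SAMPLE_PROTOCOLS = ["TLSv1", "TLSv1.2"]
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for f in audit_tls_protocols(SAMPLE_PROTOCOLS) + audit_security_headers(SAMPLE_HEADERS):
        print("FINDING:", f)
```

Feed it the protocol list from an `openssl s_client` or scanner run and the headers from a real response to turn it into a pre-release gate in your pipeline.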

Step 4: Design and implement cloud data deletion policies

The application security practice of data deletion is often overlooked until it's too late, even though most software teams work very hard to comply with data storage and protection policies (see Step 2 above).

As a cloud software company building secure software development habits, you should be able to determine your own policies for how long you need certain types of application-generated data and then implement a software system or process to delete this data on an ongoing basis, as needed. 

As a software vendor that uses cloud storage services, you must implement guidelines to securely delete files from databases and S3 buckets after 45 days of application inactivity (or a length of time that is logical for your industry).

In fact, in order to comply with GDPR and CCPA you must offer your secure software application's users the ability to delete the data that you hold for them and about them. 

Step 5: Train your engineering and non-engineering teams on cloud security best-practices

Our cloud and DevOps audit service also provides application security training programs for your developers and non-developers. 

The program will cover a variety of topics, including web application development with secure coding practices (such as the OWASP guidelines), application deployment methods that maximise security, cloud application security best practices, storage encryption techniques, IoT device risk mitigation strategies, and more.

Remember, training in cloud security best-practices should not be a one-off exercise. To implement a truly secure process you must continuously train and offer skill/knowledge enhancement opportunities to your team.

Step 6: Implement dynamic vulnerability scanning

There are two types of automated vulnerability scanning: static (SAST) and dynamic (DAST). Contrary to popular belief they are NOT substitutes, and you actually need to use them together.

"If you have a choice of two things and can't decide, take both."
Gregory Corso

Static scans actually read your code to find known vulnerabilities, whereas dynamic vulnerability scanning tools conduct automated penetration tests on your running application, much like a hacker might.

Vulnerability scans or automated penetration tests should be conducted every time you push new code to any of your environments. Yes, ANY of your environments. 

After all, you don't want hackers injecting malicious code into your application through your staging environment just because you focused all your security activities on production, do you?

Most automated penetration testing tools are not user-friendly and most are not designed to be used by software development teams. Cyber Chief is a powerful, user-friendly automated penetration testing tool and provides secure software development teams with easy-to-understand, best-practice fixes for the vulnerabilities that it identifies - get your free trial here and see if it will help your team.

Step 7: Conduct at least 2 grey-box penetration tests every year

Penetration tests are not always cheap, but they are invaluable for doing a genuine deep dive into the security resilience of your application and cloud infrastructure.

If you only ship new code for your application a few times a year, one grey-box penetration test should suffice. 

But if you're like most growing cloud software companies and you're shipping code daily/weekly/fortnightly, you should seriously consider conducting at least two grey-box penetration tests annually. In this case a pentesting-as-a-service solution might be a more suitable option for you.

The reason for this is that your application and codebase are changing so quickly that your pen test results may quickly be invalidated if your penetration testing services company only conducts annual penetration tests.

Before you disregard this suggestion because you think penetration tests are too expensive, read this to find out how you can reduce your penetration testing costs for web and mobile apps.

Want my team to implement a turnkey application security structure for you?

Step 8: Become ISO 27001 and/or SOC 2 certified to signal your compliance with software security best practices

If your organisation really is looking to level up its cloud software security practices, then these certifications are a no-brainer. They really are the bedrock of secure software development processes that build trust.

As a business, you're not only compliant with the security standards set out in ISO 27001 and SOC 2, but also able to demonstrate trustworthiness from an auditing perspective.

ISO 27001 is recognised as providing reliable protection for your application against cyberattacks and vulnerabilities of all types (physical access, data theft or loss). ISO 27001 is almost the default security accreditation around the world, excluding North America.

SOC 2 certification, on the other hand, provides assurance that your organisation's management system has been assessed by an independent audit organisation for compliance with a recognised international code of best practice. SOC 2 certification is highly regarded if you predominantly do business in North America.

If you're going to implement step 7, then choose an external pen test partner who has helped other fast-growing cloud software companies pass their certifications with ISO 27001-compliant penetration tests and/or SOC 2-compliant penetration tests.

"Knowing is not enough; we must apply. Willing is not enough; we must do."
Johann Wolfgang von Goethe, German poet, playwright, novelist, scientist & statesman

These certifications are particularly crucial if you want enterprise customers to believe that you're selling secure software. Enterprise customers care a lot about software security, and these accreditations are a great way to prove that your cloud software company is enterprise-ready!

How should you implement these software security measures?

As a company that has just raised money or will soon be announcing a new funding round, you will automatically become a target for hackers who want a share of your company's newly inflated bank balance.

That's why it pays to secure software and your software development process before you announce.

If you want to protect your company's future growth, make application security a priority. Invest in implementing these 8 steps before raising money, or investors will walk away from the deal at the first sign that your application or cloud infrastructure is vulnerable to a cyber attack.

After all, your investors want you to spend their money on growth, not on paying hackers' ransoms because secure software wasn't a priority for their investees!


SaaS Brief