This is part of an ongoing series of posts in which we’ll dive into the complexities and challenges facing modern SaaS platforms. We’ll also look at how we can leverage modern cloud architecture to keep our software safe, secure, and accessible.
In this blog post, Benny Olsson, CTO at Norce, will talk about the concept of “Secure by Design,” highlighting the benefits of a proactive stance on security and why it’s crucial in today’s digital landscape.
As cyber threats grow ever more sophisticated, it’s more important than ever to adopt a shift-left approach to security and invest in proactive security measures. The concept of Secure by Design emphasizes exactly this: it makes security a first-class citizen throughout the entire software development lifecycle. Integrating security into your entire software development lifecycle is called the “Secure Software Development Lifecycle”, or S-SDLC for short. Secure by Design materializes in the S-SDLC as threat modeling, static analysis, and dedicated security testing.
Traditionally, security in web applications has often been more of an afterthought than something considered early in the design and development phases. It’s usually been the case that you design and implement a solution, and often even deploy it to your production environment, before you do any security-oriented testing. I use “testing” in its most liberal sense here, since what tends to happen is that someone runs some form of automated penetration testing instead of testing based on application context and known risks. It’s not uncommon for that type of late-stage testing to reveal fundamental issues in the implementation, in which case you must either spend a lot of time and resources on addressing the issue or simply accept the risk and let the issue remain as-is.
These are exactly the types of problems and wasteful use of resources that a proactive stance on software security aims to address.
The easiest way to catch fundamental issues early on is to leverage existing processes and tools for threat modeling, risk assessment, and risk analysis during the design and early development phases of your project. A good starting point is the STRIDE and DREAD threat modeling frameworks, both of which originate from Microsoft’s internal security work. They walk stakeholders and developers through a step-by-step process that allows individuals with minimal security experience to identify potential risks, and let the stakeholders prioritize those risks based on impact scoring.
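As an added example, not code from the post or from Norce: a small threat-register script that tags each entry with a STRIDE category, validates its five DREAD ratings, and ranks entries by mean score so stakeholders have a prioritized list to work from. The register, its ratings and the high/medium/low cut-offs are constructed for illustration; the 1 to 10 scale and the averaging follow the common DREAD convention.

```python
from dataclasses import dataclass
from statistics import mean

# STRIDE categories as named in the framework the post refers to.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# DREAD factors, each rated 1 (low) to 10 (high). Averaging the five into one
# score follows the common DREAD convention (an assumption of this example).
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str           # one letter from STRIDE
    ratings: tuple        # five ints 1..10, in DREAD order

    def dread_score(self) -> float:
        """Validate the entry and return the mean DREAD rating, rounded to 0.1."""
        if self.stride not in STRIDE or len(self.ratings) != len(DREAD):
            raise ValueError(f"incomplete threat entry: {self.name}")
        if any(not 1 <= r <= 10 for r in self.ratings):
            raise ValueError(f"rating out of range for {self.name}")
        return round(mean(self.ratings), 1)


def risk_band(score: float) -> str:
    """Bucket a DREAD score for stakeholder triage (cut-offs are assumed)."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def prioritize(threats):
    """(name, STRIDE category, score, band) tuples, highest risk first."""
    rows = [(t.name, STRIDE[t.stride], t.dread_score(),
             risk_band(t.dread_score())) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed register for a hypothetical checkout API; not from the post.
REGISTER = [
    Threat("Forged session token accepted at checkout", "S", (8, 6, 5, 9, 4)),
    Threat("Order log records no actor identity", "R", (3, 9, 2, 2, 3)),
    Threat("Unit price trusted from client request body", "T", (9, 10, 9, 10, 8)),
]

if __name__ == "__main__":
    for name, category, score, band in prioritize(REGISTER):
        print(f"{band:6} {score:4} {category:22} {name}")
```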
Catching fundamental security risks during the design phase allows you to take mitigating actions before any work is done on the implementation. It enhances security and reduces the risk taken on by your application with minimal effort. It’s also a considerably more cost-efficient way of working with security compared to an after-the-fact, reactive approach, since identifying and mitigating issues before any code is written can often be done with little or no added cost to the budget or timeline. Finally, taking a proactive stance on security helps you gain trust in your community and with your customers. Additionally, it can often help lower the threshold for compliance-related initiatives, be it for regulatory requirements or for certifications such as ISO 27001 or SOC 2.
Integrating security into your existing development lifecycle should be considered mandatory in today’s cyber threat landscape. Whatever your role may be – product manager, developer, software architect or CTO – it’s crucial that you adopt a proactive mindset regarding security. There are a lot of resources out there and it’s easy to get overwhelmed, but starting small with reachable goals and clearly defined scopes will get you a long way – especially if you’re just getting started.
What are your thoughts on today’s cyber threat landscape, and would you agree that it’s our collective responsibility to take actions wherever we can?
In the next blog post, we’ll look at how Norce approaches Secure by Design for Norce Commerce.