It’s amazing to think that just 20 years ago we thought of smart devices as a dream on the horizon, and today, everything from smartphones and watches to refrigerators and even doors have CPUs and share information over the network. But hey, we live in the world of the Internet of Things, so you might as well get used to it.
This level of interconnectivity has transformed our lives, in many ways for the better and some for the worse. One of the new challenges of the digital world is that connectivity can be exploited and information or systems that are meant to be private can be hijacked or stolen. You could say that for every door in our network there is a backdoor waiting to be found.
To be fair, hacking is not particularly new, and people finding bugs that can be exploited is a practice as old as the first computer.
But it is undeniable that there has been an increase in computer crime. One of the first studies on the subject predicted that by 2025 cybercrime would account for more than $10 trillion in losses worldwide, and so far the prediction has been too close for comfort.
Furthermore, with the rise in popularity of remote work, businesses must rely on connectivity to remain competitive in today’s marketplace. As such, it is paramount that their information and systems are protected from intrusion, and that is where security by design comes into play.
Two Approaches To Cybersecurity
Imagine someone breaks into your home and steals some valuables in the middle of the night. The next day you realize that someone picked the lock on your front door, so you decide to hire a locksmith to reinforce it with a stronger lock.
In this scenario, your awareness of your security is triggered by the fact that someone exploited a vulnerability in your security system. Up to this point, your door has been perfectly serviceable, so there was no reason to doubt its effectiveness.
Now, swap your house for one of your company’s systems, the lock for a security protocol and the locksmith for a cybersecurity consultant and you have what we call “reactive cybersecurity” on your hands.
It’s reactive in the sense that any changes you make to your system are made in response to an attack by an external agent. This is what commonly happens when a company becomes aware that there has been a data leak because it finds evidence of its databases posted on the web.
In contrast, proactive cybersecurity is the philosophy that security should be front and center in your development process, and that an important part of your project testing is to try to find vulnerabilities and exploits that could lead to security breaches.
No matter how thorough you are when creating software, there is always a chance that an exploit will be found in the future. It could be anything: an incorrect line of code, a slip in the architecture, a bug in an imported library or a backdoor in the original code, such as what happened with PHP.net.
In other words, no amount of proactive security will guarantee a bulletproof product, but it is undeniable that having a good security methodology will minimize the risks considerably.
Designing for Security
Security by design is an approach to software development that integrates cybersecurity best practices throughout the development lifecycle. It is proactive cybersecurity at its finest, embracing the idea that designing and updating your security systems is a never-ending process.
At the heart of this approach is the idea of continuous development. It implies that with each step of the development process, new systems are implemented and old systems are continually tested. Like agile, you want to fail hard and fail fast. The sooner an exploit is found, the faster it can be patched.
If the idea is to minimize bugs that compromise your security, then you need a set of guidelines and practices that help developers avoid those bugs and find them when you inevitably miss one. Here are some examples of how to adopt security by design:
- Trusted technology used: it’s hard to resist the temptation to use the latest trend for our development process, but there’s a reason why banks and governments are extremely slow to upgrade their systems: they rely on trusted technology that has stood the test of time.
“Trusted” doesn’t necessarily mean old, mind you. The longer something is on the market and the more popular it is, the more likely it is to attract the attention of cybercriminals. In this sense, by trusted we mean technology that has been tried and true, whose owners are open about their security practices and that your team knows inside out.
- Train your team: A team of developers who are aware of the threats and exploits found in similar projects will be more careful when creating software. In addition, many developers who are creative and very talented lack knowledge of security practices. As such, teaching them strategies such as the OWASP SbD principles is a win-win for them as professionals and for your business.
- Privacy front and center: GDPR changed the landscape of software development and has brought a more conscious approach to handling personal data. A best practice is to start from the idea that personal data is private and build your security around that notion.
Create security controls for accessing and sharing personal data, make sure the database is as isolated as possible, and keep access to a minimum.
- AI and manual checks: perform routine checks on your code, testing for potential vulnerabilities. There are excellent tools that can check code for bugs and exploits. Another approach is to have both internal testers and security consultants review the project to try to find potential security risks.
- Good design practices: spaghetti code, legacy technology and technical debt make projects more difficult to maintain and patch when a security breach is detected. Keeping your project clean and organized helps developers detect potential threats and fix vulnerabilities found in the future.
Why do you need security by design?
Patching a security risk is much easier and cheaper under controlled conditions when your development team can take the time to test different solutions and adjust them as needed until they are satisfied. Quite a different environment than when the team has to hastily fix a breach that may compromise your data and incur losses.
It is also easier to implement security controls and protocols on the fly than to wait until the end of development and then have to retroactively change code when a risk is found. In the end, security by design leads to faster design times and more robust solutions, which is one of the best ways we have to address cyber threats today.