Celebrating CyberResilience Week and today's CBI Cyber Security Conference we have pulled together a short series of tips to help non-technical specialists start thinking about the issues of cyber security in their software development projects.
1. When scoping new software, remember to consider the potential for malicious attack
At the outset of any new software product development, enthusiasm can sometimes lead teams to forget about the downsides of their exciting new product. Even simple web features like enquiry forms and file upload facilities can be fraught with security challenges, so remember to take time, for each new feature you think about adding, to consider the potential it creates for malicious attack (“increasing the attack surface”) and to think of ways you could address the risks.
2. When specifying new software, don't forget to include your CyberSecurity requirements
Once the project is ready to specify the detailed functionality you need (in Agile development methodologies this stage is usually documented as Features, Epics and User Stories), it is easy to focus on the user requirements and to forget about non-functional requirements (NFRs) such as resilience, performance, privacy and security. Defining appropriate NFRs is a critical step for ensuring that your development team remember to implement the appropriate measures in their code and software architectures.
3. Talk to your software or web developer about how they build resilience
Once your software is running, your user teams will be responsible day-to-day for running and using the software. So it’s important that users understand the cybersecurity measures that are being implemented and why they are important. A classic and simple example: you spent time and money to carefully create a web-based service that obscures team email addresses in an effort to reduce phishing attacks. Then in a well-intentioned content marketing initiative, the Finance Director’s email address is published as a key contact. Educating your users will help to minimise issues like these.
4. Building for cloud isn't more (or less) secure, but it does need different thinking
Cloud-based software development takes advantage of different architectures to build software that works at scale. This can make implementing security more complex but the end result can be at least as, if not more, secure than an on-premise solution. Cloud platforms such as AWS talk openly about a shared responsibility model and the difference between security IN the cloud and the security OF the cloud. Different thinking, and therefore different skills, may be required from a “traditional” development approach.
5. When acceptance testing new software, test its resilience too, not just features
When your developer hands over code for acceptance testing, remember to consider not just the user functionality but also the resilience, security and privacy features you need. Even testing with a few basic SQL injection tests (see here for a basic primer on this) would be better than ignoring the issue completely. For larger projects you should probably consider specialist testing resources.
6. Post go-live, remember your new Software needs love & care to maintain resilience
“The world keeps turning” and even though you’ve not updated your software, the third-party components your software relies on have probably been updated for performance and security reasons, and what’s more, the techniques used by the bad guys will also be developing over time. When you build your own software, you also need to remember that you have responsibility for maintaining that software over time to ensure that it continues to deliver the business value expected from it.
And a bonus:
7. Remember security for domain registrations and DNS
DNS security is a complex and technical issue, but at a more mundane level, it’s essential to remember to adequately secure your portfolio of domain registrations and access to the “control panels” that let you manage them. Some of the most basic phishing attempts are domain-related! Despite the (typically) insignificant financial value of domain registrations and renewal transactions, domains underpin almost every aspect of your online presence, and need to be managed with care. This is about more than intellectual property: it stretches to the world of cybersecurity and resilience. The starting point is to make sure your domain portfolio is known and documented, and you know who you should be contacting (or who you should be contacted by) when there is a query.
We hope you enjoyed our tips and found them useful. For more information please contact Cameron Leask on 0131 225 8199 or by email at email@example.com.
Cameron Leask is the Managing Director of Escrivo. With over 20 years of professional experience as a Chartered Accountant and Digital Business advisor, Cameron’s skillset spans the worlds of business and technology. He has worked on an extensive range of ecommerce platforms, digital projects and business systems, and with organisations of every size from owner-managed businesses to global enterprises.