
Best Practices on Security and Governance in Software Development and Operation

21 Feb, 2023

Think of a famous shopping mall that you love to visit now and then. Recently you realized that it has become a thoroughfare, i.e., there are no checks and anyone can walk in without any security screening. Suddenly there is an attack, and now everyone inside the mall is at risk, whether a seller, a buyer, or just a person who has come to enjoy it. Visiting the mall has become a risky affair, and threats to life, property, and business are imminent.

Let me correlate this security aspect of a shopping mall with that of a software platform. Any platform has several consumers and producers, each holding sensitive information, and each participating in transactions. If the platform is attacked by malware, by a DDoS, or by any malicious agent who harvests sensitive information, the result is chaos along with loss of money. This in turn means a loss of trust in the platform and an eventual loss of business. Hence the requirement to regulate security and governance on any platform.

When I pursued my certification in MS Azure fundamentals, I noted that Microsoft had dedicated an entire section to Security and Governance. This illustrates how important it is to ensure that the two are under control.

Following is a list of practices that can be implemented to ensure that the software is secure:

Implementing a security framework: Frameworks like ISO 27001 and SOC 2 outline the policies, procedures, and controls that organizations must have in place to protect the information handled by the software, and the software itself.

Adopting DevSecOps: Writing code with the security of the end product in mind requires a shift in mindset from general DevOps practice, which primarily aims at accelerated integration and delivery.

Including security requirements as part of the backlog: Security requirements of the final product should be part of the product backlog so that developers have a sense of those requirements right from the start of development. Establishing this mindset is an important part of building a security culture within the team.

Threat modelling: Typically done during the design stage, threat modelling helps developers identify areas of vulnerability in a new application, product, or platform and make design decisions that counter those vulnerabilities. The further the process moves to the right (progresses) in the product/platform development life cycle, the more difficult and expensive it becomes to manage the issues found. Hence it is all the more important to identify threats at the start of the process.

Conducting regular security assessments and penetration testing: Implementing security frameworks as mentioned above is necessary, but it is equally important to ensure that the implemented controls are tested regularly, so that a weakness is found before it turns into an incident.

To test the systems, a penetration test can be used. Also called a pen test, it is an authorized simulated attack on a computer system to identify security vulnerabilities. It can also help build evaluation reports and remedial actions for the identified weaknesses. A major difference between threat modelling and a pentest is that the former helps identify design flaws while the latter identifies bugs in the system.

Implementing access controls: Access controls, such as authentication, authorization, and least privilege, help ensure that only authorized users can access the product/platform and its data. While authentication and authorization sound similar, there is a difference between the two. Authentication is the process of verifying that a user is who they claim to be, while authorization determines whether an (already authenticated) user may access a particular resource. E.g., in a residential society, authentication would mean establishing whether a person is a resident or not, while authorization would mean that the person is allowed to enter only his/her own home, not someone else’s.

The principle of least privilege (least access) means that the number of people with access, and the number of areas each of them can reach, must be kept to the minimum needed for the job, so that exposure to risk is also at a minimum.
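To make the residential-society analogy concrete, here is an added Go example (not code from the original post or from coMakeIT) that separates the three controls: authentication checks a password against a salted hash in constant time, authorization is a deny-by-default lookup of role permissions, and least privilege scopes a resident's "enter" right to their own unit. The user records, role names, and unit identifiers are constructed for the example; the salted SHA-256 stands in for the slow password hash (bcrypt, Argon2) a real system would use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// User is a constructed in-memory account record for this example.
type User struct {
	Name  string
	Salt  []byte
	Hash  []byte   // salted SHA-256 of the password; production code uses bcrypt or Argon2
	Roles []string // role names looked up in rolePermissions
	Home  string   // the one unit this person may enter as a resident
}

// rolePermissions maps each role to the actions it may perform.
// Anything not listed is denied: the default is "no access".
var rolePermissions = map[string]map[string]bool{
	"resident": {"enter": true},
	"guard":    {"enter": true, "view_log": true},
}

func hashPassword(password string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewUser creates an account with a fresh random salt.
func NewUser(name, password, home string, roles ...string) *User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return &User{Name: name, Salt: salt, Hash: hashPassword(password, salt), Roles: roles, Home: home}
}

// Authenticate answers "is this caller who they claim to be?".
// The comparison is constant-time, and an unknown name still hashes a dummy
// record so that response time does not reveal which accounts exist.
func Authenticate(users map[string]*User, name, password string) (*User, error) {
	u, ok := users[name]
	if !ok {
		u = &User{Salt: make([]byte, 16), Hash: make([]byte, sha256.Size)}
	}
	candidate := hashPassword(password, u.Salt)
	if !ok || subtle.ConstantTimeCompare(candidate, u.Hash) != 1 {
		return nil, errors.New("authentication failed")
	}
	return u, nil
}

func hasRole(u *User, role string) bool {
	for _, r := range u.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Authorize answers "may this authenticated user perform action on unit?".
// Deny by default; a resident's "enter" right is scoped to their own home,
// which is the least-privilege part: being a resident opens one door, not all of them.
func Authorize(u *User, action, unit string) bool {
	if u == nil {
		return false
	}
	allowed := false
	for _, r := range u.Roles {
		if rolePermissions[r][action] {
			allowed = true
		}
	}
	if !allowed {
		return false
	}
	if action == "enter" && unit != u.Home && !hasRole(u, "guard") {
		return false
	}
	return true
}

func main() {
	users := map[string]*User{
		"alice": NewUser("alice", "correct horse battery staple", "A-101", "resident"),
		"bob":   NewUser("bob", "gatekeeper-pass", "gate", "guard"),
	}
	alice, err := Authenticate(users, "alice", "correct horse battery staple")
	fmt.Println("alice authenticated:", err == nil)                       // true
	fmt.Println("alice enters A-101:", Authorize(alice, "enter", "A-101")) // true
	fmt.Println("alice enters B-202:", Authorize(alice, "enter", "B-202")) // false
	fmt.Println("alice views log:", Authorize(alice, "view_log", "gate"))  // false
}
```

Note that `Authorize` takes the `*User` returned by `Authenticate`, never a name typed by the caller: the authorization decision is only as good as the identity it was given, which is why the two steps are kept separate but chained.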

Encrypting data: Encrypting sensitive data, both at rest and in transit, helps protect it from unauthorized access and disclosure. Data encryption is the process by which a readable message is converted into an unreadable form so that unauthorized parties cannot read it.

Managing third-party access: Several vendors access an organization’s assets at any given time. This can be physical access, such as building maintenance, contractors, and consultants, or software access through a remote connection that a vendor uses to support the organization. Software risks here include vendors not logging out after their work is done, not using strong passwords, and being granted access to more resources than their task requires. A malicious actor can use such loopholes against the organization. Hence the need to tightly control third-party access and manage its security.

Continuously monitoring and logging: Several software products continuously check logs and telemetry for anomalies and report them immediately. This allows the team to respond to them in a timely fashion.
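As an added example of the kind of anomaly check such tooling performs (not code from the original post or from coMakeIT), the Go program below parses a constructed authentication log and raises an alert when one source address accumulates a threshold number of failed logins within a sliding time window. The log format, the addresses, and the user names are all constructed for the example; the sliding window is what keeps a legitimate user who mistypes once, or a source that fails slowly over an hour, from being flagged.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed line of the constructed log format:
//   2023-02-21T10:00:01Z login_failed user=alice src=10.0.0.5
type Event struct {
	At     time.Time
	Action string // "login_ok" or "login_failed"
	User   string
	Src    string
}

// ParseLine parses a single log line into an Event.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at, Action: fields[1]}
	for _, kv := range fields[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		}
	}
	return ev, nil
}

// ParseLog parses every non-empty line; a malformed line aborts the run so
// that a broken log pipeline is noticed rather than silently skipped.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Alert reports a source that reached the failure threshold within the window.
type Alert struct {
	Src      string
	Failures int
	Start    time.Time
}

// DetectBruteForce flags each source at most once when it has at least
// threshold failed logins inside a sliding window. Events must be in
// timestamp order, as they are in a log.
func DetectBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{}
	alerted := map[string]bool{}
	var alerts []Alert
	for _, ev := range events {
		if ev.Action != "login_failed" {
			continue
		}
		ts := append(recent[ev.Src], ev.At)
		for len(ts) > 0 && ev.At.Sub(ts[0]) > window { // drop failures older than the window
			ts = ts[1:]
		}
		recent[ev.Src] = ts
		if len(ts) >= threshold && !alerted[ev.Src] {
			alerted[ev.Src] = true
			alerts = append(alerts, Alert{Src: ev.Src, Failures: len(ts), Start: ts[0]})
		}
	}
	return alerts
}

// SampleLog is constructed: 10.0.0.5 hammers several accounts within seconds,
// 192.168.1.20 mistypes once, and 10.0.0.7 fails slowly, once every ~11 minutes.
const SampleLog = `2023-02-21T10:00:01Z login_failed user=alice src=10.0.0.5
2023-02-21T10:00:03Z login_failed user=bob src=10.0.0.5
2023-02-21T10:00:04Z login_ok user=carol src=192.168.1.20
2023-02-21T10:00:05Z login_failed user=carol src=192.168.1.20
2023-02-21T10:00:06Z login_failed user=carol src=10.0.0.5
2023-02-21T10:00:08Z login_failed user=dave src=10.0.0.5
2023-02-21T10:00:09Z login_failed user=eve src=10.0.0.5
2023-02-21T10:09:00Z login_failed user=frank src=10.0.0.7
2023-02-21T10:20:00Z login_failed user=frank src=10.0.0.7
2023-02-21T10:31:00Z login_failed user=frank src=10.0.0.7`

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBruteForce(events, 5, 10*time.Minute) {
		fmt.Printf("ALERT %s: %d failed logins since %s\n", a.Src, a.Failures, a.Start.Format(time.RFC3339))
	}
}
```

With a threshold of 5 in 10 minutes only 10.0.0.5 is flagged; widening the window to 15 minutes with a threshold of 2 also catches the slow source, which is the trade-off between alert noise and missed activity that every monitoring rule has to be tuned for.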

Having an incident response plan: Now that you are monitoring activities continuously, what do you do when you encounter an incident? Having an incident response plan in place helps you respond quickly and effectively in such an event. It is also a mandatory requirement if one goes for an Information Security Management System evaluation or certification.

Regularly reviewing and updating policies and procedures: Over time, old policies and procedures become legacy, and malicious actors can exploit the loopholes in them. It is therefore important to review and update policies and procedures, periodically or as the need arises, so that they remain effective and aligned with the organization’s goals and objectives.

Providing security awareness training: Providing security awareness training to employees and other users helps ensure that they are aware of the security risks that can arise and know how to respond if such an event occurs.

Governance, on the other hand, consists of the practices an organization adopts to keep its different processes aligned with its vision while conforming to the regulations of the land.

Governance comes from the top down, encouraging ethics and transparency in the workings of the organization. A good governance model favours collaboration, trust, and creativity.

The following best practices can be used to ensure governance control in your organization:

Compliance with regulations and standards: Organizations should comply with relevant regulations and standards such as GDPR, CCPA, HIPAA, and PCI DSS. Business and IT processes within the organization should be compliant with the respective regulations.

Strict control over remote work policies:

A large share of IT employees prefer to work from home today. While organizations have changed their strategy to manage such a workforce, it is important to ensure that the data that was earlier secured on their internal servers is still safe in the designated cloud storage. Policies that keep a check on appropriate cloud usage are a must.

Decision control:

During operations, it must be decided how much control is given to third-party developers, so that innovation is not stifled, yet control does not slip out of the product/platform owner’s hands. This is also required to ensure the accountability of the different participants in case of any untoward incident.

At coMakeIT, we incorporate all the above practices to ensure the products and platforms we build for our clients stand the test of security as well as governance. If you wish to learn more about how we make our products great as well as secure, feel free to reach us.
