January 19, 2021

Tips for Building a Robust Secure Coding Program

Software code — whether it’s on mobile devices, personal computers, servers or mainframes — runs the risk of getting hacked. In turn, this can give hackers control of a device or application and lead to loss of user access, service and organizational secrets, and damage to the system. Although only 7 percent of software defects emerge from the coding phase, these defects can be costly and risky. Organizations, as well as individuals, need to understand the risks associated with unsecured coding practices to protect their IT infrastructure. In order to ensure that your code is protected from vulnerabilities and risk, we’ve outlined tips for building a robust secure coding program.

Secure by Design

Secure coding has to permeate your development process. It has to be integrated into every step of development and IT. If you implement it too early, it could cause too much interference. On the other hand, if you leave it too late, it can lead to costly remediation efforts. In fact, if it’s left too late and the product is already shipped, it could cost 100 times more to fix the security vulnerabilities. At Rocket, we try to focus on an appropriate level of security scanning throughout the entire development process. That way, coding is secure but the process isn’t overwhelming.

Threat Modeling

Throughout the application development process, it’s important to practice threat modeling. This involves identifying and prioritizing potential threats and security risks. For each application, you need to understand how it works within an ecosystem in order to analyze the risk and likelihood of various threats. Ensure that there are clear service-level agreements in place if you discover a vulnerability. These must be clearly communicated, understood, and adhered to, in case of a breach.

Perform Scans

Scanning your code is important, but there are many different kinds of scans that can be run. We recommend the following:

  • Software Composition Analysis (SCA): This scan is important for applications that use open-source components, as it provides an inventory of third-party components, their licenses, and other open-source security concerns. It can occur at various stages of the software development lifecycle (SDLC).
  • Static Application Security Testing (SAST): This is used to analyze source code or binaries for bad coding practices and vulnerabilities. It can also occur at various stages of the SDLC.
  • Dynamic Application Security Testing (DAST): This type of scan exercises web applications and web services through the front end to find vulnerabilities and exploitable behavior. It usually occurs later in the SDLC.
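To make the SAST bullet concrete, here is a small static checker written for this page; it is an added example, not a Rocket tool or anything from the original post. It walks a Python module's syntax tree and flags a handful of well-known risky constructs (dangerous calls, shell=True subprocess calls, hardcoded secret literals). The rule set and the sample module it scans are constructed for illustration and are deliberately narrow; real SAST products track data flow across functions, which this does not.

```python
"""Minimal SAST-style checker over a Python module's AST.

Added example for illustration only: the rules below are a small, constructed
subset of what a real static analyzer checks, and the sample module is made up.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the scanned source
    rule: str      # short rule identifier (constructed names)
    detail: str    # human-readable description


# Call targets flagged whenever they appear, as 'module.func' or a bare name.
RISKY_CALLS = {
    "eval": "code-injection",
    "exec": "code-injection",
    "pickle.load": "unsafe-deserialization",
    "pickle.loads": "unsafe-deserialization",
    "yaml.load": "unsafe-deserialization",   # allowed when a Loader is given
}

# Substrings that mark a variable name as likely holding a credential.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def _call_name(node: ast.Call) -> str:
    """Resolve a call to 'mod.func' or 'func'; '' if the target is dynamic."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _has_true_kw(node: ast.Call, name: str) -> bool:
    """True if the call passes the literal True for keyword `name`."""
    return any(
        kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


class RiskVisitor(ast.NodeVisitor):
    """Collects findings while visiting every node in the tree."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in RISKY_CALLS:
            # yaml.load with an explicit Loader= is the documented safe form.
            safe_yaml = name == "yaml.load" and any(k.arg == "Loader" for k in node.keywords)
            if not safe_yaml:
                self.findings.append(Finding(node.lineno, RISKY_CALLS[name], f"call to {name}"))
        if name.startswith("subprocess.") and _has_true_kw(node, "shell"):
            self.findings.append(Finding(node.lineno, "command-injection", f"{name} with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(
                        Finding(node.lineno, "hardcoded-secret", f"{target.id} assigned a string literal")
                    )
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse `source` and return findings ordered by line number."""
    visitor = RiskVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module (not from any real project) exercising each rule.
SAMPLE = '''\
import subprocess, pickle, yaml
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob, text):
    a = pickle.loads(blob)
    b = yaml.load(text, Loader=yaml.SafeLoader)
    c = eval(text)
    return a, b, c
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: [{finding.rule}] {finding.detail}")
```

Running the module prints four findings for the sample (lines 2, 4, 6 and 8) and correctly leaves the `yaml.load(..., Loader=yaml.SafeLoader)` call alone. A checker like this is cheap enough to run on every commit, which is the point of the "various stages of the SDLC" remark above.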

Access Control

A tried and true staple of information security is access control. This must be applied to all secure code. Start by considering who really needs access to the code. Do the developers from one team need access to the source code of another team? Then, establish limits to who has access to the source code and, if necessary, control who is escrowing your code.

Keeping it Simple

A final piece of advice? Don’t overcomplicate the process. Consider where you can reuse known and trusted components of the coding process. Use uniform components across a portfolio of applications to reduce vulnerabilities in software and simplify remediation. A secure coding program is essential for protecting against security breaches, and it need not be complicated.

Adam Glick

Adam is currently the Chief Information Security Officer for Rocket Software in Waltham, MA. Previously, he was the Vice President of Cyber Risk for Brown Brothers Harriman where he focused on program, policy, controls, threat intelligence, and incident response. Prior to this role, he was the Vice President of Information Technology and Information Security Officer for Century Bank for 5 years. His responsibilities included operationally managing all IT systems and all matters pertaining to information security, risk, policy and procedure. Adam is currently an adjunct professor at Boston College in the cybersecurity policy & governance program, and an adjunct professor of IT in the MBA program at the School of Business at Providence College. Prior to these roles he worked as a Security Engineer at Brown University and a Security Analyst at Providence College. He received both his undergraduate degree in education and his MBA from Providence College. Outside of the office, he is a car and technology enthusiast along with an avid reader, hiker, cyclist, and Brazilian Jiu-Jitsu practitioner.