The importance of building security into system design from the outset
In the first half of 2019, there was a 54 percent increase in data breaches; big firms and small have contributed to those figures. This includes (breach size in brackets): Capital One (106 million), Suprema (27.8 million), and Facebook (419 million). We are now so accustomed to hearing about cybersecurity incidents that we are in danger of becoming desensitized. But every one of those exposed records represents an individual human being.
The modern business is up against a perfect storm of sophisticated cybercrime methods, stringent data protection legislation, and ensuring they retain customer trust. This is all within a climate of digital transformation, the technologies of which can give an organisation a competitive edge.
Any organisation would be forgiven for feeling like a rabbit in the headlights. But there is a way to have your digital cake and eat it. The discipline of ‘Secure by Design’ (SbD) is taking root in global organisations. By applying the principles of Secure by Design we give our businesses the ability to fight this perfect storm.
Here, we will take a deeper look into what Secure by Design means and share some tips on achieving it.
Back in the day, when the internet was but a twinkle in the eye of a server, security was much easier. The corporate firewall and antivirus software we used, worked well. It kept the malicious elements out; to propagate a virus across a network you had to do it using a floppy disk. Then the internet happened. It was like a dream come true for cybercriminals because it opened everything up. Email became the tool of choice of the cybercriminal. In fact, email is still a starting point for 90% of data breaches.
Fast forward to 2020. We now have hyper-connectivity via the Internet of Things (IoT), mobile devices and apps, and edge computing. Cloud computing is ubiquitous across companies of all sizes and industries. The human-computer interface is more complex than it has ever been. The data matrix is so vast and has so many touchpoints, that it effectively offers a data feast to anyone wishing to dip in.
To fit security into this complex matrix we have to be smart in our choices, we have to place security central to the design process itself. Security must be a design remit.
The previous use of endpoint solutions such as antivirus software is no longer enough to stem the flow of data as it moves across myriad devices and connected infrastructures.
Security is a holistic process. To retain control over the path of data, security must become an intrinsic aspect of a service or platform, from the human-touchpoint to the infrastructure it sits within.
The only way to achieve this is to make sure that Secure by Design is placed as a central tenet whenever you design a product, take on a new system, or become part of a larger ecosystem.
By using a Secure by Design approach, you can get security correct, from the start. A security-led design process will evolve into a Secure by Design end result. This will ultimately mitigate security threats and save a lot of hassle, and money, later on.
How do you add Secure by Design into the remit of a product or service? Firstly, Secure by Design is a process, not a point solution. It covers every aspect of the creation of a solution. The 5 tips below, give you a feel for using a Secure by Design process:
#1. Secure coding – The application of secure coding techniques is a fundamental part of making a system secure. Flaws in code lead to vulnerabilities which lead to cybersecurity incidents. Make sure the product you develop or the one you buy in is built using secure coding practices. Check out OWASP’s secure coding practices checklist.
#2. Embed the right protection – Protective measures can be used across all layers of a system. There are a number of areas to consider, this gives you a flavour of some of them:
#3. Keep it Simple Simon (KISS) – The first principle of security is KISS. Keep security as simple as possible; for example, only collect data you really need to collect, this reduces security overhead and help to meet the privacy principles of the General Data Protection Regulation (GDPR).
#4. Use the right protocols and implement them correctly – The tech industry has developed some excellent open standards that offer robust security when implemented correctly. For example, the standard protocol OAuth 2.0, has been developed using threat models and with security as a core consideration. Similarly, the JSON Web Token (JWT) has been designed to use digital signatures to maintain integrity during sessions. JWT can also help with resistance to Cross-Site Request Forgery (CSRF) attacks if implemented correctly.
#5. Use a security-enhanced interface – The human-computer touch-points can become a security gap if not properly designed. Good security starts with good usability, the balancing act needed for both is achievable with good design. It is often the simplest of UI ideas that can add the most security. For example, in the design of a credential recovery system, instead of revealing the existence of a live email account when account recovery is initiated, simply state that “If the account exists a reset link will be sent”. Similarly, don’t display your password policy on screen. If you let a cybercriminal know that your policy “must include a capital letter, a number, and a special character”, this will help them to create a more successful brute force attack. Instead, follow the advice from the United States National Institute for Standards and Technology (NIST) on the matter, this includes, do not use rules to force the creation of a password and do not have on-screen password hints.
Using a Secure by Design approach will give your organisation a fighting chance against the growing spectre of cybercrime. It may seem like a chore to design security in from the word go, but the alternative is to become part of the cybersecurity statistics. With Juniper Research predicting that data breaches will cost $5 trillion globally by 2024, it is worth the effort.
The design process and cybersecurity are intrinsically linked. To build the best software, you need to have a deep understanding of all aspects of security and where it should be applied. Don’t let your business become part of an analyst report on data breaches. Let us help you to ensure that your software is built to the principles of Secure by Design.
Under GDPR any data that can be linked to an individual is potentially under the watch of the legislation. In other words, if a snippet of b…
User Acceptance Testing (UAT), also known as End-User, Application or Beta Testing, is the final phase of the testing process ahead of relea…