ASG Technologies Vice President APAC Kaushik Bagchi shares his thoughts on why data and application security are high priorities for businesses due to the growing risks posed by theft and increasing government mandates to maintain and secure private information.
By Kaushik Bagchi
The 2018 data breach at SingHealth, Singapore’s largest group of hospitals, highlights the range of risks organizations need to address to protect customer data.
Singaporean banks were also top targets of the cybercriminals behind the Tinba v3 Trojan in 2015-2016, accounting for over a third (36%) of attacks, according to BMI Research.
Organizations need to commit to application security for all external IT, both to protect data from breaches and to protect the business from the consequences of regulatory non-compliance. Incidents such as the 2017 WannaCry attack, which affected machines running an older version of the Windows operating system, show how hundreds of thousands of systems worldwide can be compromised through unsecured software. Securing data therefore includes using commercial software (managed on premises or in the cloud) that is delivered with no known vulnerabilities and is continually tested and updated to address new threats as they are identified.
For developers, it’s imperative to meet the challenge of providing the secure software customers need to fuel security initiatives and prevent data loss. The Singapore Airlines data breach earlier this year triggered by a bug that surfaced after the company made changes to its website underscores this point.
The key to meeting this need is a development lifecycle that assesses risks, models threats and solutions through design reviews, and tests software security with both static and dynamic testing. These development processes should also be kept current by adopting agile techniques, implementing collaborative development tools, moving to standardized techniques such as RESTful APIs, adopting common, accessible user experience models and, lastly, developing and reusing common components.
Software developers should also consider adopting a secure systems development lifecycle (SDLC), which treats security as a core part of software development rather than an afterthought. An automated process such as an SDLC ensures that security steps cannot be bypassed while products are built, making it more likely that flaws are identified before the product is released.
There is no advantage in cutting corners. Developers need to adopt best-of-breed software test tools and methods to confirm that new software releases meet the security standards customers need.
To ensure this happens, your processes should be carried out by a highly trained and knowledgeable development community.
Teams may be structured to include a designated Security Task Force made up of individuals from various parts of the organization (e.g., Development and Quality Assurance) who mentor their colleagues and ensure security guidelines are followed. This task force can also collaborate with the broader security team to perform threat modelling exercises on each release.
Identifying and scanning all third-party code for security vulnerabilities is also necessary.
Many software breaches happen when organizations use third-party code that is common to many products but also carries flaws. To eliminate this threat, code repositories should be scanned to identify libraries that are severely outdated, have conflicting licensing terms, or have security flaws identified by the community. Products should not be released if any of these conditions is found.
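The release gate the article describes, as an added illustration rather than ASG’s own tooling: each declared dependency is checked against an advisory feed for the three blocking conditions (severely outdated, incompatible licence, community-reported vulnerability). The advisory feed, licence allow-list, package names and version numbers are all constructed sample data.

```python
"""Third-party dependency release gate (added example, not the article's or ASG's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed: licences the product is permitted to ship with.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory feed keyed by package name. Versions are plain integers
# for simplicity; a real feed would carry semantic-version ranges.
# "vulnerable_below": versions older than this have a community-reported flaw.
ADVISORIES = {
    "parsekit": {"latest": 9, "license": "MIT", "vulnerable_below": 7},
    "netio": {"latest": 4, "license": "GPL-3.0", "vulnerable_below": 0},
    "cryptoz": {"latest": 12, "license": "Apache-2.0", "vulnerable_below": 12},
}
OUTDATED_GAP = 3  # "severely outdated": this many releases behind the latest


@dataclass
class Finding:
    package: str
    category: str  # "outdated" | "license" | "vulnerability" | "unknown"
    detail: str


def scan_dependencies(manifest: dict[str, int]) -> list[Finding]:
    """Return every blocking finding for a {package: version} manifest."""
    findings: list[Finding] = []
    for name, version in sorted(manifest.items()):
        adv = ADVISORIES.get(name)
        if adv is None:
            # Fail closed: a library with no advisory data cannot be vouched for.
            findings.append(Finding(name, "unknown", "no advisory data; review manually"))
            continue
        if adv["latest"] - version >= OUTDATED_GAP:
            findings.append(Finding(name, "outdated", f"{version} vs latest {adv['latest']}"))
        if adv["license"] not in ALLOWED_LICENSES:
            findings.append(Finding(name, "license", adv["license"]))
        if version < adv["vulnerable_below"]:
            findings.append(Finding(name, "vulnerability", f"fixed in {adv['vulnerable_below']}"))
    return findings


def release_allowed(manifest: dict[str, int]) -> bool:
    """A product ships only when the dependency scan produces no findings."""
    return not scan_dependencies(manifest)


if __name__ == "__main__":
    sample = {"parsekit": 5, "netio": 4, "cryptoz": 12}  # constructed manifest
    for f in scan_dependencies(sample):
        print(f"{f.package}: {f.category} ({f.detail})")
    print("release allowed:", release_allowed(sample))
```

Wired into the build, the same check runs on every commit so a newly added or newly flagged library blocks the pipeline immediately rather than at release time.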
In addition, the organization’s own source code should be scanned automatically to identify incorrect security practices and alert the developers. The organization and its developers benefit by building knowledge of secure development best practices and by fixing potential security weaknesses before they become threats. Companies should consider running this scan both when new code is committed (real-time security) and when products are automatically built, so that developers receive rapid feedback and can correct issues quickly.
Ensure that an automated Quality Assurance cycle is executed soundly to search for security flaws. During this essential phase, all product transactions can be monitored and analysed for issues.
Your security team should also carry out intensive penetration testing. All products should receive this crucial testing from the internal security team, using a combination of tooling and the team’s own knowledge, prior to release.
Reputable, trustworthy software developer organizations will seek to engineer application security into their products and test continually along the path from delivery through operation. Automated processes help guarantee that security is not overlooked. Customers should expect secure software from their vendors, and a process like the one detailed above will help identify and address vulnerabilities so that those customer demands can be met.
(Ed. Prior to his current role at ASG, Kaushik Bagchi says he has over 24 years of sales management experience in the IT space. He says he was instrumental in driving the Information management growth for IBM software in India and handled the integration of companies like Datastage, Filenet and Cognos. Bagchi also says he was instrumental in building the SAP cloud platform business for India.)