Integrate Security Practices
As the cost of the insecurity of our applications and environment grows more evident by the day, we are all getting nervous about the one big question: Are we doing everything we should mitigate the risk? The answer for most of us is a resounding “no,”. And the fix is also both more straightforward and more complicated than we would like to admit. This is for one basic reason: Security cannot be bolted on as effectively as it can be.
We’ve already done a lot of hard work to integrate operations into our development process and vice versa, and this is the perfect place to know security awareness and practice into the process from beginning to end.
Here are some practices to get started:
- Culture starts at the top
There is an organizational commitment to the top to dedicate time, money, and other resources to security awareness in every action of your team take. That’s not a severe case to make; keep bringing out the headlines about high-profile security, data, and the associated costs in liability and brand damage. Everyone must be aware of the potentially catastrophic damage security breaches can inflict on the entire business.
The pressure to get projects on time can produce shortcuts even for organizations that generally do the right things—and this is when security awareness at the highest level will pay off, giving you that extra to think through security or allowing you to pause deployments for penetration testing. If short-term thinking dominates the cost or benefits, risk, or rewards analysis every time, you are going to have a hard time. The first and most important best practice is to get your executives on board.
- Security awareness in Development begins on Day One
The tenure of every developer and operations should start with security training that covers the basics of secure coding and the most common exploit vectors. Your presentation of this information is an organisationally priority security mindfulness. Get your most senior developers trained and task them with producing the training courses. The courses that include secure coding practices and the most common security mistakes. Not only this give them ownership of security for the juniors. But it also forced them to think through these issues. This is critically essential. Why? Because those senior developers are your most important allies when you’re in the grime and grit of daily commits, reviews, and deploys.
Training should be revisited multiple times per year, increasing complexity as your team’s sophistication on the subject grows.
- Keep your security processes clear and minimal, but forceful
The level and adequate kinds of authentication shouldn’t be left to guesswork and on-the-spot decision making under the gun of a deadline. Work out with teams exactly what minimal levels of encryption keys, ciphers, and password complexity. These are acceptable for your use cases. But don’t go overboard with verbosity or trying to hit every possible corner case. Your people should know when they hit a possible exception for which additional discussion is required. If you can’t trust them to understand that, call your hiring process into question.
You should have a WISP (written information security plan), a DIRP (data incident response plan). And also, any other procedure documents that are called in your industry or regulatory. The goal should keep them as concise and straightforward as possible—simple enough to keep all of it all the time. When they are more than a couple of pages apiece on average, they become worse than useless; they become obstacles, a reason that the next best practice explains.
- Make it simple
Complexity is the enemy not only of security; but of reliability, predictability, and operational efficiency as well. You should have one solution per problem. You don’t need to support, patching, and tuning five brands of the database, but one will do. Cultivating deep expertise in the small lists of tools and environments of your teams. Especially in bringing the economies of scale and efficiencies that are lost when you have to be a jack of all trades supporting the multiple platforms.
- You don’t know anything until you test it
You believe you can fly and having that delusion persist until the moment you jump off of the roof. And you thought the same about your code and didn’t learn differently until you released it into the wild. Do penetration testing and review your code. I prefer to do a rolling code review as part of the deploy process as well as a periodic deeper dive. Also, to have the inside staff to rolling pen testing, supplemented by occasionally paying outside firms to give us a go. To motivate your team, pay them a bonus per legitimate issue they find. Doing all of the above may seem over the top for your organization, you have to be doing at least some subset.
EVERY BUSINESS IS TECHNOLOGY BUSINESS
It has become clear that all the business is now a cyber-business and that no business is too small to be a target. Also, not doing everything you can in the security into your process is as good as negligence. Data will have IT staff answering to executives, executives answering to the board, the board answering to shareholders, and the entire business answering the consumer and the customer, both in court and in the market. We should be proactively about voicing the importance of security, and advocating before that happens. We do this so that we don’t wind up after the fact of answering why we didn’t.