In January 2023, the U.K. Royal Mail got hit by ransomware, forcing the company to stop sending letters and parcels overseas. Although initiated by a phishing attack, this incident could have been avoided if the company had implemented robust authentication measures across all its services. But instead, they had legacy systems in place – and there is nothing more vulnerable than legacy technology.
Today every organization, big and small, faces security challenges. To overcome these challenges, it’s not enough to teach your employees to be careful and avoid clicking on suspicious links. Security needs to be an integral element of your SDLC (Software Development Lifecycle).
In this article, we’ll talk about what secure SDLC is and offer 6 security best practices supported by examples from our experience.
What is the Secure Software Development Lifecycle (SSDLC)?
Secure Software Development Lifecycle is a systematic approach to integrating security into the software development process, often achieved by adopting a security-by-design practice. Rather than treating security as an add-on at later stages, development teams take a proactive approach and integrate security from the very start.
By identifying and mitigating security risks early in the development process, development teams can reduce the likelihood of security vulnerabilities and breaches in the final product.
At Modeso, we start our development process with security in mind, meaning we define security risks as early as the requirements stage to protect our clients’ data and avoid reputational risks. This is how we build software that is resilient and secure – as demonstrated in our recent projects.
Taking security risks into account is a must-have in software development. But what risks are we talking about?
The most common security risks to look out for
Insecure data storage, low-quality code, outdated infrastructure, and the list goes on. The way your software is built often determines whether it will suffer from vulnerabilities and let in threats. Here are the most common security risks we often come across in our work:
Legacy software
Outdated technology, lack of support, insecure code, compliance issues, and limited integration ‒ that’s what we call a classic legacy software system. So it doesn’t come as a surprise that it’s an easy target for security threats. The same can be said about software lacking regular maintenance ‒ such systems are also in danger of being attacked.
Poorly written code
When code lacks clarity, organization, and adherence to best practices such as input validation, output encoding, and error handling, it becomes more prone to security vulnerabilities and flaws.
Insecure authentication and authorization mechanisms
Weak authentication practices, such as inadequate password policies or storing credentials improperly, open the path for hackers to gain unauthorized access to sensitive data or functionalities.
Vulnerable third-party services
If your software requires third-party integrations, it’s necessary to evaluate how secure these third parties are. Their flaws might serve as an entry point for attackers to gain access to your sensitive data.
Insecure storage
When data is stored insecurely, it becomes vulnerable to unauthorized access, manipulation, or theft by malicious actors. What’s more, it can lead to compliance violations resulting in severe penalties, fines, and legal consequences for an organization.
Core principles to secure your data
To mitigate security risks for our clients and safeguard their sensitive data, we set up a secure SDLC characterized by the following practices:
Practice 1: Follow OWASP standards
OWASP, or Open Web Application Security Project, is a non-profit foundation that provides free tools and documentation to build and maintain secure web applications. Its resources include OWASP API Security Top 10, a comprehensive guide that assists developers and organizations in prioritizing security measures and mitigating the most impactful security risks of application programming interfaces. Here’s the 2023 update of OWASP API Security Top 10:
API Security Top 10 2023
API1:2023 – Broken Object Level Authorization
API2:2023 – Broken Authentication
API3:2023 – Broken Object Property Level Authorization
API4:2023 – Unrestricted Resource Consumption
API5:2023 – Broken Function Level Authorization
API6:2023 – Unrestricted Access to Sensitive Business Flows
API7:2023 – Server Side Request Forgery
API8:2023 – Security Misconfiguration
API9:2023 – Improper Inventory Management
API10:2023 – Unsafe Consumption of APIs
For a better understanding, let’s look closer at one of the risks outlined ‒ Broken Authentication. OWASP provides a comprehensive overview of the vulnerability itself, including ways to prevent it, threat agents, security weaknesses, impacts, example attack scenarios, and more. By thoroughly examining the risk, developers can adopt proactive measures to mitigate its impact during the development process.
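As an added example (not Modeso’s code, nor OWASP’s), here is the credential-storage side of Broken Authentication: the “storing credentials improperly” pattern from the risk list above, beside a salted, memory-hard hash with constant-time verification and a minimal password policy. The scrypt parameters, the record format and the small breached-password list are constructed assumptions.

```python
import hashlib
import hmac
import os

# Added example, not Modeso's code. Parameters below are constructed defaults.
SCRYPT_N = 2 ** 14      # CPU/memory cost (16 MiB with r=8); raise as hardware allows
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32
MIN_PASSWORD_LENGTH = 12

# Constructed stand-in for the breached-password list an application would load.
KNOWN_BAD_PASSWORDS = {"password123", "qwerty123456", "letmein12345"}


def hash_password_insecure(password: str) -> str:
    """The weak pattern: unsalted, fast hash. Equal passwords give equal hashes,
    so leaked records can be attacked with precomputed tables. Shown only to
    contrast with hash_password() below; do not store credentials this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard scrypt hash stored as a self-describing record
    'scrypt$N$r$p$<salt hex>$<hash hex>', so the cost parameters can be raised
    later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time.
    Any malformed record is rejected rather than raising."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        stored = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(stored))
    except (ValueError, OverflowError):   # wrong field count, bad hex, bad integers
        return False
    return hmac.compare_digest(candidate, stored)


def meets_password_policy(password: str) -> bool:
    """Length plus a breached-list check; composition rules are deliberately absent."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and password.lower() not in KNOWN_BAD_PASSWORDS)
```

The record format carries its own parameters so that a future increase in SCRYPT_N only affects newly written records; verification always uses whatever the stored record says.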
Now, let’s see how prioritizing security standards was put into action in our collaboration with Würth Financial Services, Switzerland’s leading insurance broker, and TWINT, the most popular payment app in the country.
We joined the project to help develop Insurhub – an app that aggregates insurance products from various providers and offers them to private clients through the TWINT app.
Security was a top priority for Insurhub, given the sensitive nature of payment information and user data. To protect sensitive information, we used encryption and stringent access controls to ensure that unauthorized access is prevented, while our code changes underwent thorough review processes to maintain integrity.
Practice 2: Perform penetration tests for systems dealing with sensitive data
Penetration testing, or simply pen testing, involves simulating real-world cyberattacks on a computer system, network, or application to identify vulnerabilities and weaknesses. By testing the security measures implemented in the software, pen testing evaluates their effectiveness in mitigating cyber threats and protecting data assets.
Not every project requires penetration testing. It’s more common in fintech and medtech, where sensitive user data is at stake. Because penetration testing requires specialized expertise, we usually engage a reliable third-party partner to conduct it for our clients.
When working with TWINT on three other projects ‒ Digital Voucher, Super Deals, and Storefinder – our security measures included penetration tests. To identify potential security vulnerabilities, our partners conducted tests covering a range of aspects, including network configurations, application vulnerabilities, and user access controls.
Practice 3: Choose a secure integration strategy
To mitigate risks associated with connecting disparate systems, applications, or networks, it’s essential to choose a secure integration strategy. It ensures that sensitive data transferred between systems remains protected from unauthorized access or interception. Organizations can safeguard data integrity and confidentiality by implementing encryption, access controls, and secure communication protocols.
We always have contractual obligations with third-party systems or services we integrate with, so such integrations are unlikely to pose any threats. We also implement authentication mechanisms like token-based and permission-based authentication to protect valuable data and secure its transfer. To identify vulnerabilities in dependencies, we use Dependabot. It scans the default branch of the repository to detect insecure dependencies and sends alerts so that a package is updated to a secure version or replaced with a secure alternative.
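To make the token-based and permission-based authentication mentioned above concrete, here is an added example (not Modeso’s code or any specific library’s API) of issuing and verifying an HMAC-signed bearer token that carries a subject, a scope list and an expiry. The token layout, the shared secret and the scope names are constructed assumptions; a production system would normally reuse a standard token format and a vetted library, but the verification order shown (signature first, then expiry, then scope) is what matters.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Added example, not Modeso's code. The token shape is constructed to show the
# checks a receiving service must perform before trusting anything in the token.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: List[str],
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return '<payload>.<signature>': a base64url JSON payload and an HMAC-SHA256
    over it. The payload says who the caller is, what it may do and when it expires."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scopes": scopes, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    sig = _b64(hmac.new(secret, body.encode("utf-8"), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(secret: bytes, token: str, required_scope: str,
                 now: Optional[int] = None) -> Optional[Dict]:
    """Return the payload if the token is authentic, unexpired and carries the
    required scope; otherwise None. The signature is checked before the payload
    is parsed, so untrusted bytes never reach the JSON decoder."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(secret, body.encode("utf-8"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode("utf-8"), sig.encode("utf-8")):
        return None                      # tampered, or signed with a different key
    try:
        payload = json.loads(_unb64(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None                      # expired, or no expiry at all
    if required_scope not in payload.get("scopes", []):
        return None                      # authenticated, but not permitted for this call
    return payload
```

Because the scope list is inside the signed payload, a caller cannot widen its own permissions without invalidating the signature; and because a missing `exp` is treated as expired, a token can never be accidentally issued without a lifetime.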
While integration partners may not always pose a threat, there are situations where risks may come from the company’s internal legacy systems. This is often the case in projects requiring the modernization of existing software while maintaining necessary integrations with legacy systems.
For example, in our collaboration with Albin Kistler, a prominent wealth manager in Switzerland, we needed to rebuild their custom-made database into a modern platform for investment portfolio analysis. The existing system relied on outdated infrastructure that, among other things, carried security vulnerabilities. To eliminate these risks, we hosted the platform on a private cloud and implemented robust data validation measures when migrating data from the legacy system to the newly implemented solution.
Practice 4: Secure data storage
The data storage you choose plays a crucial role in safeguarding against data breaches and unauthorized access. Implementing secure data storage involves employing encryption techniques to protect data both at rest and in transit. Access controls and authentication mechanisms should be established to restrict unauthorized access to stored data. Regular data backups and disaster recovery plans should also be in place to mitigate the impact of potential data loss incidents.
Choosing reputable hosting providers with robust security measures and compliance certifications, such as AWS and GCP, can further enhance data protection efforts.
When considering where to host data, it’s crucial to prioritize locations that offer added legal and regulatory protections. Typically, we opt for GCP and AWS as our cloud providers. Given that most of our clients are situated in Switzerland, we store their data in data centers located within the country.
Practice 5: Access control and permissions
Limiting access to critical assets means controlling who can reach sensitive data or important systems. Let’s say your system has three user roles ‒ an administrator, manager, and employee. An administrator has full access to all system resources, settings, and functionalities, while a manager can access solely system resources and data related to their department. An employee, in turn, has access only to essential tools, applications, and data required to perform their direct job responsibilities.
To confirm someone’s identity before letting them in, developers usually use methods like passwords, biometrics, or multi-factor authentication. This way, they keep valuable data safe and make sure it stays private and accessible only to those who should have it.
We implement permission-based access control on almost every project we work on. One example is our collaboration with Rietman & Partner, a Swiss auditor and tax consultant.
Here we needed to develop a custom system that streamlines the company’s auditing procedures. The core functionality of the system revolves around a set of rules governing the audit workflow. To safeguard data privacy and integrity, we established access controls in which user roles such as auditors and lead auditors are allocated specific visibility and editing permissions, so that users work solely with the data relevant to their responsibilities.
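The following is an added example (not the Rietman & Partner system or any other Modeso code) of the role-based model described under Practice 5 and in the audit system above: an administrator with full access, managers and employees confined to their own department, employees further confined to items they created, and auditors who can view and edit audits while only lead auditors can approve them. The role names, permission sets and scoping rules are assumptions that generalize the text; the point is default deny plus scoping, applied in one place.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Added example, not Modeso's code. Role names and permission sets are assumed,
# generalizing the three roles from Practice 5 and the auditor / lead auditor
# split described for the audit workflow system.


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: Optional[str] = None


@dataclass(frozen=True)
class Resource:
    kind: str                       # "settings", "report", "audit", ...
    department: Optional[str] = None
    owner: Optional[str] = None     # name of the user who created the item


Permission = Tuple[str, str]        # (resource kind, action); "*" is a wildcard

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "administrator": {("*", "*")},
    "manager": {("report", "view"), ("report", "edit"), ("report", "create")},
    "employee": {("report", "view"), ("report", "create")},
    "lead_auditor": {("audit", "view"), ("audit", "edit"), ("audit", "approve")},
    "auditor": {("audit", "view"), ("audit", "edit")},
}

# Scoping rules layered on top of the role's permission set.
DEPARTMENT_SCOPED_ROLES = {"manager", "employee", "auditor", "lead_auditor"}
OWNER_SCOPED_ROLES = {"employee"}   # may only touch items they created themselves


def is_permitted(user: User, action: str, resource: Resource) -> bool:
    """Default deny: an unknown role or an unlisted (kind, action) pair is refused,
    and department / owner scoping is applied before any non-administrative access."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if not any(k in ("*", resource.kind) and a in ("*", action) for k, a in perms):
        return False
    if user.role in DEPARTMENT_SCOPED_ROLES:
        if resource.department is None or resource.department != user.department:
            return False
    if user.role in OWNER_SCOPED_ROLES and action != "create" and resource.owner != user.name:
        return False
    return True


def visible_resources(user: User, resources: Iterable[Resource]) -> List[Resource]:
    """What a listing endpoint should return: only items the caller may view,
    so out-of-scope data is never serialized in the first place."""
    return [r for r in resources if is_permitted(user, "view", r)]
```

Keeping the decision in a single `is_permitted` function, and filtering list results through the same function, avoids the common failure where an item is hidden from a listing but still reachable by its identifier.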
Practice 6: Automate security with DevSecOps
To ensure the continuous delivery of secure software, you can integrate security practices into your DevOps workflow. This practice is called DevSecOps, and it’s a great way to automate security processes throughout your software development lifecycle. It allows you to identify and remediate security vulnerabilities more efficiently.
DevSecOps includes incorporating security checks and tests into the CI/CD pipeline, such as static code analysis, vulnerability scanning, and automated penetration testing. Automated security tools can enforce compliance with security policies and standards, ensuring that security is not overlooked during the development process.
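One concrete piece of the pipeline described above is the policy gate that decides whether a build may proceed once the scanners have run. The following is an added example (not Modeso’s pipeline code) of such a gate: it takes findings in a scanner-agnostic shape, fails the build on anything at or above a chosen severity, and honours only exceptions that carry a ticket and have not yet expired. The findings, the exception list, the severity names and the ticket placeholder are all constructed; a real gate would read the findings from the scanners’ own output formats through a small adapter.

```python
import datetime as dt
import sys
from typing import Dict, List, Optional

# Added example, not Modeso's code. Findings and exceptions are constructed;
# a real gate would load them from the SAST / dependency scanners' own output.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

FINDINGS: List[Dict[str, str]] = [
    {"tool": "sast", "rule": "sql-injection", "severity": "high",
     "location": "app/db.py:42"},
    {"tool": "deps", "rule": "vulnerable-dependency", "severity": "critical",
     "location": "requirements.txt:pkg-a"},
    {"tool": "sast", "rule": "hardcoded-secret", "severity": "medium",
     "location": "app/config.py:7"},
    {"tool": "deps", "rule": "vulnerable-dependency", "severity": "low",
     "location": "requirements.txt:pkg-b"},
]

# Every exception names a ticket and an expiry date, so suppressions are
# reviewed on a schedule instead of silently becoming permanent.
EXCEPTIONS: List[Dict[str, str]] = [
    {"rule": "vulnerable-dependency", "location": "requirements.txt:pkg-a",
     "expires": "2024-03-01", "ticket": "TICKET-PLACEHOLDER"},
]


def evaluate(findings: List[Dict[str, str]], exceptions: List[Dict[str, str]],
             fail_at: str = "high", today: Optional[str] = None) -> Dict:
    """Classify findings as blocking or suppressed. `today` is an ISO date string
    (defaults to the current date) so the decision is reproducible in tests."""
    current = dt.date.fromisoformat(today) if today else dt.date.today()
    threshold = SEVERITY_RANK[fail_at]
    active = {(e["rule"], e["location"]) for e in exceptions
              if dt.date.fromisoformat(e["expires"]) > current}
    blocking: List[Dict[str, str]] = []
    suppressed: List[Dict[str, str]] = []
    for f in findings:
        # An unknown severity label is treated as critical: the gate fails closed.
        rank = SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["critical"])
        if rank < threshold:
            continue
        if (f["rule"], f["location"]) in active:
            suppressed.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "suppressed": suppressed}


def main() -> int:
    result = evaluate(FINDINGS, EXCEPTIONS)
    for f in result["blocking"]:
        print(f"BLOCK      {f['severity']:<8} {f['tool']}/{f['rule']} at {f['location']}")
    for f in result["suppressed"]:
        print(f"SUPPRESSED {f['severity']:<8} {f['tool']}/{f['rule']} at {f['location']}")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit code is what stops the deployment; the expiry on each exception is what keeps an accepted risk from outliving the ticket that justified it.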
By adopting DevSecOps practices, software development teams can proactively address security concerns while maintaining the agility and speed of the DevOps approach.
Develop secure software with Modeso
In conclusion, developing secure software requires a holistic approach that prioritizes security throughout the SDLC. By adhering to best practices and leveraging our expertise at Modeso, you can ensure that your software remains resilient and protected against evolving security threats. Contact us if you’re interested in building scalable and secure custom applications in line with security best practices.