Published at 18 / November / 2020

Secure software development techniques

What does this story sound like to you? You work as a developer on a software design and implementation project. Delivery times are tight and, consequently, a short period is planned to build the application, with a large team involved, followed by a long maintenance period in which only two or three people will be dedicated to solving the problems that arise later. Of course, with such draconian deadlines, the superfluous gets pruned so that the project can go ahead. The consequences? Goodbye to secure software development practices, and hello to a future in which the new software will be fodder for cyberattacks.

Neglecting computer security in these processes is no trivial matter. The Cost of a Data Breach Report 2019, by the Ponemon Institute for IBM, stresses that containing a data breach inflicts an average $3.9 million wound on the finances of the company that suffers it. In addition, the study puts at 279 the number of days needed to identify and resolve such a security flaw.

To avoid scenarios like this, there are secure software development techniques.

What is secure software development?

Secure software development is a working model that is based on continuous security checks on the project under construction, even from its initial stages and before a single line of code is written. These tests focus on discovering and correcting any errors at an early stage, and include tests for authentication, authorization, confidentiality, non-repudiation, integrity, stability, availability or resilience.

The goal is, after all, to make sure that users without permission cannot access the program or the data it stores.

Threats to be aware of when developing secure software

Secure software development is carried out by taking measures to combat computer threats. These malicious attacks are intended to compromise the digital activity of a group of people, to cause harm, or to steal either money or confidential information.

The list of cyber threats is long and constantly nurtured by new dangers. Viruses, Trojans, phishing, malware, logic bombs, screen scraping, advanced persistent threats (APT), ransomware, spyware ... And it goes on and on. Just look at the OWASP project website, which continually updates its top 10 critical security issues for web applications.

On our part, at BETWEEN we want to emphasize three types of tremendously harmful cyber-attacks that can be minimized through secure software development:

  • SQL Injection. It occurs when a third party inserts a snippet of intrusive code into, for example, the input field of a form. This can grant the attacker access to the victim's database.
  • XSS (Cross Site Scripting). It is based on the injection of scripts into a website using HTML, JavaScript or another language. The script is executed in the client's browser in order to spy on their sessions, redirect them to harmful websites, steal their personal information or manipulate their activity.
  • Denial of service (DDoS) attacks. They take place when a network of devices launches a simultaneous attack, flooding the service with more requests than it is able to handle.
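To make the first two threats concrete from the developer's side, here is an added example (not code from the original post) that contrasts a query built by string concatenation with a parameterized query, and shows output escaping as the basic defence against XSS. The in-memory database, its rows and the function names are constructed for this illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data (not from the original post): an in-memory table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def unsafe_lookup(conn, name):
    # Vulnerable pattern: user input is pasted into the SQL text, so any
    # quote character in the input changes the structure of the statement.
    return conn.execute(
        f"SELECT email FROM users WHERE name = '{name}'"
    ).fetchall()


def safe_lookup(conn, name):
    # Hardened pattern: the value travels separately from the SQL text,
    # so the driver treats it strictly as data, never as part of the query.
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks(conn, name):
    # True when the concatenated statement stops being valid SQL; a plain
    # apostrophe in a legitimate surname is enough to trigger this.
    try:
        unsafe_lookup(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting(name):
    # XSS defence: escape untrusted text before embedding it in HTML so the
    # browser displays it instead of executing it.
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(safe_lookup(db, "O'Brien"))               # [('obrien@example.com',)]
    print(unsafe_query_breaks(db, "O'Brien"))       # True
    print(render_greeting("<b>Ana</b>"))            # <p>Hello, &lt;b&gt;Ana&lt;/b&gt;</p>
```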

Methodologies for secure software development

Secure software development methodologies place security at the center of the process. There are different models, conceived by large companies, national organizations and open source communities. At BETWEEN we discuss some of the most notable:

  • S-SDLC (Secure Software Development Life Cycle). It is based on verifying the security requirements throughout the different phases of software construction: analysis, design, development, testing and maintenance. Especially during the first two, since many of the weaknesses of a system are introduced even before programming begins. The keys to the S-SDLC are attention to detail, which favors the immediate identification of vulnerabilities, and continuous improvement.
  • CLASP (Comprehensive Lightweight Application Security Process). An OWASP project that establishes a series of activities, roles and good practices aimed at coordinating the processes of secure software development. OWASP CLASP is organized around five perspectives or views that address the general concepts of the methodology, the distribution of roles, the assessment of the applicable activities, the implementation of these activities, and the list of problems that may lead to the appearance of vulnerabilities.
  • SSDF (Secure Software Development Framework). An initiative of NIST (the National Institute of Standards and Technology of the United States), it provides guidance on raising awareness across the organization about the importance of computer security; protecting commonly used software against hypothetical attacks; orchestrating secure software development; and quickly detecting and fixing any vulnerabilities.

Any misstep can expose personal data or leave software at the mercy of malicious minds. Therefore, it is always essential to keep secure software development techniques in mind, in projects of all kinds (WordPress development, administration and accounting programs, machine controllers, online banking, etc.). If you dedicate yourself professionally to this, at BETWEEN we have a place for you! In our list of vacancies you will find your next job opportunity, do not let it escape!

Tags: computing