The Best Way to Build Secure Software: Start with People
Over the past 10 years, the number of new businesses formed in the U.S. has grown nearly 75%. To shorten their time to market, companies building software-as-a-service (SaaS) applications lean on managed services from cloud providers and on open-source packages. The ease of outsourcing critical infrastructure speeds new solutions to customers, but the reliance on third-party vendors and the compressed development timelines introduce serious security risk: every managed service and every dependency is code and configuration your team did not write but is still accountable for.
Hastily built products and infrastructure are easier for attackers to breach, and a breach can be devastating for a company that is not equipped to detect and contain it. As the constant stream of news stories about the latest business to fall victim shows, breaches and vulnerability exploitation are hitting companies harder today than ever before.
If you are a technical leader at a growing SaaS company, it's critical to understand where your security efforts need to be focused. It is imperative for all companies to establish software teams with the deeply ingrained habit of building secure systems.
The new companies that survive and thrive in the next 10 years will be the ones that build security champions within their teams from day one.
How do savvy engineering leaders make building secure systems a habit for their teams? They start with people.
Start with People: Who Is Your Champion?
Your ultimate goal is team-wide awareness and expertise in cybersecurity, but you'll have more success if you start with an individual or a small group. In one-on-one meetings, take the time to identify people on your team(s) who have a security background or interest. Software engineers love to learn, and nobody wants to see something they built become the entry point for a breach or a ransomware attack. Depending on your team's maturity and funding, you may be in a position to hire a security-focused architect. Either way, once you've identified a champion or two within your team, it's time to move to the next step: building broader awareness.
Getting Broader Buy-In
To start, teams need to know that improving their security knowledge is a long-term and consistent investment by the business. This investment is cheaper than suffering a breach, and exhibiting mature security practices can potentially save the company money on cyber insurance policies.
A few ideas to bolster team-wide awareness:
- Host a lunch-and-learn on the OWASP Top 10: The Open Web Application Security Project (OWASP) is a nonprofit dedicated to improving software security. The OWASP Top 10 identifies common security risks in web applications and is a great starting point for development teams. Divvy up the list among your team and have individuals present on one or more of them. This gives each individual an opportunity to learn security concepts, as well as an opportunity to practice presentation skills.
- Look at old breaches and discuss them in depth: Product development teams stand to learn a great deal by reviewing how other products were compromised. Taking a longer look at how those products failed to build a more secure system can spark interesting and productive conversations within the team. Were any team members affected by a past breach?
- Assign individual labs: Kontra is an excellent interactive resource for engineers to learn the common techniques attackers use to compromise a system. Identify a few labs to start with and have follow-up discussions with the team. Are your own systems vulnerable to any of the weaknesses your team just learned about?
- Enhance your software development workflow: Common advice when introducing change is to meet people where they are, and engineers spend most of their time in their code editor and their continuous integration and deployment systems. With that in mind, there are a number of workflow tweaks that build security into an existing process:
- Automate dependency updates with Dependabot, so known-vulnerable versions of third-party packages are flagged and patched without anyone having to remember to check
- Identify accidentally committed secrets (API keys, cloud credentials, private keys) with a pre-commit hook or a secret-scanning step in CI, before they reach a shared repository
- Log API activity with AWS CloudTrail and alert on suspicious events, such as IAM changes or calls from unexpected regions, so that misuse of a credential is noticed rather than discovered months later
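Of the three workflow tweaks above, the secret-scanning hook is the one most teams end up writing themselves, so here is a worked version. This is an added example, not code from the original article or from any of the tools it names: a small Python pre-commit scanner that pulls the added lines out of the staged git diff and checks each one against a few credential patterns, falling back to a Shannon-entropy heuristic for random-looking strings the patterns miss. The rule set, thresholds, and the sample input at the top are constructed for illustration (the AWS values are the documented `AKIAIOSFODNN7EXAMPLE` placeholders, and the bearer token is a JWT header with a made-up body and signature); a real deployment would tune both against the team's own false positives.

```python
"""Pre-commit secret scanner (added example; rules and sample data are constructed)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Constructed sample of "added lines" as they would appear in a staged diff.
SAMPLE_ADDED_LINES = """\
import os
password = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"
# Lorem ipsum dolor sit amet, consectetur adipiscing elit
"""

# Illustrative rules, not an exhaustive list: (name, compiled regex).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    # "<something>secret<something> = 'value'" style assignments with a literal value of
    # 12+ chars; reading from os.environ does not match because '.' ends the value token.
    ("credential_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)[a-z0-9_]*['\"]?\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9/+=_\-]{12,})")),
]

ENTROPY_MIN_LEN = 32    # only consider tokens this long or longer
ENTROPY_THRESHOLD = 4.0 # bits/char; random base64 of this length scores well above this
TOKEN_RX = re.compile(r"[A-Za-z0-9/+=_\-]{%d,}" % ENTROPY_MIN_LEN)
HEX_RX = re.compile(r"[0-9a-fA-F]+")


def shannon_entropy(s):
    """Bits of entropy per character of s, from its own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text):
    """Return [(line_no, rule_name, snippet)] for each suspicious line of text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = next(((name, rx.search(line)) for name, rx in RULES if rx.search(line)), None)
        if hit:
            findings.append((line_no, hit[0], hit[1].group(0)[:40]))
            continue
        # Entropy fallback for credentials the named rules do not know about.
        # Pure hex (commit SHAs, digests) is skipped: hex caps at 4 bits/char anyway,
        # and those strings are almost never secrets.
        for token in TOKEN_RX.findall(line):
            if HEX_RX.fullmatch(token):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_string", token[:40]))
                break
    return findings


def added_lines_from_diff(diff_text):
    """Keep only the '+' content lines of a unified diff (not the '+++' file header)."""
    return "\n".join(line[1:] for line in diff_text.splitlines()
                     if line.startswith("+") and not line.startswith("+++"))


def scan_staged_changes():
    """Scan what is about to be committed. Reported line numbers count added lines only."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return find_secrets(added_lines_from_diff(diff))


if __name__ == "__main__":
    # `--demo` scans the constructed sample; otherwise run as .git/hooks/pre-commit.
    hits = find_secrets(SAMPLE_ADDED_LINES) if "--demo" in sys.argv else scan_staged_changes()
    for line_no, rule, snippet in hits:
        print(f"added line {line_no}: {rule}: {snippet}")
    sys.exit(1 if hits else 0)
```

Run with `--demo` to see the three expected findings (the AWS key ID, the secret-key assignment, and the bearer token caught only by the entropy check); installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit. Note what it deliberately does not flag: the `os.environ` lookup, and the lorem-ipsum comment. The practical caveat is that a hook like this is a seatbelt, not a substitute for rotating any credential that does land in history, because the secret is compromised the moment it is pushed.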
All of the above shift security to an earlier stage of the software development lifecycle, where the goal is to embed security best practices into the tools and workflows engineers already use. Your product development team wants to build more secure systems, but not at the cost of repetitive manual work. If you start down the cybersecurity path by adding automated checks through a few workflow enhancements, you position your team to develop deeper security instincts without leaving their existing workflows.
If you’re following along, that means you've identified a security champion or two. Your team is aware of the common exploits that can compromise software products. They may have even identified areas of your application architecture that are vulnerable. Their existing tools help them fix security vulnerabilities proactively.
But the landscape changes rapidly. You may patch the worst vulnerabilities today only to learn tomorrow that a new one is being exploited. How do you decide which vulnerabilities get your team's focus? How do you decide which security policy your team should adopt next? Winning companies and technical leaders lean on the expertise of a partner, a security-savvy managed service provider or a cybersecurity company, as their trusted advisor.
Find a Trusted Advisor
Having a security partner in your corner will let you know where to start and where to invest next. A great outcome here means you establish a long-term connection with a security expert. You're looking for a relationship, not a transaction. Your advisor will help you understand what security investments to make over the long run or how to reduce or transfer risk in other ways, such as cyber insurance.
Here are a few questions to ask potential advisors:
- Do you provide a free consultation and risk assessment of my infrastructure and policies?
- How long does a paid risk assessment take to perform?
- How have you helped your customers achieve HIPAA / SOC 2 / ISO 27001 compliance?
- Do you follow a risk framework? How do you track and organize your customers' vulnerabilities?
- Have you helped your customers work through a breach or ransomware attack?
Great partners will be able to provide an initial assessment so you get a feel for how they work. They should follow a well-known risk framework, such as the NIST Cybersecurity Framework, and be able to explain how they prioritize findings within it. If a certification or attestation could make or break an important sales opportunity for your company, it will be helpful to know whether your partner can get you started on that journey and how long the process will take.
Whether you're deep into your security journey or just starting out, it's important to review your team's knowledge and practices. Getting started matters more than getting it perfect. The stakes are higher than ever, and even the most successful companies should expect to be attacked. As ominous as that sounds, the companies that commit to building security champions early will withstand the pressure.