Today the Internet Security of software modules and Applications built from those modules is a crucial requirement to minimize the risk for suffering from attacks. Attacks through the Internet have become rather complex and intelligent and need to be addressed thoroughly. As a response the organisations developing software need to focus right at the start of a development cycle on the analysis of potential risks and Security issues and their product roadmap must cover security improvements over time. The challenge is to not only think about the functions a product should provide but also about the functions the product should deny, when being attacked. Unfortunately it is still common to concentrate development efforts only on functionality and only at a later stage, when a product is used and distributed an attempt is made to fix security issue by providing patches to the users. This type of 'Patch and Pray' strategy is insufficient and inferior to a proper risk analysis from start.
ITXperts support their customers with decades of profound experience in developing complex application and system software, which extends to Cyber Security for modules and software products. Any organisation who want to include Cyber Security at the start of their development cycles should consider and review the following questionable statements:
Time to market and other requirements may lead to a decision to ignore security functions during the initial development cycle. Frequently the first customer version is targeted to find out how the product is accepted and how chances are to sell the product. The risk of an attack is thought to be quite low initially. However, the chance of being attacked is a real issue and believing it might not happen is no good idea, even for the initial version of a product with well restricted features. Only if the product launch is unsuccessful security may never become an issue, but as soon as the product is widely accepted it will be attacked without any doubt.
Most often the software developed includes all essential requirements, but no attempt has been made to include Security strategies or tools to detect attacks and protect against malicious access. Modern "Agile Software Development Methods" attempts to achieve a ready to use implementation. As a consequence there is a trend to leave out any non-functional parts and neglect Security issues. But your software should really provide security and protect the integrity and confidentiality of your client's data. Also, it should be robust and handle any "Denial of Service" (DOS) attacks gracefully. At a very early phase you should rule out that even light attacks can cause CPU or memory or network load and lead to congestions or bottle-necks. In short , your software needs to be aware of all well-known and frequent attacks.
This addresses a Security 'Management' technique which essentially applies security fixes to a software after an attack has taken place. Such a strategy refers to the above mentioned practice of "features over security" and this is not the way your software should be built. Clearly, you do not know if the very first "strike" is fatal to your software and your customers.
In client-server implementations the server may never trust the responses and announcement of their clients. Clients can be replaced by malicious software and cause distruction.
Never trust a mobile client, never believe that a web client is sending
Build heavy duty, robust server security methods and don't believe that you know all about the behaviour of the client, even when the (true) client was built by your team.
Despite the fact that many organisations already provide an internal structure to take care of Cyber Security and although there may be a number of responsible persons on different levels of the organisation, as it happens there is still quite often confusion about who should controls a product's development cycle.
As mentioned earlier on, the aim is not only to provide the required function set but also to rule out that any hidden functions can be activated. To achieve this the supplier need to know how a customer may use the software, at a first stage and later on, in a always changing environment with new usage pattern. A number of questions need to be considered
Internet Security should be taken into account right from the start of the development process.
Integeratio of Cyber Security at the early stage of the software development is key to insure that the software can only be used
as per the specification.
Jointly with her core theme, Security as part of the software and product development, ITXperts offers further Services options to their customers: