Security concerns are often dealt with as an afterthought: the focus is on building a product, and security features or compensating controls are bolted on when the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on changes that make the product less user friendly or that conflict with performance goals and other business demands. But security doesn't need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard, well-reviewed cryptographic libraries rather than writing your own, and protecting against injection attacks, insecure deserialization, and other common vulnerability classes. You'll learn which secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to keep your application up to date, especially its third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It's important to feed what you learn about how customers actually use the product, along with any security incidents, back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Wendy Knox Everette is a senior security advisor at Leviathan Security Group. She has more than 15 years of experience as a software developer, software quality assurance engineer, and information security professional. She’s been involved in all aspects of the system development lifecycle (SDLC) from requirements definition through implementation and operation as well as compliance gap analysis and risk assessment. As an information security consultant, she’s guided clients through FedRAMP, DISA SRG, and HIPAA/HITRUST audits, along with assisting both technical and nontechnical personnel to meet the challenges of regulatory compliance. She regularly develops secure development training sessions for clients and advises on all stages of application security and incident response. Wendy is a Certified Information Systems Security Professional (CISSP) and is admitted to the practice of law in Washington State and the District of Columbia. Wendy graduated with honors from the George Mason School of Law with a concentration in national security law. She’s spoken at a variety of security conferences, including Black Hat, ShmooCon, BSides Las Vegas, the DEF CON SkyTalks, and DEF CON’s Crypto and Privacy Village.
©2019, O'Reilly Media, Inc.