It’s incredible to think that barely 20 years ago we thought of intelligent devices as a distant dream, and today everything from smartphones and watches to refrigerators and even doors has a CPU and shares information on the net. But, hey, we live in the world of the Internet of Things, so you might as well get used to it.
This level of interconnectivity has transformed our lives, in many ways for the better and some for the worse. One of the new challenges of the digital world is that connectivity can be exploited, and information or systems that are meant to be private can be hijacked or stolen. You could say that for each door in our network there is a backdoor waiting to be found.
To be fair, hackers aren’t particularly new, and finding bugs that can be exploited is a practice as old as the first computer.
But it’s undeniable that there has been an increase in cybercrime. One of the first studies on the subject predicted that by 2025 cybercrime would account for over 10 trillion dollars in losses worldwide – and so far the prediction has been too close for comfort.
What’s more, with the surge in popularity of remote work, companies have to rely on connectivity to stay competitive in the current market. As such, it’s paramount that their information and systems are safeguarded from intrusion, and that’s where security by design comes into the picture.
Two approaches to cybersecurity
Imagine that someone breaks into your house and steals some valuables in the middle of the night. The next day you realize that someone jimmied the lock to your front door, so you decide to hire a locksmith to reinforce it with a stronger lock.
In this scenario, your awareness of your security is triggered by the fact that someone exploited a vulnerability in your security system. Up until that point, your door had been perfectly serviceable, so there was no reason to doubt its efficacy.
Now, trade your house for one of your company’s systems, the lock for a security protocol, and the locksmith for a cybersecurity consultant and you have in your hands what we call “reactive cybersecurity”.
It’s reactive in the sense that whatever changes you make to your system are made in response to an attack by an outside agent. This is what commonly happens when a company realizes that there has been a data leak because they find evidence of their databases posted on the web.
In contrast, proactive cybersecurity is the philosophy that security should be at the front and center of your development process, and that an important part of testing your project is trying to find vulnerabilities and exploits that could lead to security breaches.
No matter how thorough you are when you build software, there is always a possibility that an exploit might be found down the line. It can be anything: a bad line of code, a slip in the architecture, a bug in an imported library, or a backdoor in the original code, like what happened with PHP.net.
In other words, no amount of proactive security will guarantee an ironclad product, but it’s undeniable that having a good security methodology will minimize the risks considerably.
Designing for safety
Security-by-design is an approach to software development that integrates cybersecurity best practices throughout the development life cycle. It’s proactive cybersecurity at its best, embracing the idea that designing and updating your security systems is a process that never ends.
At the core of this approach lies the idea of continuous development. It implies that with each step in the development process new systems are implemented and old systems are continuously tested. Much like agile, you want to fail hard, and fail fast. The sooner an exploit is found the faster it can be patched.
If the idea is to minimize mistakes that compromise your security, then you need a set of guidelines and practices that help developers avoid those mistakes and find them when one inevitably slips through the cracks. Here are a few examples of how to adopt security-by-design:
Use trusted technology: It’s hard to resist the urge to use the latest trend in our development process, but there is a reason why banks and governments are extremely slow in updating their systems: they rely on trusted technology that has withstood the test of time.
“Trusted” doesn’t necessarily mean old, mind you. The longer something is on the market and the more popular it is, the higher the odds of it catching the attention of cybercriminals. In this sense, by trusted we mean technology that has been tried and true, whose owners are open about their security practices, and which your team knows inside out.
Train your team: A team of developers who are aware of threats and exploits found in similar projects will be more careful while creating software. Also, many creative and very talented developers lack knowledge of security practices. As such, teaching them strategies like the OWASP SbD principles is a gain for them as professionals and for your business.
Privacy front and center: GDPR changed the landscape of software development and has brought a more conscious approach to handling personal data. A good practice is to start from the idea that personal data is private and build your security around that notion.
Create security checks for accessing and sharing personal data, make sure that the database is as isolated as possible, and keep access to a minimum.
AI and manual checks: Do routine checks on your code, testing for possible vulnerabilities. There are great tools out there that can check code for bugs and exploits. Another approach is to have both internal testing and security consultants going over the project to try to find possible security risks.
Good design practices: Spaghetti code, legacy technology, and technical debt make projects harder to maintain and to patch when a security breach is found. Keeping your project clean and organized helps developers spot possible threats and patch whatever vulnerabilities are found down the line.
Why do you need security-by-design?
Patching a security risk is a lot easier and cheaper under controlled conditions, when your development team can take the time to try out different solutions and tweak them as needed until they are satisfied. That is quite a different environment from one in which the team has to hastily patch a breach that may endanger your information and incur losses.
It’s also easier to implement security checks and protocols as you go than to wait until the end of development and then retroactively change the code when a risk is found. In the end, security-by-design leads to faster design times and more robust solutions, which is one of the best ways we have to deal with cyber threats today.