Securing digital systems is a complex, multi-layered and ever-evolving area. Much gets written about the use of strong passwords, two-factor authentication, encryption and the like. All of these form important pieces of the puzzle, and are relatively straightforward to cover off as part of a security checklist for development teams.
The bigger challenge is when it comes to protecting against less-obvious or even unknown threats. Here, there’s no silver bullet. Instead, digital delivery organisations need to instil a security-conscious culture, coupled with an ethos of openness, collaboration and continual improvement. This will put those building and running digital products and services in the best-possible position to protect their data and their users. Below, we outline five techniques to help build and maintain the right security focus.
Keep knowledge current
Like any aspect of technology, the security landscape evolves at breakneck speed. It’s therefore important for teams to keep their knowledge up-to-date. Alongside formal training, encourage team members to read up on and share security news and understanding about modern attack vectors. There are many great security-focused blogs and mailing lists out there. Encourage technical discussion and sharing, on Slack, forums, or even through regular ‘lunch and learn’ sessions.
In addition, organisations can complement their own teams’ knowledge with that of external specialists, to add security perspective from their peers and other sectors. External specialists should also be hired for security reviews and penetration testing of critical systems.
Use security checklists as conversation-starters
The aforementioned security checklists are a valuable part of development and test teams’ security toolboxes. However, these lists should be seen as more than just checkbox exercises. Structure the checklist to be conversation-starter material that feeds into a security brainstorm. This can be structured as a threat-modelling exercise. The session should seek to identify as many ways as possible in which the application could be compromised, the likelihood of each event, the impacts of a compromise, and proposed mitigations.
To maximise the value these security brainstorms provide, broaden the attendance beyond the development team. If the organisation has multiple digital projects running simultaneously, it should be common practice for individuals from different teams to sit in on others’ security brainstorms. Equally, external security consultants can add a lot of value to these sessions.
Having a diversity of viewpoints is key when it comes to unearthing potential attack routes that may otherwise not have been identified, or considered relevant.
Beyond the wider security brainstorms, individuals working on a project should be regularly sense-checking ideas with colleagues as they go. This is important at design time and at implementation time, and at both an architectural and a ticket scale. This can be part of a formal process (e.g. architecture review or code review) or an ad hoc exercise. Questions that can be considered include: Could architecting or coding something in a certain way compromise security? Could a colleague try to hack one of the test environments? How might that colleague go about accessing data in a particular database?
Culture of honesty
Even the best digital delivery professionals can make mistakes that put the security of an application or its data at risk, or produce something in a way that’s later found to be insecure.
When this happens, the most important thing is to address the vulnerability as quickly as possible. However, if people are worried that owning up to an error will see them punished, they’re less likely to notify anyone, leaving the application and its users vulnerable. It’s therefore important to instil a culture where people feel encouraged to admit mistakes. Team leaders and company management should lead by example, admitting their own mistakes, and nurture a culture where blaming is shunned.
When issues arise, root cause analyses are important to work out what went wrong, and what should be changed to prevent recurrence of issues, but these should be focused on analysis, and not on blame.
Understand the bigger picture
Applications don’t operate in isolation – they form part of wider business processes. Components can theoretically be secure in isolation, but issues can arise at interfaces between components, and with the complexities of people and the real world. This can introduce attack vectors that may not immediately be obvious, such as vulnerabilities to phishing or other types of social engineering.
Those developing a digital product therefore need to understand the wider process in which it will operate, so they can explore how it might be vulnerable.
The need for a holistic approach to security
As cyberattacks become increasingly sophisticated, it’s getting harder to protect against them. Security checklists on their own aren’t enough. Instead, organisations developing and maintaining digital systems need to tackle the issue holistically, first and foremost by nurturing the right culture and values. By ensuring their employees are supported, encouraged to share knowledge, ask questions and admit mistakes – and ensuring their tech suppliers do the same – organisations will have the foundations that enable them to keep their software and data secure, now and into the future.