Article exclusively for isaca-gwdc.org written by Jennifer Valine.
Cybersecurity should be a top priority for everyone. It has been estimated that cybercrime could cost the world at least $6 trillion by the end of 2021, affecting companies and individuals alike. Most employees receive some form of security awareness training at work, such as how to recognize phishing attempts and why to avoid public Wi-Fi, but awareness alone is not enough to prevent hacks or breaches. The first step in preventing a cybersecurity disaster actually lies in how software is built.
The Software Development Life Cycle
The software development life cycle (SDLC) consists of six main phases: analysis, planning, design, development, testing, and deployment. Skilled professionals are needed at every stage. It is crucial to work with software professionals who are trained not only in the basics of software design and development but also in specialized areas such as cybersecurity.
Thanks to the rise in remote learning, these professionals have more access than ever to courses and training programs that help them upskill. Colleges and universities offer quality online courses and programs that give professionals the opportunity to broaden their knowledge of computer science. Today's online software development programs guide students through advanced software creation, helping them become proficient in every aspect of development, from architecture to security. Many go on to become software consultants, whom you can hire separately to verify that your software solutions are working at their best. Investing resources at this stage is important: discovering major security issues after the software has already been deployed costs far more and can have a severely detrimental impact on your entire business.
A major improvement a professional can make to an SDLC is to turn it into a secure SDLC (SSDLC). In an SSDLC, security is integrated into every phase rather than bolted on at the end, so that security issues are detected and fixed as early as possible, when they are cheapest to correct. This includes running automated application security testing tools against the software. Static application security testing (SAST) tools analyze source code or compiled binaries without executing them, flagging insecure patterns such as untrusted input flowing into a database query or a shell command; dynamic application security testing (DAST) tools probe the running application for exploitable behavior instead. Covering these bases while the software is being developed means fewer problems and maintenance issues once it has been deployed.
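To make concrete what "analyzing code without executing it" means, here is a toy static analyzer written for this article as an added example; it is not code from the original page or from any real SAST product. It walks the Python abstract syntax tree of a constructed sample (`SAMPLE_SOURCE`, embedded as a string so nothing is run) and applies three simple rules: `subprocess` calls with `shell=True`, any use of `eval`/`exec`, and database `execute()` calls whose query is assembled with `%`, `+` or an f-string. The rule names and the sample code are hypothetical.

```python
"""Toy SAST scanner (added example): flags a few insecure Python patterns by
inspecting the syntax tree, without ever executing the code under review."""
import ast

# Constructed sample of code under review. It is deliberately insecure in places
# so the scanner has something to find; the comments mark what each line does.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    subprocess.call("ls " + cmd, shell=True)                    # command injection

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)  # SQL injection
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # parameterized: ok

def calc(expr):
    return eval(expr)                                           # arbitrary code execution
'''


def _call_name(node):
    """Return the dotted name a Call targets, e.g. 'subprocess.call' or 'eval',
    or None when the target is not a plain name/attribute chain."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan(source):
    """Parse `source` and return a sorted list of (line_number, rule_id) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        # Rule 1: subprocess.* invoked with shell=True lets input reach a shell.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append((node.lineno, "subprocess-shell-true"))
        # Rule 2: eval/exec execute whatever string they are handed.
        if name in ("eval", "exec"):
            findings.append((node.lineno, "dangerous-eval"))
        # Rule 3: a DB execute() whose query text is built by %, + or an f-string
        # instead of being passed as a constant with bound parameters.
        if name.endswith(".execute") and node.args:
            query = node.args[0]
            if isinstance(query, ast.JoinedStr) or (
                isinstance(query, ast.BinOp) and isinstance(query.op, (ast.Mod, ast.Add))
            ):
                findings.append((node.lineno, "sql-string-formatting"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

Running it reports the `shell=True` call, the `%`-formatted query and the `eval`, while the parameterized `execute()` on the following line passes. Real SAST tools track data flow across functions and files and ship hundreds of rules, but the principle is the same: the verdict comes from the code's structure, not from watching traffic or a running server.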
Other Necessary Steps
There are also steps you can take to minimize the risks your tools might otherwise detect, such as generating secure session IDs. A long, randomly generated ID is preferable to a short ID built from descriptive values such as a username or a counter, because a predictable ID makes it easy for an attacker to guess or enumerate other users' sessions. Making data encryption the norm, in transit and at rest, strengthens your data security measures and prevents cybercriminals from using any data they do manage to steal.
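The session ID point is easy to demonstrate. The following is an added example written for this article, not code from the original page: a weak, descriptive scheme (`weak_session_id`, a username plus a four-digit counter) beside a strong one built on Python's `secrets` module, a comparison of how many guesses each forces on an attacker, and an attacker-side routine that, given a single observed weak ID, enumerates the neighbouring IDs against a constructed session table. The username, counter format and store layout are all assumptions made for the demo.

```python
"""Session identifiers (added example): a guessable scheme next to a properly
random one, and a demonstration of why the guessable one is a problem."""
import secrets


def weak_session_id(username, counter):
    """Weak: descriptive and sequential. Only the counter varies, and it has
    four decimal digits, so an attacker who knows the username faces 10**4
    candidates no matter how long the string looks."""
    return f"sess-{username}-{counter:04d}"


def strong_session_id(nbytes=32):
    """Strong: 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64
    encoded (43 characters), carrying no user or ordering information."""
    return secrets.token_urlsafe(nbytes)


def guess_space(scheme, nbytes=32):
    """Number of distinct IDs an attacker would have to search through."""
    if scheme == "weak":
        return 10 ** 4               # the counter is the only variable part
    if scheme == "strong":
        return 2 ** (nbytes * 8)     # 2**256 for the default size
    raise ValueError(scheme)


def expected_guesses(space, live_sessions):
    """Rough number of blind guesses needed to hit one of `live_sessions`
    valid IDs drawn from a space of `space` possibilities."""
    return space // live_sessions


def build_store(username, n_sessions, weak=True):
    """Constructed server-side session table (session id -> user) for the demo."""
    store = {}
    for i in range(n_sessions):
        sid = weak_session_id(username, 1000 + i) if weak else strong_session_id()
        store[sid] = username
    return store


def enumerate_weak_sessions(store, observed_id, window=50):
    """Attacker view: starting from one observed weak ID, try the counters on
    either side of it and return every candidate that is a live session."""
    prefix, counter = observed_id.rsplit("-", 1)
    start = max(0, int(counter) - window)
    hits = []
    for c in range(start, int(counter) + window):
        candidate = f"{prefix}-{c:04d}"
        if candidate in store:
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    store = build_store("alice", 5)
    observed = weak_session_id("alice", 1002)       # one ID the attacker saw, e.g. in a log
    print("other live sessions found from it:", enumerate_weak_sessions(store, observed))
    for scheme in ("weak", "strong"):
        print(scheme, "guesses to hit a live session (5 live):",
              expected_guesses(guess_space(scheme), 5))
    print("example strong id:", strong_session_id())
```

With five live sessions, the weak scheme falls to a couple of thousand guesses, and a single leaked ID reveals every other session for that user; the strong scheme needs on the order of 2**253 guesses, which is infeasible. The generator matters more than any validation rule: a long ID assembled from predictable parts passes a length check and is still enumerable.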
After the deployment phase, you should return to the analysis phase and begin the cycle again. Feedback from users helps here, as do alerts from software composition analysis (SCA) tools, which inventory the third-party components your software depends on and flag those with known vulnerabilities or incompatible licenses. Because new vulnerabilities in such components are disclosed continuously, it is important to keep your systems and their dependencies patched and up to date.
Another smart cybersecurity practice is to educate and train users in using the software securely rather than simply getting them to buy it. You should also monitor usage so that you can check whether users are following good security practices and watch for suspicious activity such as user impersonation.
Ensuring cybersecurity practices before, during, and after software development may require significant resources. However, it will cost you and your users less in the long run, because you will be able to protect your data and other assets.
Kenneth joined ISACA in 2013 and presently serves as the GWDC Communications Director. He holds the CISM, CISA, PMP, CIPP/G, and AWS CCP.