Posted by Sneha Kokil on October 10, 2016
The all-too-prevalent attacks against large organizations are often those that you’ll see pop up on the news. However, attackers aren’t neglecting small and medium-sized businesses (SMBs). That’s why every organization, irrespective of its size, needs software security. Wondering how to kick-start a robust software security implementation for your start-up? Here, I’ll discuss several essential factors that SMBs should consider when designing a successful security program.
When it comes to designing a full-blown security program, large organizations differ in various ways when compared to SMBs. Here are some of the key considerations that usually contribute to the distinction between the two.
It all boils down to dollars when adding any new key infrastructure. Most of the budget for software security infrastructure involves purchasing tools, servers, hiring a specialized workforce, building robust architecture, streamlining security processes, and training developers to build security into their code. Some of these activities are one-time costs, while others are recurring. Large organizations have more funds allocated to performing these activities. SMBs, on the other hand, are usually tighter on funds and have to use available money judiciously.
The monetary consideration affects tools used to implement software security. Classes of tools such as static analysis tools, dynamic analysis tools, continuous integration tools, firewalls, and anti-malware software come in commercial and open source varieties. Commercial tools imply spending part of the budget. As such, achieving balance between security requirements and funds is trickier for SMBs in comparison to large organizations.
Virtually every type of business is responsible for meeting certain regulatory requirements. Depending on the industry and business type, organizations likely need to regulate risk and vulnerability assessments, data security, and incident responses. Large organizations tend to use formal standards such as ISO 27001 to design and measure their security requirements. Due to the expensive nature of ISO 27001 implementation, SMBs prefer not to base their security requirements off of such standards.
Given the size of SMBs, having a sufficient number of appropriately skilled people required for security implementations makes workforce one of the top concerns. In SMBs, one person may play multiple roles. However, large organizations can often afford to hire people with desired skillsets and designate them to exclusive roles and responsibilities. As such, building security-focused and security-skilled teams is more challenging for SMBs.
In many cases, large organizations provide their employees with company-issued laptops or desktops. Even other electronic devices, such as hard-drives, pen drives, memory and data cards, and mobile devices are properly vetted by the company. Additionally, large organizations require employees to abide by policies around the use of these devices and maintain employee devices when necessary.
On the other hand, many SMBs allow their employees to use personal electronics for carrying out daily job duties. While it offers more flexibility to the staff and lowers infrastructure costs to the company, SMBs struggle to maintain security in coordination with a BYOD approach.
Security awareness should heavily impact people and their attitude towards security. In many companies, security is considered to be the IT department’s job. However, in reality it is everyone’s responsibility. All staff, especially developers and project management teams, must understand that disabling security programs and controls to get a job done faster makes applications vulnerable.
How can you spread the word about security awareness? Training, of course. However, security awareness training programs may not be plausible will all budgets. There are alternate ways to obtain security awareness. SMBs can follow a cost-effective, successful internal training plan built around focused guidelines for topics such as:
SMBs can also tailor their internal security awareness training by referring to NIST SP 800-50 which has templates and guides for designing the program. In addition, purchasing a reasonably priced Web-based course can help to outline the training program.
Since SMBs seldom go for full-blown security assessments (involving comprehensive tests for all possible vulnerabilities or code problems), it is important to pinpoint focus areas for a set of applications. Achieve this by performing a risk analysis of the overall application architecture. The outcome from the analysis helps you to figure out the most likely attack vectors. It allows SMBs to prioritize vulnerability areas they care about the most. These focus areas then become the basis for cost-effective security assessments.
Mitigate the impacts of external attacks on applications by making them secure from within. Achieve this by mandating developers to follow secure coding best practices. While SMBs might not be able to opt for a comprehensive code review by a security expert, it always helps to carry out peer code reviews against a secure coding checklist.
Documentation on secure coding guidelines for many popular platforms, such as Java and .NET, is available over the Internet. Use these guidelines and take application risk analysis into account. Also, develop a custom checklist within the organization. SMBs can work towards building security in with the help of this checklist.
Many commercial security tools are expensive. As an alternative, there are a handful of open source tools that produce extremely useful results when used to analyze application source code and perform penetration tests. Some benefits of open source tools include:
Vulnerable software is often an easy entry point into the entire organizational network. The vulnerabilities published for software are also accompanied by ready to use exploits and possibly tools. This makes an attacker’s job even easier. For all systems (e.g., laptops, mobile devices, personal devices) used by employees for work purposes, patching software from time to time and keeping configuration up to date are critically important steps to thwart exploit attempts on old software versions.
Additionally, SMBs need to refine BYOD policies by adding sections that describe a proper state of an employee’s device. Build a strict policy around the use of approved software versions and a process to keep them up to date.
While working to build secure applications, it is also important to safeguard the network perimeter. Lacking or insufficient perimeter security is one of the reasons why SMBs become highly favorable targets.
The network perimeter can be secured via firewall configuration to allow connections only from trusted sources. Web traffic on the company network must be filtered and cleaned up before it reaches end users. Web filters can be deployed on company gateways. For small businesses, install a security suite with real-time scanning feature on each computer that connects to the outside world.
Information leakage is often the result of an attack on an organization. While various types of attacks contribute to data leakage indirectly, loss or theft of employee devices and unauthorized access to company infrastructure are the two direct attacks.
The following measures can help you start to minimize or stop the effects of information leakage:
The key for SMBs is that in spite of many challenges, designing and implementing a well-formed security program is crucial for every business. The essentials described here should inspire you to kick-start your software security initiative and successfully protect your business.
Get the latest Software Integrity news, thought leadership, and more.