Software Security

The all-too-prevalent attacks against large organizations are often those that you’ll see pop up on the news. However, attackers aren’t neglecting small and medium-sized businesses (SMBs). That’s why every organization, irrespective of its size, needs software security. Wondering how to kick-start a robust software security implementation for your start-up? Here, I’ll discuss several essential factors that SMBs should consider when designing a successful security program.

How are SMBs different than large organizations?

When it comes to designing a full-blown security program, large organizations differ in various ways when compared to SMBs. Here are some of the key considerations that usually contribute to the distinction between the two.

It’s all about the budget.

It all boils down to dollars when adding any new key infrastructure. Most of the budget for software security infrastructure involves purchasing tools, servers, hiring a specialized workforce, building robust architecture, streamlining security processes, and training developers to build security into their code. Some of these activities are one-time costs, while others are recurring. Large organizations have more funds allocated to performing these activities. SMBs, on the other hand, are usually tighter on funds and have to use available money judiciously.

Tools in the belt.

The monetary consideration affects tools used to implement software security. Classes of tools such as static analysis tools, dynamic analysis tools, continuous integration tools, firewalls, and anti-malware software come in commercial and open source varieties. Commercial tools imply spending part of the budget. As such, achieving balance between security requirements and funds is trickier for SMBs in comparison to large organizations.

Compliance and regulations.

Virtually every type of business is responsible for meeting certain regulatory requirements. Depending on the industry and business type, organizations likely need to regulate risk and vulnerability assessments, data security, and incident responses. Large organizations tend to use formal standards such as ISO 27001 to design and measure their security requirements. Due to the expensive nature of ISO 27001 implementation, SMBs prefer not to base their security requirements off of such standards.

Workforce.

Given the size of SMBs, having a sufficient number of appropriately skilled people required for security implementations makes workforce one of the top concerns. In SMBs, one person may play multiple roles. However, large organizations can often afford to hire people with desired skillsets and designate them to exclusive roles and responsibilities. As such, building security-focused and security-skilled teams is more challenging for SMBs.

Bring your own device (BYOD).

In many cases, large organizations provide their employees with company-issued laptops or desktops. Even other electronic devices, such as hard-drives, pen drives, memory and data cards, and mobile devices are properly vetted by the company. Additionally, large organizations require employees to abide by policies around the use of these devices and maintain employee devices when necessary.

On the other hand, many SMBs allow their employees to use personal electronics for carrying out daily job duties. While it offers more flexibility to the staff and lowers infrastructure costs to the company, SMBs struggle to maintain security in coordination with a BYOD approach.

Why should everyone feel responsible for security?

Security awareness should heavily impact people and their attitude towards security. In many companies, security is considered to be the IT department’s job. However, in reality it is everyone’s responsibility. All staff, especially developers and project management teams, must understand that disabling security programs and controls to get a job done faster makes applications vulnerable.

How can you spread the word about security awareness? Training, of course. However, security awareness training programs may not be plausible will all budgets. There are alternate ways to obtain security awareness. SMBs can follow a cost-effective, successful internal training plan built around focused guidelines for topics such as:

• Handling user IDs and passwords.
• Internet and email usage.
• Secure usage of electronic devices.
• Social engineering attack methods.
• Incident response policy.

SMBs can also tailor their internal security awareness training by referring to NIST SP 800-50 which has templates and guides for designing the program. In addition, purchasing a reasonably priced Web-based course can help to outline the training program.

Are you establishing focus areas?

Since SMBs seldom go for full-blown security assessments (involving comprehensive tests for all possible vulnerabilities or code problems), it is important to pinpoint focus areas for a set of applications. Achieve this by performing a risk analysis of the overall application architecture. The outcome from the analysis helps you to figure out the most likely attack vectors. It allows SMBs to prioritize vulnerability areas they care about the most. These focus areas then become the basis for cost-effective security assessments.

Are you training employees to build security in?

Mitigate the impacts of external attacks on applications by making them secure from within. Achieve this by mandating developers to follow secure coding best practices. While SMBs might not be able to opt for a comprehensive code review by a security expert, it always helps to carry out peer code reviews against a secure coding checklist.

Documentation on secure coding guidelines for many popular platforms, such as Java and .NET, is available over the Internet. Use these guidelines and take application risk analysis into account. Also, develop a custom checklist within the organization. SMBs can work towards building security in with the help of this checklist.

Should you utilize open source tools?

Many commercial security tools are expensive. As an alternative, there are a handful of open source tools that produce extremely useful results when used to analyze application source code and perform penetration tests. Some benefits of open source tools include:

• Easy setup and (usually) sufficient documentation.
• Customization provisions, depending on focus areas identified in risk analysis activities.
• Many open source tools can integrate with multiple build systems in use within a SMB.
• Easily consumable results/reports by any other utility. For example, many open source tools produce a XML or CSV formatted report.

Are you keeping systems up to date?

Vulnerable software is often an easy entry point into the entire organizational network. The vulnerabilities published for software are also accompanied by ready to use exploits and possibly tools. This makes an attacker’s job even easier. For all systems (e.g., laptops, mobile devices, personal devices) used by employees for work purposes, patching software from time to time and keeping configuration up to date are critically important steps to thwart exploit attempts on old software versions.

Additionally, SMBs need to refine BYOD policies by adding sections that describe a proper state of an employee’s device. Build a strict policy around the use of approved software versions and a process to keep them up to date.

Is securing the perimeter still important?

While working to build secure applications, it is also important to safeguard the network perimeter. Lacking or insufficient perimeter security is one of the reasons why SMBs become highly favorable targets.

The network perimeter can be secured via firewall configuration to allow connections only from trusted sources. Web traffic on the company network must be filtered and cleaned up before it reaches end users. Web filters can be deployed on company gateways. For small businesses, install a security suite with real-time scanning feature on each computer that connects to the outside world.

Is it important to protect data at rest?

Information leakage is often the result of an attack on an organization. While various types of attacks contribute to data leakage indirectly, loss or theft of employee devices and unauthorized access to company infrastructure are the two direct attacks.

The following measures can help you start to minimize or stop the effects of information leakage:

• Email and Web filters should verify that no personally identifiable information (PII) leaves the company.
• Build policies around information accessible from outside the network, versus what should strictly remain within the organization perimeter.
• Employee laptops should have power-on passwords and/or BIOS passwords. This helps ensure that the TPM chips encrypt all data stored on the laptop without the fear of being bypassed.
• Email and VPN access on any employee device must have a prerequisite to make the device password-protected. This is especially useful in the case of BYOD.
• All on-premise data servers must have encrypted storage policy. Additionally, they must be physically protected.

Bringing everything together.

The key for SMBs is that in spite of many challenges, designing and implementing a well-formed security program is crucial for every business. The essentials described here should inspire you to kick-start your software security initiative and successfully protect your business.

What do you need to launch your software security initiative?