Secure by design' sounds good - but how can you be sure?

'Secure by design' is becoming a mainstream approach to ensuring software system security. Assuring that security involves making security testing part of the software development approach. Here, NashTech Security Consultant Hien Trinh discusses the practicalities of security testing and looks at how NashTech incorporates it into modern software development methods.

In software engineering 'secure by design' means that the software has been designed to be secure from the foundations up. Secure by design is becoming a mainstream development approach to ensure the security and privacy of software systems. But to be certain that the security built in to a software design is effective, you have to carry out security testing that's aligned to the software development approach.

Where does security testing come in software testing?

Functional testing of software is based on a variety of elements such as risks, requirements, use cases and models. Security testing is based on the security aspects of those elements, but additionally aims to verify and validate security risks, security procedures and policies, attacker behaviour and known security vulnerabilities.

So the traditional approach of simply making application security testing a checkpoint before deployment doesn't really hold water. That's because it's difficult to address vulnerabilities and weaknesses discovered during the analysis and testing process in a timely and cost-effective way.

Of course, security testing can't guarantee that a software system or the organization using it will be safe from attack. What it can do, however, is help to identify the risks and evaluate the effectiveness of existing security defences.

Taking a holistic view

People, process and technology are often regarded as an 'iron triangle' that delivers a complete IT solution. All three areas will have an impact on the overall IT delivery - including on security:

• People. Each person has different skill levels, attitudes and agendas, all of which will influence how security impacts on them, and how they impact on the effectiveness of security controls. That's why it's important to ensure everyone is sufficiently aware of and educated about security.
• Process. Processes define how IT services, including security-related services, are delivered. In a security context, processes include the procedures and standards put in place to protect valuable assets. To be effective, processes must be defined, up to date and consistent, and must follow best practices for security.
• Technology. Technology encompasses the facilities, equipment, hardware, and software that automate or support an organisation. Technology helps people to carry out repetitive jobs faster and with fewer errors than if performed manually. The risk is that, used incorrectly, technology simply helps people make mistakes faster.

Security testing throughout the software development lifecycle

At NashTech we take security considerations into account throughout the entire software development lifecycle (SDLC) to ensure security requirements are implemented. That's why security testing is embedded in all lifecycle phases.

We use different methodologies and techniques (reviews, analyses and tests) to assure security in each phase, as the mapping below describes.

Requirements analysis

• Understand and analyse the business requirements, security goals, and objectives in terms of the organisation's security compliance.
• Agree on the security standard and best practices to apply to the project.
• Review security requirements and abuse/misuse cases.

Architecture design

• Review the standard technologies and frameworks to be used in the application.
• Consider the security risks in using standard technologies and frameworks, and adjust if required.
• Review and follow suitable security design principles for the project.

Coding and unit testing

Use a list of secure coding practices during the code review to determine if developers and the software itself are following established security methods and best practices.

System testing

• Perform security tests in an approximation of the final target environment.
• Test that security requirements have been implemented correctly from a system perspective by a penetration test.

User acceptance testing

Validate that the system meets users' needs in real-world conditions. This includes ensuring that security requirements have been implemented and met correctly. By this phase, most security testing should have already been performed, but there will still be opportunities to test security scenarios that occur at the business process level.

Deployment

Check the configuration to confirm that security configurations are correct in the target environment.

Maintenance

Have an expert carry out penetration testing, vulnerability scanning, and impact analysis of patches. The focus is on testing changes made to correct defects and add functionality to ensure no new vulnerabilities have been introduced to the system.

It's not just 'one and done'

One important thing to bear in mind is that a security risk assessment is only a snapshot at a given point in time. New threats emerge daily, which means security risks change all the time within an organisation and for any given project. Applications change over time as well.

Security risk assessments should therefore be carried out at regular intervals, which will vary according to the project and the degree of change it experiences.

How NashTech can help

Security is a critical aspect of modern applications development. The experience we've gained working on many successful client projects over time has given us insight into what's needed to deliver secure, high-performance software.

We use the OWASP Top 10 as the core of our security testing standard. And because not all security standards apply to all situations, we make sure we understand the unique requirements of each project and client, and tailor our approach to suit them.

Ready to know more?

To learn more about our Software Testing Services, email info@nashtechglobal.com and a member of the team will be in touch.