For most, the hectic ride of a start-up or a scale-up does not provide the time to build systems and processes properly. The same can be considered for an application security program. As you juggle between building the product and supporting new clients, there is very little time to properly educate your developers on secure coding. Instead, you might find yourself running ad hoc and random security tasks just to support particular clients or certain compliance mandates. It’s like ‘Application Security Whack-A-Mole.’​

KEY SUBJECTS

Throughout this guide, we will cover the best practices of typical application secure coding and we’ll identify how to implement these strategies into your development team. Planning ahead and consistent evaluation allows for a more strategic and thoughtful application security program with more favourable timeframes and budget requirements.​

Here at Software Secured, we have collected the information in this guide through a decade of working with start-ups and scale-ups. We hope that the information provided will help to bring your company to the next level in application security to support your growth and maximize your exit.​ Please reach out if you have any questions.

Secure coding and security management are the essentials that businesses of all sizes should have in their cybersecurity strategy. They detail security processes you can even include before you develop a single line of code. In Chapter 1, the focus will be on why secure coding is important, and determining who plays a role in your Information Security management.​

​

Why is secure coding crucial in software development? The adoption of secure coding practices is important because it removes commonly exploited software vulnerabilities and prevents cyberattacks from happening. Moreover, optimizing for security from the start helps reduce long-term costs which may arise if an exploit results in the leak of sensitive information of users.

Despite the importance of coding in a secure manner, software vulnerabilities are rampant. A search using the National Institute of Standards and Technology (NIST) vulnerability list shows that there have been 40,569 application vulnerabilities in the last three years alone.

Secure coding practices entail writing code in a way that will prevent potential security vulnerabilities. This includes maintaining both your source code and any third-party libraries in a secure state. Secure coding for developers has large benefits in multiple areas of security, including compliance. There are many compliance frameworks that organizations may be obliged to comply with and adhere to within their organizations lifetime. Secure coding helps to implement best practices and a strong security foundation, which helps with becoming compliant with international and regional cybersecurity regulations and laws. ​

Two major compliance frameworks that help organizations meet a high level of confidence in people, processes, and technologies are SOC 2 and ISO 27001. Even if SOC 2 or ISO 27001 is not required or used by your business, most organizations are heavily migrating data to the cloud and using cloud Software-as-a-Service (SaaS) offerings to carry out business-critical tasks.

With cybercrime up 600% since the start of the pandemic and only 16% of companies saying they’re well prepared to deal with cyber risks, you may want to consider how your organization is working to protect itself. Understanding the security roles of various people across your organization is a great first step.

CTO or CISO

At the near top of the corporate ladder, the Chief Technology Officer (CTO) or Chief of Information Security Officer (CISO) is usually held responsible for organizational information security measures. The person in these roles usually deals with the investors, manages incoming vendor security questionnaires, compliance standards, or any other external process that connects an organization's ability to grow with information technology and security aspects. From a strategic standpoint, this person must decide the tactics that everyone else in the organization must commit to in order to develop a more secure organization.

Security Champions

Regardless of the size of your security team, you need every department, including the software development team to cooperate. The best way to do that is to get members from the developer team to be your ambassadors or "Champions. Security champions are often not hired only to be security champions. Ideally, everyone in the organization will be one to some degree. This means they will think of security impacts in every decision that they make, and will know how to make the best decision to maintain a secure environment.

It’s ideal to have at least a few people designated to critically think about security impacts as the software is being built. Security champions are often developers who are genuinely interested in security as these are the people that are an integral part into development, and will remind everyone often to not forget about security. They will bring up security during designing, implementing and testing, and make sure all dev areas are adequately covered with security in mind. These people may also have additional responsibilities such as leading compliance or security testing initiatives. If you're unsure who to choose as your security champion, you can start by looking at those that excelled in security training courses. As well, more information will be provided later in this guide to further discuss what a security champion looks like in a tech team.

Developers

While usually only a few members of a development team are designated as security champions, all members of the team should have an understanding of security principles. Many developer coding courses haven’t integrated security topics until recently, so many of today’s developers have yet to receive any training on how to write secure code. Being familiar with secure coding principles based on the OWASP Top 10 and how to integrate security testing into the SDLC are good places to start.

Contractors & Vendors

Working with third-party vendors is a possible gateway to introduce new risk into your organization if not vetted and managed effectively. Properly vetting your contractors and vendors through security questionnaires will help ensure that your current system won’t be at a higher risk of attack through a new tool or service that you choose to adopt. For example, island hopping is a type of cyberattack where the threat actors target an organization’s third-party partners in order to use them as an access point to the target organization’s network. These types of attacks increase the need to vet your contractors and vendors, in order to mitigate the risk of island hopping and other third party access attacks.

If you want to read more about information security management within an organization, read our in depth blog to learn more.

The unfortunate reality for today’s organizations is the fact that a security breach is becoming increasingly more likely. Behind many of these major breach stories is a software vulnerability that has been exploited. This is where companies need to weigh the costs of not taking a proactive approach to making security a key part of their software development process. The value of shifting to security first is a critical component of software development—mitigating risks and significantly lowering the financial burden associated with a major breach.

Despite the intangible value of security, there is a major challenge when calculating the return on investment (ROI) for IT and security tools. Demonstrating risk reduction ROI is one of the biggest challenges to convey to developers, and why it is important to integrate secure code and secure application development from the start, in order to reduce the cost of security with preventative measures, and still see the same incredible ROI.

For more specific ROI numbers for shift-left test automation, where developer tools such as SAST plays an important role, Forrester Research found an ROI of 205% over three years, with a real dollar return of almost $7 million on a $3.3 million investment. These benefits from shift left automation included increased output per developer, decreased testing time, improved risk avoidance and bug remediation. In the Forrester Study, the tools studied removed about 20% of the bugs from the software which aligns with the direct cost avoidance savings.

Addressing security at the development stage can help organizations “get upstream” of certain issues, which goes a long way toward alleviating potential breaches. From the start, with the investment of proper training and education, developers will be given the tools to transform your security from the inside. After any training or education, your team will take the information obtained and will be encouraged to use them in practice for future risk mitigation. The development team and security champion will be more aware of problematic areas, bugs, and other common vulnerabilities in which they can mitigate and fix throughout their application development process. A higher skill and knowledge level will alleviate time and energy spent on penetration testing, code review, and overall security costs.

According to Osterman Research, security awareness training dramatically decreases the costs that organizations spend on tasks such as repairing damages in the aftermath of a cyber attack. It found that:

• Small and mid-sized businesses (SMBs) get an ROI of 69 percent.

• Larger organizations see an ROI of 562 percent.

As the number of cyber-threats continues to grow, organizations are making daily trade offs between security, practicality, and speed. Nobody wants to be front-page news for the latest data breach, and organizations can't afford to lose business. Studies show that 29% of businesses​ that face a data breach end up losing revenue. Of those that lost revenue, 38% experienced a loss of 20% or more.
‍
Software Secured aims to shift left in the software development process, in order to empower developers to have the skills and tools to create secure code and applications from the very start.

Here are 4 practices that we recommend in order to implement secure and safe coding within your organization.

People are the backbone of any business. Yet, lots of data points suggest that the human is the weakest link in the security chain. In a 2020 survey, it was revealed that 65% of cybersecurity professionals have accessed documents not related to their job profiles. The same survey also noted that nearly 40% of respondents admitted to abusing their access after receiving bad performance reviews, and 86% of security professionals they’ve clicked on links from unknown sources.

For most CTOs, their teams consist mainly of technical employees including developers, architects, development managers, quality assurance, UX, project managers, etc. Technical staff in any technical organization usually hold privileged access to source code, backend systems, databases with client data, cloud frameworks, etc.

Most CTOs that we talk to focus on one type of training versus the other. For example, in early stages, with most of the staff being technical, CTOs might focus on technical secure code training. However, to build a wholesome security culture you have to consider the different aspects of security that your developers need access to.

Below are the types of developer application security training that we recommend.

General Security Awareness

Usually, security awareness training focuses on general security hygiene such as understanding the basic concepts of social engineering and other phishing attacks. Many CTOs make the assumption that technical staff are better equipped to deal with phishing and social engineering than other non-technical staff. While there is some truth to that, the attack scene is changing so fast. Software developers are becoming the prime target for social engineering as they have a higher level of admin access to multiple systems.

Secure Coding Best Practices

While most developers are easily able to identify what good code looks like, they don’t know how to identify secure code. Knowing the most prevalent bugs in application security programs should be a top priority for any development team. If your team doesn’t already have this foundation, we recommend at least a well-rounded, base-level application security training for your developers in order to understand the top bugs and how to find them. A good place to start is through an OWASP Top 10 training​, which teaches developers the most important techniques to write secure code in any language.

OWASP Top 10 is one of the most popular community-based application security standards in the industry. The OWASP website describes OWASP Top 10 as:

“The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications”

Since it is community-based, OWASP follows a data analysis plan from multiple sources including security vendors and consultancies and bug bounties, along with company/organizational contributions.

Development teams should have a strong understanding of the biggest risks facing their application and start the process of ensuring that their applications actively minimize these risks. Aligning to the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

Taking the training gives your team the information necessary to understand best security practices, secure coding looks like and what a secure software development lifecycle looks like. However, this is just the beginning of the work. This is not nearly enough to become a secure organization from within. There are several techniques you can choose from to allow for behaviour change.

Taking a training course does not mean that employee behaviour regarding security will change completely. Different people will react differently to the information they intake during the training. After providing employees with the necessary information via training, you need to start thinking about how to encourage behaviour change following the course.

Strong Management Support

Without putting enough management power behind the initiative, the training won’t go that far. Your team has to understand that the training is just the first step in the journey and you don’t intend to stop there. Your actions from that point needs to send strong signals that security is here to stay.

Cybersecurity is increasingly becoming a top management and board-level concern, due to the increasing amount of data breaches, and the collective agreement that more work needs to be done in higher management, where business decisions and investments can be made. According to a recent study among Finnish companies, organizations where top management is engaged in and prioritizing cybersecurity are better prepared for cyberattacks and also best equipped to quickly recover from them. These organizations have accepted the fact that prevention of cyberthreats requires continuous analysis and investments.

Cybersecurity was previously seen as the concern of IT security professionals alone. This, however, is changing, due to the growing awareness among senior executives and others about cyberthreats and their potentially devastating effects on businesses. The continuous support after any training or course, has a large impact on how well prepared an organization is for a security breach.

Empowering Security Champions

One of the best ways you can empower behaviour change is through security champions. In today’s software development culture, there is an ever-increasing need for management to drive empowerment within their teams. You need to seek out, identify, and empower someone who can act as your team’s security champion. Find at least one champion to start, and add more if they are available. As you grow, you may even consider assembling a Security Champions team.

Security champions are not necessarily security experts but they must have passion for security and they are able to get people around them passionate as well. Your champion can be a current team member or a qualified contractor/consultant. A thorough knowledge of the team’s goals is necessary. A security champion needs to be a positive person that can offer diligent observations and constructive suggestions to the team.
Establish Basic Metrics

You can’t improve what you can’t measure. Especially if you are a small team, it could be a daunting task to measure security efforts.

Here are a few KPIs you can use to understand if you are moving in the right direction...

Metrics for Motivation and Monitoring

Once you have basic metrics established within your team, you can begin to implement motivational activities to encourage employees to continue secure coding and development practices. Rewarding secure practices allows for the team to stay on top of security, and keep trained skills for security top of mind throughout the development process, at every point. There are various ways to encourage and empower developers through reward, recognition and motivation.

There are a few examples of how to implement security through reward. For example, when writing and reviewing code, the developer with the least amount of bugs and vulnerabilities wins a gift card of their choice. There are other opportunities for reward and recognition, such as penetration testing. Once the penetration testing is complete, the vulnerability report can be a good source of finding any root issues or causes, as well as strong points in your application. Once your team has undergone multiple penetration tests for their applications, you can include rewards when the team has a lower quantity of vulnerabilities with each test. Strong management support and encouragement of your developers are key parts to creating a successful and rewarding security culture.

If you want to read a more in depth analysis on the 101 of Application Security Training for Developers, click here.​​

Penetration testing is a one-time security exercise that tests the resilience of your application or network. It involves a team of white hack or ethical hackers who are hired to break into your application and find security vulnerabilities to exploit.

In this way, they do exactly what the bad actors would do when trying to access your application, except, penetration testers are ethical hackers. That means they’re ready to alert and inform you of vulnerabilities immediately.

Penetration Testing as a Service (PTaaS)​ is an extended, more comprehensive form of pen testing that provides year-round coverage. Whereas a one-time pen test is great for providing a baseline of your security posture, PTaaS will test your application multiple times per year, plus provide security consulting and fix verification testing throughout the year as well.

Penetration testing does more than just tests the resilience of your application or network, it trains your team via osmosis. At first, penetration testing can be seen as reactive, versus a proactive approach. Penetration testing is proactive, as your team will begin to understand the vulnerabilities within their application, and begin to implement practices so that similar vulnerabilities will not appear again. With each penetration test, your team will become more knowledgeable about the root issues, causes, how to fix them, and how to prevent them. Penetration testing allows your team to have access to ethical hackers, with their support by your team, and are happy to help and guide any developer in the process. PTaaS allows your team to build a strong working relationship with our ethical hackers, and will encourage secure coding alongside your penetration testing.

Want to learn more about penetration testing, click here​.

Extreme programming (XP)​ is an agile software development framework that aims to produce higher quality software and higher quality of life for the development team.

In 2003, one of the first controlled studies highlighted the benefits of extreme programming (XP) (Abrahamsson, 2003). This study showed how the XP technique improved accuracy by 26% and productivity by 12 locs/hour. And that was in 2003.

Today's development methods are considerably more efficient. Yet, they don't fully consider the role and importance of security. So, what's the point of an ultra-agile development process if it's just going to turn up bugs later, and then require the team to cycle back, patch, re-launch, etc.

A better alternative? Securing code as early as possible. Extreme programming aids in creating secure code by removing knowledge silos to increase team resiliency, collective code ownership that increases developer engagement with the project, reducing the incidence of bugs through continuous code review, efficiency gains through a short feedback loop, more representative of a live code review and increased learning and opportunities for communication.

While there are endless ways to integrate security into your SDLC, there are 3 main techniques.

1. Pair Programming
2. Continuous Integration (CI)
3. Test-First Programming

Continuous Integration is another great way to integrate security into the process through a set of security testing tools that are triggered automatically on certain events (pre-commit, pull request, etc). Test-first programming is another great way to integrate security early one where security-specific test cases could be added along with the functional tests. Regardless if you are choosing to use extreme programming or an alternative method, you can reflect on the options above to imagine how security can be best integrated into your SDLC.

If you want to read a more in depth analysis on the Extreme Programming (XP) Approaches, click here​​.​​

Training your team on security is one of the best ways to improve your overall security posture in your development.

At Software Secured, we have been working with software developers for over a decade and helping them gradually write secure code through secure code training, penetration testing as a service, threat modeling and secure code review. There are various ways to lead security-minded developers, here are some Software Secured’s recommendations to help transform your team.

• Software Secured Courses: There are a range of courses to suit beginners, intermediate and advanced engineering backgrounds.There are various options for language-specific and language-agnostic courses. Click here for more information on our courses.
• Penetration Testing as a Service (PTaaS): Year-round testing coverage for fast-growing SaaS companies that want to integrate security into their development pipeline. The main goals of PTaaS is to understand your security posture, and optimize and improve your security with continuous support and a solid working relationship. Click here for more information.
• Baseline Penetration Testing: A project-based SaaS security assessment ideal for proving application security to vendors, investors & compliance regulators. Our goal is to help you achieve a clean penetration testing certificate. We're available to answer your questions on securely patching issues. Click here for more information.

Did you know that Ontario Companies can save up to 83% off training and development costs? The Canada-Ontario Job Grant enables you to cover up to 83% of your training costs. Contact us​ or the COJG for more details.

It is our hope that this guide will serve as an inspiration and reference for the current best practices to ensure your developers are trained on security in their quest to develop reliable, sustainable, and secure networks, systems, and applications.

We wish you every success in your business and hope you achieve the growth necessary to exceed your goals.

If there is anything we can do to assist you with security in your development projects, we would be pleased to discuss your requirements with you. Our services include:

• Penetration Testing as a Service (PTaaS)
• Application Security Training
• Secure Code Review
• One-time WebSec, AppSec and IoT Penetration Testing options