Security-By-Design: Or… Better Safe Than Sorry!
Digital Marketing Manager|Kerv digital
Published 06/07/22 under:
Far too often security is the final afterthought of a Digital Transformation project
Software Developer: “I’ve built this really cool ‘feature’; now I must make it secure!
Security Architect: Facepalm!
You may have come across it in your own Digital Transformation project or, (hopefully not) been a victim of this kind of thinking further down the line when it was far too late to do anything truly effective about it without spending a fortune in time and resources retrofitting a new solution.
That’s where one of Kerv Digital’s guiding principles come in… Security-By-Design.
In recent years it’s been good to see that Security-By-Design has started to gain a lot more prominence, becoming a mainstream development approach for many that aims to make a system secure from the very start, rather than scrambling to patch up vulnerabilities as they’re noticed, either at the end of a project or worse, during during a breach.
It’s an approach to software (and hardware) development with a stated aim of making a system as free from vulnerabilities as possible; ideally making it impervious to attack through measures such as Continuous Improvement (or in Kerv Digitals parlance, Build Future), Continuous Testing, multifactor authentication safeguards and strict adherence to software development best practises.
Sounds great doesn’t it?
Unfortunately, Security-By-Design is still very much in its infancy, with many developers still only giving it a passing acknowledgement.
Far too often at Kerv Digital, when speaking to new clients, our software developers come across the same security errors and vulnerabilities time and time again.
Does this mean software developers are just lazy by nature? Or incompetent?
Of course not!
The problem is often one of culture and what various, different departments are held accountable for.
When starting a project, the development team will be asked to build a ‘feature’ and all their time and effort will likely go into making that ‘feature’ as great as possible.
Often security won’t be an issue till long after the ‘feature’ has gone live, so it receives little attention in development stages.
You see the problem that Kerv digitals founders saw a long time ago though don’t you?
That’s no way to future proof a business – or Build Future as we say here.
What Is Security-By-Design?
Security-By-Design is the opposite of Security-After-The-Fact.
Security-By-Design is defined as an approach to software development in which security is built into the system from the very beginning.
When considering a Digital Transformation project, a company that prioritises Security-By-Design (*cough, Kerv Digital, cough) will create software that’s been built from the ground up to be secure.
A risk led approach will favour considering, adapting, rejecting, testing and finally optimising multiple, different, security controls and then ensuring only the very best are built into the project’s architecture throughout its design, whilst being used as guiding governance by the software developers involved. With each new release or patch that comes after that, the security of the release and how it interacts with the system as a whole will be a primary concern.
You see, Cyber actors/Cyber criminals are lazy.
They’ll always target organisations that offer them up the path of least resistance.
That means, when attacking a system, they’ll likely use well known and predictable tactics, tools and patterns, known in the industry as reusable techniques.
Any Security Auditor worth their salt can apply security controls to combat these threats against a system by utilising approaches such as enforcing multifactor authentication, authorization, confidentiality, data integrity, privacy, accountability, safety and non-repudiation requirements for if/when your organisation comes under attack.
Think of it as though you’re building a bank if you like…
Of course, you want a beautiful building, with gorgeous architecture to attract clients but you don’t just say “oh… we’ve built it now, better throw a padlock on the front door”.
When building it you construct foundations that can’t be tunnelled through, walls that are blast proof, all entrances covered by hi-tech security and a great big, state of the art vault in the middle of the building.
That’s the real difference between Security-By-Design and Security-After-The-Fact.
Why Is Security-By-Design Important?
Well, as already mentioned, the obvious answer to that question is a system built to Security-By-Design principals is much more secure… by several orders of magnitude in fact.
And, although that’s a great reason, it’s not the only one…
Security-By-Design will actually reduce your overall costs and mitigate many future risks.
Think about the last project you were involved in.
We’re willing to bet that the last month or so is where you faced the most budget and time constraints.
Ask yourself… Is that really the best place to be considering the security of your entire system and organisation? (You don’t need to answer that by the way, the answers pretty obvious).
A Security-By-Design system will always end up with more resilient than a hastily added patch at the end of a project as, by implementing security measures in a step by step process throughout the project, you allow your designers to identify security flaws as they go, enabling them to quickly, easily (and cheaply) fix them, rather than having to overhaul the entire project at the end.
Identifying security related bugs early means they can be on the lookout for similar flaws, preventing further problems in the build process, or worse production.
Finally, the last point many forget when building a new system is that it isn’t an ‘end-goal’ in of itself. It will continue to organically grow, adapt and evolve over time as your organisation does.
If you’ve taken a Security-After-The-Fact approach then any future modifications to your system may well invalidate your entire security protocol without you even realising it, creating new risks for your organisation as well as multiple opportunities for malicious cyber actors.
That doesn’t happen with a Security-By-Design approach as your security is an inherent part of the system, not a bunch of controls stuck on around the edges.
Building A Culture Of Security-By-Design
All the above is well and good but skips over the most important step of all, building a culture of security within your organisation.
It has to start with a positive relationship between those commissioning the project and those building it, with everyone’s goals and values being aligned from the off.
Security-by-design breaks down traditional development/security silos, making security part of everyone’s role, which means everyone is both empowered and responsible for delivering a secure solution. Tony Leary – Kerv Digital, Chief Information Security Officer