Security-By-Design: Or… Better Safe Than Sorry!

James Crossland

Digital Marketing Manager | Kerv Digital

Published 06/07/22
Far too often security is the final afterthought of a Digital Transformation project

 

Software Developer: “I’ve built this really cool ‘feature’; now I must make it secure!”

Security Architect: Facepalm!

 

Sound familiar?

You may have come across it in your own Digital Transformation project or (hopefully not) been a victim of this kind of thinking further down the line, when it was far too late to do anything truly effective about it without spending a fortune in time and resources retrofitting a new solution.

That’s where one of Kerv Digital’s guiding principles comes in… Security-By-Design.

 

In recent years it’s been good to see that Security-By-Design has started to gain a lot more prominence, becoming a mainstream development approach for many that aims to make a system secure from the very start, rather than scrambling to patch up vulnerabilities as they’re noticed, either at the end of a project or, worse, during a breach.

It’s an approach to software (and hardware) development with a stated aim of making a system as free from vulnerabilities as possible; ideally making it impervious to attack through measures such as Continuous Improvement (or in Kerv Digital’s parlance, Build Future), Continuous Testing, multifactor authentication safeguards and strict adherence to software development best practices.

 

Sounds great doesn’t it?

Unfortunately, Security-By-Design is still very much in its infancy, with many developers still only giving it a passing acknowledgement.

Far too often at Kerv Digital, when speaking to new clients, our software developers come across the same security errors and vulnerabilities time and time again.

 

Does this mean software developers are just lazy by nature? Or incompetent?

Of course not!

 

The problem is often one of culture and of what different departments are held accountable for.

When starting a project, the development team will be asked to build a ‘feature’ and all their time and effort will likely go into making that ‘feature’ as great as possible.

Often security won’t become an issue until long after the ‘feature’ has gone live, so it receives little attention during the development stages.

 

You see the problem that Kerv Digital’s founders saw a long time ago though, don’t you?

That’s no way to future proof a business – or Build Future as we say here.

What Is Security-By-Design?

Security-By-Design is the opposite of Security-After-The-Fact.

Security-By-Design is defined as an approach to software development in which security is built into the system from the very beginning.

When considering a Digital Transformation project, a company that prioritises Security-By-Design (*cough, Kerv Digital, cough) will create software that’s been built from the ground up to be secure.

A risk-led approach will favour considering, adapting, rejecting, testing and finally optimising multiple different security controls, and then ensuring only the very best are built into the project’s architecture throughout its design, while those controls also serve as guiding governance for the software developers involved. With each new release or patch that comes after that, the security of the release and how it interacts with the system as a whole will be a primary concern.

 

You see, Cyber actors/Cyber criminals are lazy.

They’ll always target organisations that offer them up the path of least resistance.

That means, when attacking a system, they’ll likely use well known and predictable tactics, tools and patterns, known in the industry as reusable techniques.

Any Security Auditor worth their salt can apply security controls to combat these threats against a system, using approaches such as enforcing multifactor authentication, authorization, confidentiality, data integrity, privacy, accountability, safety and non-repudiation requirements for if/when your organisation comes under attack.

 

Think of it as though you’re building a bank if you like…

Of course, you want a beautiful building, with gorgeous architecture to attract clients but you don’t just say “oh… we’ve built it now, better throw a padlock on the front door”.

When building it you construct foundations that can’t be tunnelled through, walls that are blast proof, all entrances covered by hi-tech security and a great big, state of the art vault in the middle of the building.

That’s the real difference between Security-By-Design and Security-After-The-Fact.

Why Is Security-By-Design Important?

Well, as already mentioned, the obvious answer to that question is that a system built to Security-By-Design principles is much more secure… by several orders of magnitude in fact.

And, although that’s a great reason, it’s not the only one…

 

Security-By-Design will actually reduce your overall costs and mitigate many future risks.

Think about the last project you were involved in.

We’re willing to bet that the last month or so is where you faced the most budget and time constraints.

Right?

Ask yourself… Is that really the best place to be considering the security of your entire system and organisation? (You don’t need to answer that, by the way; the answer’s pretty obvious.)

 

A Security-By-Design system will always end up more resilient than a hastily added patch at the end of a project. By implementing security measures step by step throughout the project, you allow your designers to identify security flaws as they go, enabling them to fix them quickly, easily (and cheaply), rather than having to overhaul the entire project at the end.

Identifying security-related bugs early also means your designers can be on the lookout for similar flaws, preventing further problems in the build process or, worse, in production.

 

Finally, the last point many forget when building a new system is that it isn’t an ‘end goal’ in and of itself. It will continue to organically grow, adapt and evolve over time as your organisation does.

If you’ve taken a Security-After-The-Fact approach then any future modifications to your system may well invalidate your entire security protocol without you even realising it, creating new risks for your organisation as well as multiple opportunities for malicious cyber actors.

That doesn’t happen with a Security-By-Design approach as your security is an inherent part of the system, not a bunch of controls stuck on around the edges.

Building A Culture Of Security-By-Design

All the above is well and good, but it skips over the most important step of all: building a culture of security within your organisation.

It has to start with a positive relationship between those commissioning the project and those building it, with everyone’s goals and values being aligned from the off.

 

“Security-by-design breaks down traditional development/security silos, making security part of everyone’s role, which means everyone is both empowered and responsible for delivering a secure solution.” – Tony Leary, Chief Information Security Officer, Kerv Digital
