When developing software for the eCommerce world, security should be of paramount concern. I’ve seen many companies who leave security considerations until just before launch, for some reason, and that is a practice that should be abandoned in favor of taking a more complete and integrated approach to developing and deploying secure software.
Security activates should begin before development. They should begin in the design phase of a project. When defining a user experience, either through wireframes or another method, not only are user input points being defined but potential security weaknesses are being defined. For example, having a list of all user text input points in an application is a starting point for where to test for places a hacker might try to enter unexpected text and exploit a SQL Injection attack among others. The quality assurance team members developing test scripts could also script basic security tests against these input points as an initial test of the code. You do have quality assurance folks involved in design developing test cases, right?
Secure coding should also be something discussed during code reviews. Making sure that all developers are familiar with secure coding techniques is an ongoing process that requires ongoing training just to keep up with what’s going on in the hacker world.
Security scanning and penetration tests should be built into the project schedule and not left as an after thought once the system is ready for deployment. Waiting until the last minute to perform either or both of these tests is inviting a delay to going live because of a security flaw. This is especially true in the case of online applications that must be PCI compliant.
Another aspect of security that is often overlooked by the development team is devops security. There are many facets to building a secure environment including network security, platform and component security. Without including the devops team in the security activities it is entirely possible to deploy wonderfully secure code on top of a web server that has a known security flaw. This instantly makes one’s wonderfully secure code rather useless in defending against potential threats.
In summary, take these three steps to integrating security activities to ensure the most secure application:
- Begin security activities during Design and develop potential hacker entry points and security test cases.
- Make adequate time in the project plan for security scans, penetration tests, remediation and rescans.
- Involve your devops team in the process to ensure platform and network security issues are not overlooked.
In today’s technology environment it is possible that a company can be very diligent about security and still suffer from a hack. Cyber criminals are creative and are always looking for new exploits. Having a security team is very important but can no more guarantee a hack-proof system than having a police force guarantees a crime free city. As the police are concerned with taking basic steps to ensure the security of the citizenry, a security team should be concerned with taking the basic steps to mitigate the risk of a hack – and they should be ready to respond to any new information on exploits that could compromise system security.