Using secure software development frameworks to build better software
Secure software development frameworks (SSDFs) provide companies with a ready set of effective practices for delivering more secure software. While valuable for any software development organization, they are especially important when building web applications that need to stand up to constant attack attempts.
Your Information will be kept private.
Your Information will be kept private.
- Do-it-yourself security practices often leave security gaps that can be exploited.
- Existing secure software development frameworks integrate best practices for developers to follow.
- Dynamic application scanning tools can supplement the benefits of a secure software development framework.
IT organizations that have experienced malware attacks originating in the compromise of one of their systems frequently “find religion” and commit themselves to securing their in-house software development processes. However, they are challenged by how to go about infusing security into their development processes in a way that is both effective and maintainable within existing cost and time constraints.
Some IT organizations fail to view this as a holistic problem and instead apply a patchwork of practices that they hope will strengthen their defenses. But without the requisite experience, do-it-yourself security can leave significant gaps that the next set of bad actors will surely exploit.
A more effective approach is to apply an integrated set of practices designed by experts and borne of the experience of many other IT organizations. Such a secure software development framework (SSDF) is an important element in resistance to attacks, especially those targeting web applications.
Frameworks and standards in software development
IT organizations in regulated and safety-critical industries (such as healthcare, the military, and so on) are accustomed to developing software within the confines of a formal development framework. The most well-known of these is surely ISO 9001, which defines an auditable set of practices for quality management systems. To obtain ISO 9001 certification for their software quality management, a development group must implement the relevant practices, which, in turn, are audited to verify compliance with the standard’s various provisions and requirements.
IT organizations that prefer a less rigorous and formal process but still want the benefits of a framework for software development can turn to the Capability Maturity Model (CMM). Like ISO 9001, it prescribes various integrated practices to deliver repeatable software quality.
Within industries, many standards exist that prescribe specific requirements for software, such as ISO 13485 for medical devices and DO-178C for aviation software. While they vary depending on the industry, all such standards are the product of industry experience, are integrated, and greatly influence the software development processes they apply to.
Note that the term “integrated” in this context means the practices prescribed by the frameworks are integrated with each other, dovetailing and frequently overlapping. This integration of guidelines ensures that software will meet the specified objectives without gaps in coverage. As I describe in the next section, this is a key element of security frameworks.
Secure software development frameworks
While the frameworks mentioned above focus on software quality and safety, the reality of constant attacks on web applications has forced IT organizations to recognize that security must also assume a prominent role in development frameworks.
Organizations can easily slip into the misperception that implementing a series of stand-alone security practices will be enough to resist attacks. For example, you might decide to enforce encryption for all data for one of your sites, but if that’s the only action you take, it will still leave the site vulnerable to many forms of attack beyond data exposure. Likewise, you might enable HSTS to mandate SSL connections for all your web apps – a crucial best-practice step but still only a narrow protection.
Because it’s difficult to know all of the possible forms of attack, organizations are well-served by using an industry framework purpose-designed to cover all bases against bad actors. These SSDFs weave the experience of many organizations into a cohesive set of practices that makes it far more difficult for attacks to succeed.
The most widely known SSDF is published by the US National Institute of Standards and Technology (NIST). Known simply as SSDF 1.1, the framework addresses four principal areas of development:
- Prepare the organization: Ensure that the organization’s people, processes, and technology are prepared to perform secure software development.
- Protect the software: Protect all components of the software from tampering and unauthorized access.
- Produce well-secured software: Produce software with minimal security vulnerabilities in its releases.
- Respond to vulnerabilities: Identify residual vulnerabilities in software releases and respond appropriately to address them and prevent similar vulnerabilities from occurring in the future.
As this list demonstrates, SSDF 1.1 covers more than good development practices; it also reaches into areas ranging from the software component supply chain to an organization’s responsiveness.
SSDF 1.1 is actively maintained by government agencies and industry contributors. For example, the 1.1 version released in 2022 contains provisions that reflect the dangers of software supply-chain hacks as highlighted during the 2020 SUNBURST attack on U.S. government facilities.
The benefits of using an SSDF
As previously mentioned, an SSDF provides a comprehensive, integrated framework by which an organization can improve its protection from attacks in the software development life cycle. By committing to using an SSDF, the development organization can be fairly certain there are no obvious gaps in protection – that is, any known gaps have been remediated. No surprise, the work of malicious hackers is to find unknown gaps, which, of course, can’t be remediated beforehand. However, a framework that is regularly updated will stay current with known threats and provide robust protection against many forms of attack.
An important aspect of using frameworks is that they can be adopted progressively. They are a set of interleaved practices that organizations can integrate with their existing processes and gradually come to a full implementation of the framework. By detailing a specific set of best practices, an SSDF answers developers’ questions about what more they can do to enhance the security of their processes.
Security beyond an SSDF
While an SSDF can greatly improve the resistance of software developed in-house to attack, it is not designed to cover the larger organization. For that, other frameworks exist, such as the NIST Cybersecurity Framework, among others. For organizations looking for an auditable security standard, ISO 27001 provides a wide-ranging information protection standard. A common recommendation in all these frameworks and standards is that security-oriented processes should be automated to the maximum extent possible. Automation helps to avoid human error and allows for running security-related processes as frequently as necessary.
One crucial process to automate is a regular examination of running web apps with an eye to identifying vulnerabilities, unpatched software, and overlooked assets that can provide an easy entry point for attackers. Dynamic application security testing (DAST) provides a way to do this. A modern DAST tool such as Invicti can run on a predefined schedule to regularly verify that your dynamic web environment has no detectable vulnerabilities for bad actors to exploit.