Cyber Security and Software Development

Underlying software development errors can result in the software crashing which causes significant problems for the end users, including but not limited to — loss of time, money and business reputation. Many cyber security threats arise from software development defects that are exploited by cybercriminals.

Organisations face budget and time constraints which is the contributing factor in accelerating a software release. As a result, rigorous software testing process is compromised to facilitate stakeholder demands. In a number of cases, the quality assurance timeframe for testing is drastically rolled back to meet rigid deadlines.

Another cause for concern is linked to various enterprises opting to buying commercial off-the-shelf products without considering associated cyber security risks.

Importance of Software Testing

Implementing a rigorous software testing strategy can assist in detecting high severity and priority issues. Involvement of the software testing team at an early stage of the software development process can assist in enriching the application quality.

Early detection of the software bugs is equally important to reduce business costs. However, problems arise when compromises are made on software quality assurance. Cybercriminals are accustomed to targeting any software that is released with outstanding defects.

What is more important network or application security?

For years the cyber security industry has been predominantly focused on network security to prevent adversary threats by fortifying and setting in depth network security. More recently, a shift in pattern has been detected where the cyber security focus has altered towards improving application security, driven by the rise in web application cyber threats.

Cybercriminals are targeting web applications to exploit vulnerabilities missed by developers or the software testing process. Cloud applications and open-source content management systems have paved the way for the existence of websites in their multitude, however many of these websites are susceptible to cyber attacks.

Correcting errors made by developers is more of an arduous task which cannot be marked as fully completed despite extensive testing. On the other hand, network security may withstand malicious attacks through the implementation of strong cyber security measures.

What are the skills-gap challenges?

Unfortunately most information security engineers are not experts of software development and may have little to none coding knowledge. Similarly, software developers are not trained to consider cyber security while developing their products.

Usually, a software developer is heavily invested in developing a product that will meet the broader end user requirements within the set deadlines. The delivery of the product is the end goal which occurs at the expense of overlooking efficient cyber security measures.  

What are negative software development practices?

Where software development is concerned there are a whole host of malpractices that are leading to cyber security compromises. However, one major error made by software developers is copying or borrowing code from others which essentially means copying security flaws.

Copying code without verifying cyber security vulnerabilities within the code is allowing cybercriminals to have a far-reaching impact with a small number of exploits.

What is better security testing of application or improving software development practices?

The software development industry is overly-focused on releasing software and profoundly reliant on security testing of the application post-release. However, this approach is dangerous and can have long-lasting implications for a business if the vulnerabilities are discovered early by adversaries.

The reasonable and more logical approach would be to invest on improving software development practices and to attune the developer mindset to focus on cyber security. Application security should be considered early as part of the wider software development lifecycle.

What is the solution for bridging the gap between poor software development and improving cyber security?

To enhance the software development process emphasis is required on teaching developers how to write code which is secure. An organisation may invest in tools and training material that encourages development with a cyber security mindset and promotes secure coding practices.

16