The IEEE Computer Society team
In 2013, Yahoo! suffered a data breach that exposed 3 billion (not million, billion) data records. At the heart of this and other costly breaches are vulnerabilities. As was the case with Yahoo!, even the biggest players can overlook important weaknesses in their technology stack. Software developers therefore need to be especially careful, because an otherwise secure system can be compromised by a solution the development team is responsible for, damaging reputation and stifling revenue. However, by treating software as a multi-layered technology, you can systematically reduce or eliminate vulnerabilities. Read on to learn how.
How software as a multi-layered technology and security intersect
Some may be tempted to treat security as something to be dealt with later, along the lines of “Here’s what we did.” However, by applying the principles behind the multi-layered view of software, you can prioritize security and improve and maintain it throughout the development lifecycle.
Key element: Quality
Identifying security as part of the quality assurance element of software as a multi-layered technology puts it at the heart of your development process. One advantage of the multi-layered view of software is that each principle, quality especially, is revisited at different points in the development process. Incorporating security as a quality standard forces your team to re-evaluate the security of your application repeatedly, at various stages.
How to include security in every phase of development
Whether you use Agile or waterfall to manage your development, the basic elements of the life cycle are usually the same:
- Planning and conceptualization
- Design and architecture
- Execution
- Testing and debugging
- Product launch and maintenance
Here’s how you can incorporate security principles and features into each phase:
Planning and conceptualization
In the planning and conceptualization phase you can:
- Define security objectives for the project by asking questions such as “What types of threats are most likely to be imposed on this application and how can we stop them?”
- Identify relevant compliance standards. These may include the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and others.
- Organize a list of what your application will need to meet its security goals in accordance with technical and regulatory standards.
- Provide training for developers and others involved in the project. It is best not to assume that they have the necessary knowledge, and eliminating gaps at an early stage can prevent problems in the future.
Design and architecture
During the design and architecture phase you can:
- Use threat modeling to identify attack surfaces and attack techniques.
- Evaluate project documents by looking for potential security issues in the application code and infrastructure.
- Pay special attention to third-party applications that may introduce vulnerabilities, either because of their own weaknesses or because of the way they interact with your application.
Execution
During the execution phase, programmers do the actual coding of the application. To include security in this critical phase, you can:
- Provide a list of common mistakes that programmers should avoid, such as leaving passwords unencrypted.
- Use static scanning tools to review freshly written code and identify vulnerabilities before it is included in the application as a whole.
- Manually review the code for vulnerabilities. This may take some time, but a manual review may reveal problems that the automated system is not programmed to identify.
Testing and debugging
Instead of just testing the app to see how well it works during this phase, you can also check it for vulnerabilities. To do this, you can:
- Use a dynamic application security testing (DAST) tool, which simulates hacker attacks. You can reduce the number of false positives by using interactive application security testing (IAST) tools. With DAST combined with IAST, you identify not only the vulnerability but also its source.
- Fuzz test your app, which involves generating random inputs and seeing how the app holds up.
- Use penetration testing, which is when you invite a team of third-party security professionals to simulate attacks on your application.
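The fuzz-testing step above can be sketched as follows; this is an added example, not code from the original article. The record format, both parser functions and the seed record are constructed for illustration: the harness feeds random and mutated inputs to a parser and records every exception that falls outside the parser's documented `ValueError` contract.

```python
import random

def parse_record(data: bytes) -> dict:
    """Constructed target: [type][length][payload...][checksum].
    Contract: return a dict, or raise ValueError for malformed input."""
    if len(data) < 2:
        raise ValueError("short header")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]  # bug: trusts the length field
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def parse_record_checked(data: bytes) -> dict:
    """Same parser with the declared length validated against the buffer."""
    if len(data) < 2 or len(data) < 3 + data[1]:
        raise ValueError("truncated record")
    return parse_record(data)

# A well-formed record used as the mutation seed (constructed sample).
VALID_SEED = bytes([1, 3]) + b"abc" + bytes([sum(b"abc") % 256])

def mutate(rng: random.Random, seed: bytes) -> bytes:
    data = bytearray(seed)
    data[rng.randrange(len(data))] = rng.randrange(256)  # corrupt one byte
    return bytes(data[:rng.randint(0, len(data))])       # then truncate

def fuzz(target, iterations: int = 500, seed: int = 1234) -> dict:
    """Return {exception name: first input that triggered it}."""
    rng = random.Random(seed)  # fixed seed so any finding is reproducible
    crashes = {}
    for _ in range(iterations):
        if rng.random() < 0.5:
            data = mutate(rng, VALID_SEED)
        else:
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(16)))
        try:
            target(data)
        except ValueError:
            pass  # documented rejection of bad input
        except Exception as exc:  # anything else breaks the contract
            crashes.setdefault(type(exc).__name__, data)
    return crashes

if __name__ == "__main__":
    print("unchecked:", fuzz(parse_record))
    print("checked:  ", fuzz(parse_record_checked))
```

Each saved input is a ready-made regression test: once the length check is in place, replaying it should produce a clean `ValueError` instead of an unhandled exception.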
Product launch and maintenance
Once the product is up and running, you need to ensure that customers enjoy a safe experience. While it can be difficult to control who upgrades to newer, more secure versions of your app, there are some things you can do to improve security, such as:
- Monitor the application's entire ecosystem for attacks.
- Create an incident response strategy that outlines what your security team will do if the application or its infrastructure is affected by different types of attacks.
- Perform continuous security checks.
You protect your product, its users and users’ devices by taking these steps. You also protect the reputation of your organization and its development team, while maximizing the end-user experience. To keep up with the latest developments, tools and strategies in the field of cybersecurity, you can contact the IEEE Computer Society. As an association of professionals in the latest technology, the IEEE Computer Society is a dynamic resource for the latest and greatest technological insights. See how by signing up for a newsletter.
Which Security Features can Bolster the Quality of Software Developed as Layered Technology?