Cyber security was the hot topic at the DeveloperWeek Conference in San Francisco (Feb. 12 – 18). If you missed the conference, read on for cyber security tips and warnings. If you are hiring a freelancer or a software development shop, be on the lookout for security pitfalls such as security delivered as post-development add-ons and plug-ins rather than integrated into the product.
Believe it or not, some freelance developers and shops are procrastinating when it comes to security integration – partly because this is one of the most challenging, sensitive, and expensive parts of the software development cycle.
According to Bob Loihl, Senior Software Engineer and Secure Software Development Expert for Tripwire, if developers “… put off implementing access controls in the system because it’s hard and expensive, it is an indicator that [they] have missed or downplayed important project requirements.”
The following tips will help you get the most from software outsourcing without sacrificing security:
- Do your own research to understand what security elements your product uniquely requires. Some features are common to most projects. However, your specific software product could require features not available in all products. Request these elements at the outset.
- Require security development in the project contract. If it is not in writing, you may receive a product without critical elements. Make security part of the development plan and build it into the software architecture.
- Ask security questions before and throughout development. Ask the developer which methods are used to implement security, how those methods are tested and validated, what contingencies counteract a breach, and how remote access shuts down in case of emergency. Loihl says, “With so many resources available today from static code analysis to pen testing, there is no excuse for not understanding the security profile of a product before it ships. In addition, there are good organizations out there like OWASP, SAFECode, BSIMM and others that can help you understand how to build out a security program.”
- Follow up with your developer regularly to keep the project on track and verify that security integration progresses in parallel with development. Security lumped into the final lines of code leaves the software vulnerable to attack.
- Specifically require proven security features from established experts. Reject newly coded or hidden security elements proprietary to the developer. Your product needs to meet industry security standards in order to avoid vulnerabilities.
- Ensure that your organization will be able to restrict access to the software product independently, without “permissions” from the developer. The development contract should clearly state that you own full access upon completion of the product.
- Be sure that the developer makes you or your organization the admin controller upon delivery of the product. Believe it or not, administrators have purchased software products only to find that they do not have the privileges needed to perform higher-level user tasks.
- Hire copy editors to review your software help files and user guides. Poorly drafted procedures leave software users frustrated. Exasperated users are often willing to experiment with your product’s default settings, and faulty configurations create security loopholes. If your clients connect to your network for cloud computing or other services, they may expose your servers to vulnerabilities in their own systems.
- Host community beta testing of your secure software product before releasing it for sale or public use. Do this in addition to stress testing and other organized trials that your developer completes and/or that your organization conducts internally. Community beta testing gives you a snapshot of how users relate to your product, and it creates buzz among your potential customers.
- Be cautious about inheriting other developers’ library components. Integrating a faulty library causes your product to inherit another developer’s security mistakes.
If your organization is considering software outsourcing, seek a professional provider. At the Radial Development Group, we work with you to develop a technical strategy to achieve the business goals for your product, with security as priority #1. For software development done right, contact us today.