Following up on my post about security challenges in software development, I would like to present the risks that arise from these challenges, as well as a short introduction to the preventive measures that mitigate such risks.
- Security flaws of the deliverable product – the most feared of the risks and usually the one with the most dire consequences. The product is THE principal source of reputation and income for the company. At the same time, the product is the tool that a customer uses to manage his information and data. A security flaw in the delivered product can result in loss of integrity, confidentiality or availability of the customer’s information. Any one of these results would mean loss of the client, loss of reputation and even legal action against the development company.
- Security flaws of the maintenance and support methodology – this risk takes on two forms:
a) INSIDER FACTOR – a security breach at customer's premises by an employee of the software development company involved in the maintenance process.
b) OUTSIDER FACTOR – a security breach by an outside attacker who gained access to the customer’s premises by compromising the network infrastructure of the software development company.
It is quite clear that in this risk, the insider factor carries most of the risk weight. It should be duly noted that in this risk, the responsibility is mostly shared with the customer, since the customer should also implement security measures to mitigate and hamper such a risk.
- Security flaws of the delivery method – the third level of risk in the product. Even if all is perfect with the actual developed product, improper delivery can expose the product to possible tampering by a “man in the middle”. This tampering, even if later proven to have happened outside of the development company, would not clear the development company of all wrongdoing, since the creator of the product didn't analyze the aspects of risk in transit.
- Security flaws in the technical infrastructure – a risk which can cause a great number of problems, but which is the easiest to identify, albeit sometimes expensive to remedy. A security flaw in the infrastructure can result in:
a) Access, theft or intentional corruption/destruction of business critical data or information by employees
b) Accidental loss or corruption of business critical data or information
c) Outside hacker attack
- Security flaws in operations practices – a risk which can cause the same results as the previous point. It is much more difficult to identify, but usually much cheaper to remedy, since it requires a change in procedure, not capital expenditure.
Information security corrective measures
To mitigate the risks presented in this post, the following overall measures should be developed and implemented. The description of these measures merits the attention of a dedicated post, and they will be treated accordingly. For now, here is a brief summary:
- Top management must accept the philosophy of information security and actively sponsor, support and promote security. Also, they must be the first to fully adhere to all defined security procedures and rules.
- The software development company should define precise guidelines for security in operation, development and maintenance, supported by top management:
a) Security in the product must be set up and implemented from the initial design and architecture. If this isn’t the case, security flaws will be abundant, and security patching will become a never-ending firefight.
b) The infrastructure and privilege levels within the company need to reflect the security policy.
c) All security incidents must be tracked from start to end, documented and communicated to appropriate levels within the company.
- The employees must be regularly reminded that information security is one of the basic missions of the company. A regular security awareness and training program must be instituted for all employees, starting with employment and ending with the exit interview.
Talkback and comments are most welcome.