Security challenges in software development

With the time i spent at Medic ACME gave me an insight into the workings of a rising software development company. All the items i am presenting here are already presented to the Medic ACME management, as Pro Bono work on my other engagement.
So, with their consent, i would like to present my conculsions. In the rush to achieve a good brand and reach the heights of profitability, any typical software development company has the following characteristics:

Get things done mentality – “This will be the largest contract in the history of our company. We must be prepared to deliver in 2 weeks/2 months. So get it working ASAP. A variant of this monologue is very frequent in most software development companies. Anyone telling you different is either lying, or not working as a developer for a living.
Tremendous workforce capacity – Regardless of race, gender or religion, the average developer/engineer is highly intelligent, technologically savvy, usually very up-to date with technical advances, and due to the high pace of technology, a person willing and able to learn new things in very short periods of time.
Frequently mixed duties – since the workforce has excellent capacity, it is quite often that the developers/engineers are given additional duties other then development.
Significant technical resources at hand – The developer/engineer has ready access to significant computing power and software tools, both in the form of a local workstation and server infrastructure.
Onsite delivery – Of course, while the product is still in the proverbial shop, and sales cannot invoice something that is not delivered. The delivery can take on several insecure forms
  • The product can be sent via E-mail - not encrypted and digitally signed
  • The product can be published on a Web portal or FTP server, again, not encrypted and digitally signed
  • The product can be burned on a CD and sent via some form of courier service without protection from possible stealing or tampering
Maintenance and support in various forms – The second and/or third level of support for a software product falls on the shoulders of personnel from the development company. This gives access to:
  • Error logs or crash dumps from the product which failed at the customer’s site, which usually contain a wealth of highly confidential information (usernames, passwords, confidential records etc)
  • Depending on support contract access to the customer’s test or production servers remotely, opening the possibility to be suspected of information theft or tampering
Inherently, the organization of a software development company presents the following security challenges
  1. The pressure to create a functional product with short deadlines can lead to development decisions which may prove extremely insecure in everyday usage of the product
  2. The pressure to solve issues in maintenance and support can lead to untracked and undocumented direct modifications of software or database schema at customer premises.
  3. The created product will be used at client’s premises – a security problem with the product can have dire implications on the customer’s business, as well as on the reputation of the software development company
  4. Although rarely absolutely necessary, an overwhelming majority of developers have full administrator/root privileges on their local computer and sometimes even on their coworkers computers
  5. Although never necessary, and always very dangerous, a vast majority of developers share the administrator/root account of development servers, databases and sometimes even network elements like routers and firewalls
  6. To reduce costs and optimize hardware utilization, the internal operations databases, business support systems, internal confidential file stores and the like are often supported and maintained on the same systems that house the development environments or databases.
  7. To achieve minimal headcount and maximal utilization of personnel, the infrastructure maintenance is often delegated to personnel who are also developers
  8. Proper and complete control over mobile devices is rarely instituted. With the access to most of the company’s information, an employee can easily transport an entire product source code, contract details or business plan outside of the company
These challenges can cause significant amount of security risks on a daily basis.
I will follow through with the discussion of the risks in my next posts.


Related posts
Personal Data Protection - Anonymizing John Doe



6 comments:

sunitha said...

Get the things to be done here.......
Software Development Company

Bozidar Spirovski said...

To sunitha
I would appreciate a bit more details on your comment. I am not familiar with the referred company.

Nancy said...

Hi,

Excellent article - I really appreciate your blog and knowledge about "Security challenges in software development", I have bookmarked it for later viewing and forwarded it on.
Software Development Company

Cheers.

Bozidar Spirovski said...

Thank you for the kind words. If you have a suggestion on it security or strategy topic you would like analyzed, please post a comment or send an e-mail

clerisy said...

I am surfing in the net and found your blog so interesting..I am looking forwards for more update about web development services .... nice blogg...:)

clerisy said...

Interesting post.Its so interesting. I know lot of things from this site. So i want to know some other details about this web development company
. Thanks.

Designed by Posicionamiento Web