By the turn of the century, information technology had already become one of the most influential business drivers in history. There is hardly an aspect of modern business that does not interact with technology in one form or another. Information technology encompasses servers, network devices, computer systems, communication equipment and software applications. Software applications form an integral part of enterprise operations, especially those through which the enterprise's business data is stored and maintained. Enterprises continue to suffer security breaches of varying severity caused by vulnerabilities and flaws in software applications and network functionality. As a result, controls must be put in place to ensure adequate security of business operations and, ultimately, enterprise profitability.
Factors affecting the security of software applications
There are several factors affecting software application security, and most of them stem from the way the information technology world has evolved over the years. Some of these factors include:
- Most software developers focus solely on the operational functionality of the software and may not think about security beyond password-protected access.
- Very few information security professionals are in the business of software development.
- Historically, security was not always a major factor during the system development life cycle (SDLC).
- The computing community has become used to receiving software applications with bugs, holes and flaws and then applying patches or updates to fix these problems later.
- Because of the intense competition in the software market, vendors engage in fast-paced development and rush packages to market without allocating the necessary resources to security.
- Security and usability pull in opposite directions: the more security controls an application carries, the more its usability tends to suffer. Balancing security against user-friendliness is technically demanding, and most application developers shy away from it.
- Early software programming curricula did not cover security, so it was not taught as a necessary part of software application development.
- Because skilled developers were in short supply, many inexperienced developers were engaged on projects. Experience in software development helps a programmer avoid well-known mistakes.
The enterprise is also partly to blame for this problem. In the early days of information technology adoption, the computing environment sat on the desk with little or no interaction with the outside world. This led enterprises to cut costs, and most CEOs felt that the threats presented in development quotes simply were not out there. Today we benefit from the strengths and opportunities of connecting computers within the enterprise and, through the Internet, on a global scale. Along with this come threats to the security of the enterprise and exposure of the weaknesses in the software applications we use.
Considerations for Securing Software Applications
Environment: The environment in which the software application is intended to run largely determines the level of security that needs to be put in place. Software that runs on a stand-alone system carries a lighter security burden than software meant for a networked environment or the Internet, where every reachable interface is an attack surface. Failure to scrutinize environmental factors when choosing security controls can have far-reaching negative consequences.
Functional Requirements: A software application with complex functions presents a larger attack surface and will require more security controls than one with simple functions.
Programming language, Data Types and Formats: The buffer overflow problem in software written in C caused quite a stir in the application development world. C does not check that a copy fits its destination buffer, so a program that accepts more input than it reserved space for overwrites adjacent memory, and software developed in the language is vulnerable unless every copy is bounded explicitly. The choice of programming language, data types and formats needs to be considered carefully.
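As an added illustration of the C problem described above (example code written for this page, not taken from the article), the record below places a fixed-size name buffer next to a privilege flag. The unchecked copy uses strcpy and will run past the buffer on long input; the checked copy measures the input first and refuses anything that does not fit. The struct layout, the NAME_LEN constant and the sample inputs are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record for this example: a fixed-size name buffer placed
   next to a privilege flag, the layout in which an overrun of 'name'
   reaches 'is_admin'. */
#define NAME_LEN 16
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* VULNERABLE: strcpy copies until it finds the NUL terminator and never
   asks how big the destination is.  Input of NAME_LEN bytes or more
   writes past 'name' into 'is_admin' and beyond.  Calling this with
   untrusted input is undefined behaviour; it is kept here only to show
   the pattern the text describes, and main() feeds it a safe input. */
void set_name_unchecked(struct account *acct, const char *src) {
    strcpy(acct->name, src);
}

/* HARDENED: measure the input with an upper bound, refuse anything that
   does not fit together with its NUL terminator, and report the refusal
   to the caller rather than silently truncating. */
bool set_name_checked(struct account *acct, const char *src) {
    size_t len = 0;
    while (len < NAME_LEN && src[len] != '\0') {  /* bounded scan */
        len++;
    }
    if (len >= NAME_LEN) {
        return false;   /* would overflow: reject and leave the record as is */
    }
    memcpy(acct->name, src, len + 1);  /* copy the bytes plus the NUL */
    return true;
}

/* Convenience wrapper for checking the hardened copy: true when 'src' is
   accepted, stored intact, and the adjacent flag is untouched. */
bool checked_copy_preserves_flag(const char *src) {
    struct account acct = { "", 0 };
    if (!set_name_checked(&acct, src)) {
        return false;
    }
    return acct.is_admin == 0 && strcmp(acct.name, src) == 0;
}

int main(void) {
    struct account acct = { "", 0 };
    /* Sample inputs constructed for the example: 5 bytes and 24 bytes. */
    const char *short_name = "alice";
    const char *long_name  = "aaaaaaaaaaaaaaaaaaaaaaaa";

    set_name_unchecked(&acct, short_name);   /* safe only because it fits */
    printf("unchecked copy of short input: name=%s is_admin=%d\n",
           acct.name, acct.is_admin);

    if (!set_name_checked(&acct, long_name)) {
        printf("checked copy rejected %zu-byte input; name=%s is_admin=%d\n",
               strlen(long_name), acct.name, acct.is_admin);
    }
    return 0;
}
```

Feeding the 24-byte input to set_name_unchecked instead would corrupt is_admin and the stack around it; building with gcc's -fstack-protector or -fsanitize=address makes that corruption abort the program at runtime, whereas set_name_checked never needs the safety net because it refuses the input before any byte is written.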
Default State: A secure software application should default to “NO ACCESS”: a user or request that has not been explicitly granted a permission is denied it.
Failure State: For example, after a failure or an unexpected system outage, a secure software application should require the user to log in again when the system comes back up. Recovery from a failure state should default to “NO ACCESS”; an error while checking a permission must be treated as a denial, never as a grant.
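The difference between defaulting to access and defaulting to no access shows up most clearly on an error path. The following C example (added here, not from the original article) contrasts an authorization check that starts from "allowed" with one that starts from "denied"; the access list, the simulated lookup failure (the backend_down flag) and the user and resource names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed access list for this example: which user may use which resource. */
struct acl_entry {
    const char *user;
    const char *resource;
};
static const struct acl_entry ACL[] = {
    { "alice", "ledger"  },
    { "bob",   "reports" },
};
#define ACL_LEN (sizeof ACL / sizeof ACL[0])

/* Simulated permission lookup that can fail, as a directory or database
   lookup does when the backend is down after an outage.  Returns 0 and
   sets *found on success, -1 on failure ('backend_down' stands in for a
   real error condition). */
static int acl_lookup(const char *user, const char *resource,
                      bool *found, bool backend_down) {
    if (backend_down) {
        return -1;
    }
    *found = false;
    for (size_t i = 0; i < ACL_LEN; i++) {
        if (strcmp(ACL[i].user, user) == 0 &&
            strcmp(ACL[i].resource, resource) == 0) {
            *found = true;
        }
    }
    return 0;
}

/* FAIL-OPEN (the bug): the decision starts out as "allowed" and is only
   flipped to "denied" when the lookup succeeds and says no.  When the
   lookup fails the default survives and an unlisted user gets in. */
bool authorize_fail_open(const char *user, const char *resource,
                         bool backend_down) {
    bool allowed = true;
    bool found = false;
    if (acl_lookup(user, resource, &found, backend_down) == 0 && !found) {
        allowed = false;
    }
    return allowed;
}

/* FAIL-CLOSED (the "NO ACCESS" default): access is granted only when the
   lookup succeeds and explicitly lists the user; every error path,
   including a failed lookup, ends in denial. */
bool authorize_fail_closed(const char *user, const char *resource,
                           bool backend_down) {
    bool found = false;
    if (acl_lookup(user, resource, &found, backend_down) != 0) {
        fprintf(stderr, "lookup failed for %s/%s: denying\n", user, resource);
        return false;   /* deny and log; never guess */
    }
    return found;
}

int main(void) {
    /* Normal operation: both versions agree. */
    printf("alice->ledger, backend up:     open=%d closed=%d\n",
           authorize_fail_open("alice", "ledger", false),
           authorize_fail_closed("alice", "ledger", false));
    /* Backend down: the fail-open check lets an unlisted user through. */
    printf("mallory->ledger, backend down: open=%d closed=%d\n",
           authorize_fail_open("mallory", "ledger", true),
           authorize_fail_closed("mallory", "ledger", true));
    return 0;
}
```

The two functions are indistinguishable while the backend is healthy, which is why fail-open bugs survive testing; the only difference is the value the decision variable holds before any evidence has been gathered, and the secure choice is the one the text names, NO ACCESS.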
Software Application Controls
Controls are necessary to ensure adequate security of an enterprise software application. Controls can be preventive, detective or corrective in nature, and are classified as follows:
Administrative Controls: These are controls driven by company policies and procedures that employees must follow and that are in line with organisational objectives. Some examples:
- Separation of duties: Critical and sensitive enterprise operations are split into units so that the user who starts a process in an application cannot be the same one who completes it. Separation of duties is preventive in nature.
- Security awareness training: Application users are trained and informed on best practices in order to sustain the ongoing security of the application. Training can take the form of an educational email to users or a full training programme with a technical facilitator. This is also preventive in nature.
- Rotation of duties: Personnel in a job area are replaced with personnel from the same department, division or enterprise who have the skills and capability to do the job. This exposes the incoming personnel to any problematic practices of their predecessor. This is both preventive and detective in nature.
- Compulsory leave: An employee is required to take leave so that the job is handled by another employee in the meantime. This helps expose jobs that have not been done properly, and any shady practices, by the employee on leave. This control is preventive, detective and corrective at once.
Physical Controls: These controls ensure that the organization's information systems cannot be reached by people without authorization. Some examples:
- Identity badges: Every employee carries an ID card or badge issued by the company so they can be identified at any point. Badges also help control access to areas where software applications could be tampered with.
- Mantrap doors: A mantrap is a small enclosed passage with two interlocking doors, now commonly used at the entrance to banking halls; the second door opens only after the first has closed, so one person passes at a time and tailgating is prevented. Mantraps at bank entrances are often fitted with metal detectors to keep weapons and tools out of the premises.
- Turnstiles: These further prevent unauthorized access, as most turnstiles require some means of identification and authorization before granting access to the premises.
- Security guards, alarms and locks: Security guards may be posted at key locations as an additional control; they can exercise judgement and take initiative where a computerized system cannot. Alarms that trigger on a break-in, and locks, need to be in place for sensitive locations such as the organization's data centre.
Technical Controls: These controls use technology to control access to and usage of an information system. Some examples:
- Internet firewalls: These minimize the network's exposure to external attacks by allowing only the traffic that policy explicitly permits.
- Internet proxy servers: These act as an intermediary between the network and the Internet. They also add a layer of protection for machines on the local network by hiding their addresses from the Internet, so that external hosts see only the proxy.
- User authentication: Passwords, tokens and biometrics are authentication mechanisms that can be deployed to improve the security of software applications.
- Antivirus software: This is the most popular technical control in place today and is often misconceived as the ultimate security protection for software applications and networks. In reality, even the best antivirus software addresses only one class of threat and provides a small fraction of the security an enterprise needs. Imagine an employee with the best antivirus software running on their laptop who leaves it on the back seat of a taxi on the way home: antivirus does nothing for the data on that laptop, and the security threat is severe.
- Audit trails: These are a strong detective control for securing software applications. Auditing should be a requirement for any serious enterprise software application: it produces logs of user and system activity that can be traced back during the investigation of an incident or a fault. A software application that does not keep audit trails is not fit for deployment in the enterprise.
Security and SDLC
Security needs to be embedded in every stage of the SDLC. At the Project Initiation stage, a statement such as “the security of all data, information and operations in this software application shall be ensured” must be written into the project brief, so that the developer is aware of the organization's security expectations from the outset. Security also needs to be an integral part of the Functional Design Analysis and Planning stage. This is the stage at which the application's functions are determined, and it is very important to confirm that the design accommodates security principles. There are other key areas, but the most important are the development and testing stages. Testing should exercise worst-case and abuse-case scenarios, not only expected usage, so that the developer can identify and close out vulnerabilities before release. The software must also be implemented with adequate controls in place, and a proper analysis should confirm that separation of duties, rotation of duties and the other administrative controls are supported. Maintenance hooks must be removed before the software goes live, as must any backdoors or covert channels. Finally, disposal of the software application must be done securely, as it may hold very sensitive information that could fall into the hands of competitors.
Security and Change Management
A change management procedure should be in place to govern changes to a software application from one version to the next. Any change, no matter how small, needs to be verified and validated for assurance and quality. This helps avoid embarrassing situations in the production environment that proper change management would have caught beforehand. Inadequate change management can affect the availability of a software application if the changed function does not work as expected. Confidentiality can be breached if the change weakens the handling of classified data. The integrity of the system is in question if data stored in the system differs from the same data when retrieved later. Top management approval and sign-off is very important: it ensures that the change has been escalated to a level where its likely impact on business objectives has been considered and a decision to buy in or opt out has been made.