By: Tommi Makila, Senior Solutions Architect at Synopsys Software Integrity Group
Each and every company’s security needs are unique and ultimately the practices and policies related to such will be unique (or as I like to put it; it’s a journey). While best practices are a good start, you do need to take into consideration any unique threats in the particular sector your company is operating in and incorporate mitigations to these in your security practices.
It’s never a good security strategy to buy the latest security tool and call it a day. Software security isn’t plug-and-play. You need to invest in multiple tools along with focused developer training and tool customisation and integration before you’ll see a return on your security investment. So, before you get a tool that solves only a small subset of your security risks, take time to ensure that you have a solid software security strategy that includes these top 10 software security best practices.
1. Patch your software and systems
Many attackers exploit known vulnerabilities associated with old or out-of-date software. To thwart common attacks, ensure that all your systems have up-to-date patches. Regular patching is one of the most effective software security practices.
Of course, you can’t keep your software up to date if you don’t know what you’re using. Today, an average of 70% — and often more than 90% — of the software components in applications are open source. You need to maintain an inventory, or a software bill of materials (BOM), of those components. A BOM helps you make sure you are meeting the licensing obligations of those components and staying on top of patches.
It’s challenging to create a software BOM manually, but a software composition analysis (SCA) tool will automate the task and highlight both security and licensing risks.
2. Educate and train users
Employee training should be a part of your organisation’s security DNA. Having a well-organised and well-maintained security training curriculum for your employees will go a long way in protecting your data and assets. Include awareness training for all employees and secure coding training for developers. Do it regularly, not just once a year. And conduct simulations like phishing tests to help employees spot and shut down social engineering attacks.
3. Automate routine tasks
Attackers use automation to detect open ports, security misconfigurations, and so on. So you can’t defend your systems using only manual techniques. Instead, automate day-to-day security tasks, such as analysing firewall changes and device security configurations. Automating frequent tasks allows your security staff to focus on more strategic security initiatives.
You can also automate much of your software testing if you have the right tools. That includes, as noted in No. 1, maintaining a software BOM to help you update open source software components and comply with their licenses. With an SCA tool, you can automate a task that you simply can’t do manually.
4. Enforce least privilege
Ensure that users and systems have the minimum access privileges required to perform their job functions. Enforcing the principle of least privilege significantly reduces your attack surface by eliminating unnecessary access rights, which can cause a variety of compromises.
That includes avoiding “privilege creep,” which happens when administrators don’t revoke access to systems or resources an employee no longer needs. Privilege creep can occur when an employee moves to a new role, adopts new processes, leaves the organisation, or should have received only temporary or lower-level access in the first place.
5. Create a robust IR plan
No matter how much you adhere to software security best practices, you’ll always face the possibility of a breach. But if you prepare, you can stop attackers from achieving their mission even if they do breach your systems. Have a solid incident response (IR) plan in place to detect an attack and then limit the damage from it.
6. Document your security policies
Maintain a knowledge repository that includes comprehensively documented software security policies. Security policies allow your employees, including network administrators, security staff, and so on, to understand what activities you’re performing and why.
Also, it’s not enough just to have policies. Make sure everybody reads them. At a minimum, make that part of the onboarding process for new employees.
7. Segment your network
Segment your network is an application of the principle of least privilege. Proper network segmentation limits the movement of attackers. Identify where your critical data is stored and use appropriate security controls to limit the traffic to and from those network segments.
8. Integrate security into your SDLC
Integrate software security activities into your organisation’s software development life cycle (SDLC) from start to finish. Those activities should include architecture risk analysis, static, dynamic, and interactive application security testing, SCA, and pen testing. Building security into your SDLC does require time and effort at first. But fixing vulnerabilities early in the SDLC is vastly cheaper and much faster than waiting until the end. Ultimately, it reduces your exposure to security risks.
9. Monitor user activity
Trust, but verify. Monitoring user activities helps you ensure that users are following software security best practices. It also allows you to detect suspicious activities, such as privilege abuse and user impersonation.
Define key metrics that are meaningful and relevant to your organisation. Well-defined metrics will help you assess your security posture over time.
Best practices for better software security
As important as it is to have comprehensive tooling and tool-related processes to test your in-house developed (and possibly any 3rd party) software, it’s also vital to have a periodic practical verification of any implemented security practices, plans and policies themselves. For example, conducting disaster recovery or red teaming exercises. Even the perfectly designed and documented plans will have room for both errors and consequent improvement.
There’s no silver bullet when it comes to securing your organisation’s assets. But you can make your organisation a much more difficult target by sticking to the fundamentals. Following these top 10 software security best practices will help you cover those fundamentals. When you’re ready, take your organisation to the next level by starting a software security program.