Zechariah Akinpelu, Chief Information Security Officer (CISO), Unity Bank PLC.
Due to our need for rapid digitalization to make our work eager, malicious hackers are launching various new forms of cyberattacks. As such, it is crucial to protect our applications. Building a highly cyber-resilient application involves implementing strategies that help the application withstand cyberattacks and quickly recover from incidents caused by them.
Building a cyber-resilient application requires an essential comprehension of security standards. Proper security should ensure the confidentiality, integrity and availability of information within a business. This should all happen with the end goal of empowering business operations, but to do so requires an understanding of the risks associated with doing business digitally. To achieve all-around security, these practices must be embedded into the software development life cycle (SDLC).
Where should businesses start with this process? The following are some high-level steps that you can follow to build a cyber-resilient application:
1. Conduct a risk assessment. A risk assessment helps identify possible threats and vulnerabilities in your application. This will help you prioritize the most critical risks and develop a strategy to mitigate them. There are different standards that can be leveraged based on your organization.
2. Practice threat modeling. Threat modeling is the process of predicting all potential threats to an application and the vulnerabilities that the application has. Threat analysis, however, focuses on how an attacker could take advantage of a vulnerability to exploit a system’s resources or sensitive data.
3. Implement a defense-in-depth strategy. A defense-in-depth strategy involves implementing various layers of security controls such as a zero-trust architecture, the least privilege principle, microservices, multi-factor authentication, runtime application self-protection (RASP), firewalls, web application firewalls (WAF), anti-DDoS solutions, intrusion detection systems and access controls. This strategy helps prevent attackers from exploiting vulnerabilities in your application.
4. Implement security by design. Implementing security by design involves considering security requirements throughout the development lifecycle. This approach ensures security is built into the application from the beginning and is not an afterthought. Security testing should be implemented at various stages of the SDLC, as informed by the Open Web Application Security Project (OWASP). OWASP testing frameworks define various activities that should take place before development begins, during definition and design, during development, during deployment and during maintenance and operations.
5. Use secure coding practices. Write secure code using industry best practices such as input validation, output encoding, error handling and proper session management. Make sure to use secure coding standards and frameworks such as OWASP Top 10, SANS 25 and Carnegie Mellon Software Engineering Institute CERT Secure Coding Standards.
6. Conduct regular security testing. Conducting regular security testing to identify vulnerabilities and weaknesses in the application is very crucial. This can include penetration testing, security code reviews and vulnerability assessments.
7. Implement an incident response plan. A cyber incident response plan outlines the steps to take in the event of a security incident. This includes identifying the incident, containing the damage, investigating the cause, restoring normal operations and outlining lessons learned from the incident.
8. Train your employees. Educate your employees, especially those on the development team, on security best practices, how to recognize and respond to security threats and how to protect sensitive data. This includes regular security awareness training and phishing simulations.
To build a cyber-resilient application, adequate risk assessment and threat modeling need to happen. Also, security needs to be embedded in all the phases of SDLC because it will cost more to achieve a secure application after deployment. Remediation of some vulnerabilities might require time and effort—or even decommissioning the whole application if there is no adequate planning. You may also have to wait until an application goes live to see those vulnerabilities. In those cases, a robust incident response plan should be in place to help you deal with them.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here