False Economies Sabotage Product Development
Short-Term Savings, Long-Term Disaster: Neglecting Security's Impact in Product Development


Software is eating the world. Right now, your doorbell is probably arguing with your toaster about an IP address. The Internet of Things (IoT) marches onward to the future, perhaps in dangerous ways. Most product development companies deal with software or cyber-physical systems and face an ever-escalating gauntlet of security challenges. Every company's security issues are unique. Fortunately, a common principle can be applied to remedy all of them: ‘Building Security In’ is undoubtedly the principle to adopt. Yet product development companies still stumble when facing an old nemesis: believing in false economies. This perverse reasoning has an infamous track record. Here are some examples of false economies.

Lessons Learned, Again

A false economy is a decision that appears to save time or money in the short term but ends up costing more time and resources in the long run. These decisions are usually characterized by an initial perceived efficiency or savings, which is overshadowed by the negative consequences. Here’s an abridged catalog of common enough misjudgments:


Skimping on Quality Assurance (QA) and Testing

  • Short-Term Saving: Reducing investment in QA and testing to speed up development.
  • Long-Term Cost: Leads to a higher incidence of bugs and issues in production, which are more costly and time-consuming to fix later.

Neglecting Technical Debt

  • Short-Term Saving: Ignoring technical debt to deliver features faster.
  • Long-Term Cost: Accumulated technical debt makes the codebase harder and more expensive to maintain, eventually slowing down development and leading to instability.

Underestimating or Eliminating Documentation

  • Short-Term Saving: Minimizing time spent on documenting code and processes.
  • Long-Term Cost: Without adequate documentation, new team members spend more time understanding the system, and knowledge transfer becomes inefficient.

Opting for the Cheapest Solutions

  • Short-Term Saving: Choosing the cheapest tools, services, or labor without considering quality.
  • Long-Term Cost: The initial savings can be overshadowed by the costs of poor performance, lower productivity, loss of market share, or the need for replacement.

Overlooking Employee Training and Development

  • Short-Term Saving: Cutting costs on training programs for development teams.
  • Long-Term Cost: Leads to a skills gap in the team, reducing the ability to innovate or efficiently solve problems, which can stifle project progress.

Rushing to Release

  • Short-Term Saving: Pushing for premature releases to meet immediate business objectives.
  • Long-Term Cost: Launching a product before it’s fully ready can harm the user experience, brand reputation, and require significant resources to fix post-launch.

Avoiding User Feedback

  • Short-Term Saving: Skipping user testing or feedback sessions to speed up the development cycle.
  • Long-Term Cost: Without user input, the risk of building a product that doesn’t meet market needs or user expectations increases, potentially leading to failure.

Cutting Corners in Design

  • Short-Term Saving: Limiting time and resources on design to focus on development.
  • Long-Term Cost: Poor design can lead to subpar user experience, affecting user retention and the overall success of the software.


Addressing these false economies requires a balance between short-term gains and long-term goals, ensuring that cost-saving measures don't compromise the overall quality and viability of the product. Today, false economies also jeopardize product security.

False Economies Subvert Security

So let’s add to our list of false economies. Presently, product security runs the false economies gauntlet. Here’s a bit more twisted logic and a host of consequences:

Failing to Build Security In

  • Short-Term Saving: Limiting time and resources on security to focus on development.
  • Long-Term Cost: Weak security creates multiple streams of challenges; here are a few:

Data Breaches

  • Implication: Unauthorized access to sensitive data, leading to loss of confidentiality, integrity, and availability of data.
  • Cost: Direct financial losses from remediation efforts, legal fees, fines for regulatory non-compliance (e.g., GDPR, CCPA), and compensation to affected parties. Indirect costs include increased insurance premiums and investment in post-breach security measures.

Loss of Customer Trust and Brand Damage

  • Implication: Customers lose trust in a company's ability to protect their personal and financial information.
  • Cost: Loss of current and potential customers, decrease in sales/revenue, and long-term damage to the brand's reputation which can take years to rebuild.

Legal and Regulatory Consequences

  • Implication: Non-compliance with data protection and privacy laws.
  • Cost: Significant financial penalties from regulatory bodies, legal battles, and the cost of achieving compliance post-incident, which is often higher than proactive compliance.

Operational Disruption

  • Implication: Cyberattacks like ransomware can halt operations, causing service downtime.
  • Cost: Operational and productivity losses, potentially requiring payment of ransom (which does not guarantee data recovery), and costs associated with restoring services and data.

Intellectual Property Theft

  • Implication: Loss or compromise of proprietary information, trade secrets, and other intellectual assets.
  • Cost: Competitive disadvantage, loss of market position, and costs related to intellectual property (IP) theft litigation.

Increased Security and Remediation Costs

  • Implication: Need to address vulnerabilities and strengthen security posture after an incident.
  • Cost: Investments in security technologies, hiring of security experts, and implementation of more stringent security measures and policies.

Impact on Shareholder Value

  • Implication: Publicly traded companies may see a decline in stock price following a security breach.
  • Cost: Immediate loss in shareholder value and potential long-term impact on stock performance.

Employee Impact

  • Implication: Morale and productivity can suffer in the wake of a security breach.
  • Cost: Costs related to increased turnover, training new staff, and potential litigation from affected employees.


Building Security In

Though misguided notions of a false economy erode security, modern product development can ‘Build Security In’ cost effectively. The foundational practices of Continuous Integration (CI), Continuous Deployment (CD), and DevSecOps can streamline development workflows, enhance product quality, and integrate security throughout the product development lifecycle. What's the way?

Continuous Integration (CI)

CI is a product creation practice where developers frequently merge their code changes into a central repository, ideally multiple times a day. Each merge triggers an automated build and test process, allowing teams to detect and fix integration errors quickly, improve software quality, and accelerate the development cycle. Security can be checked during continuous product creation, even if only a nominal set of security tests is run. This lowers rework when issues are found at deployment.

Continuous Deployment (CD)

CD extends CI by automatically deploying all product changes to a production or production-like environment after the build stage. This means that besides integration and testing, the deployment process is also automated, enabling a seamless flow from code commit to deployment. Quite extensive “after the fact” security testing may then be run against the newly built (proposed to become live) environment. White hat hackers can continuously engage in risk-based and exploratory security testing.

DevSecOps

DevSecOps integrates security practices into the CI/CD pipeline. It ensures that security considerations are an integral part of the product development process from the outset. It's about breaking down the silos between Product Management, Software Development, Quality Assurance (QA), User Experience (UX) / User Interface (UI) Design, Technical Support, Marketing, Sales, Human Resources (HR), Finance, Legal, Customer Success, and Security. It’s about optimizing the whole with security in mind. The entire team developing a comprehensive catalog of security tests to run is both the initial and a continuous task. There are many great resources to help.

Building and Buying Your Catalog of Security Tests


It is entirely feasible and desirable to create some custom security tests. Ideas about these abound. The SANS Institute, in collaboration with MITRE, develops the CWE/SANS Top 25 Most Dangerous Software Errors list, a comprehensive guide highlighting the most critical programming errors that can lead to serious software vulnerabilities. This initiative is part of a broader effort to address software security issues by identifying common errors that developers make, which can compromise security. The list is instrumental for developers, security professionals, and organizations to understand and mitigate vulnerabilities effectively. It includes errors such as Out-of-Bounds Write, Cross-Site Scripting (XSS), SQL Injection, and many others, each ranked based on factors like prevalence, severity, and the potential impact on security. Additionally, the CWE (Common Weakness Enumeration) website, maintained by MITRE with support from the US Department of Homeland Security's National Cyber Security Division, offers detailed descriptions, prevention, and remediation steps for each error listed in the Top 25, along with information on over 700 additional software errors.

For more information on the Top 25 Most Dangerous Software Errors, visit the SANS Institute and the CWE website:


SANS Institute

CWE Top 25 Lists


The OWASP Top 10 is an authoritative guide that outlines the most critical security risks to web applications, developed and maintained by the OWASP Foundation, a worldwide not-for-profit organization dedicated to improving the security of software. The foundation is known for its openness, with the community at the heart of its projects. The OWASP Top 10 reflects a broad consensus about the most critical security risks to web applications. It is updated periodically, with contributions from security experts around the world who provide data, insights, and feedback. The 2021 edition, for example, introduced new categories and updates based on a blend of contributed data and the insights garnered from the OWASP community survey, showcasing a concerted effort to balance historical data with emerging trends in application security. The process for updating the OWASP Top 10 continues to be inclusive and data-driven. For the 2024 edition, the OWASP Foundation plans to collect data and contributions during the early part of 2024, reflecting the ongoing commitment to leveraging the collective expertise of the security community. This approach ensures that the OWASP Top 10 remains a relevant and practical resource for addressing current and emerging web application security risks.

The OWASP Foundation's role extends beyond curating the OWASP Top 10; it serves as a central resource for technological knowledge, tools, and methodologies related to software security. It operates under an open community model, where anyone can participate and contribute to OWASP projects and initiatives, reinforcing its mission to make software security visible so that individuals and organizations can make informed decisions.

For more information on OWASP and its projects, including the OWASP Top 10, you can visit the official OWASP website. Between SANS and OWASP alone, it becomes apparent that there are many avenues needing defense.
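The CI / CD / DevSecOps split described above, wired to the CWE Top 25 and OWASP Top 10 catalog, as an added example that is not part of the original article: a GitHub Actions workflow that runs a nominal set of security tests on every merge and a more extensive dynamic scan against the production-like environment after deployment. The `make` targets, the `STAGING_URL` repository variable and the action version tags are assumptions; the Semgrep rulesets `p/cwe-top-25` and `p/owasp-top-ten` and the `zaproxy/action-baseline` action are real, publicly available components.

```yaml
# Added example, not the article's own pipeline. Assumed: the project builds with
# "make build test" and deploys with "make deploy-staging"; the staging URL is in the
# repository variable STAGING_URL; action version tags are assumed.
name: build-security-in

on:
  push:
    branches: [main]
  pull_request:

jobs:
  # CI: every merge triggers the build, the unit tests and a nominal set of
  # security tests, so issues are found before deployment and rework is lower.
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and unit test
        run: make build test            # placeholder for the project's own build
      - name: Nominal security tests (SAST against the CWE Top 25 / OWASP Top 10 catalog)
        run: |
          pip install semgrep
          # Registry rulesets that map to the two lists cited in the article.
          # --error makes the job fail when any finding is reported.
          semgrep scan --config p/cwe-top-25 --config p/owasp-top-ten --error .

  # CD: after CI passes on main, deploy to a production-like environment and run
  # the more extensive "after the fact" testing against the proposed build.
  cd:
    needs: ci
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging
        run: make deploy-staging        # placeholder for the project's own deploy step
      - name: Dynamic scan of the staging environment (DAST with OWASP ZAP)
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: ${{ vars.STAGING_URL }}
          fail_action: true             # a failing scan blocks promotion to production
```

The CI job keeps the merge cycle fast with a small ruleset, while the ZAP baseline scan in the CD job is the cheap, automated floor under the risk-based and exploratory testing that the article says white hat testers can then run continuously.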

Security Tools

Security applications are another tool in the defense arsenal. In the world of software and application security, many tools are available to professionals aiming to detect vulnerabilities, ensure adherence to security standards, and bolster overall security measures. These tools span various methodologies, including static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST). Here's an overview of several popular security testing tools:

1. SonarQube - Known for continuous inspection of code quality and security, identifying bugs and security vulnerabilities within the codebase. Supports multiple languages and integrates seamlessly with CI/CD pipelines.

2. Fortify by Micro Focus - Offers SAST and DAST solutions, covering a broad spectrum of programming languages and frameworks. It's designed to fit into the SDLC for early vulnerability detection.

3. Checkmarx - A SAST tool recognized for scanning uncompiled/unbuilt code and detecting security vulnerabilities across various coding and scripting languages, including mobile app security.

4. Veracode - Delivers a cloud-based service encompassing SAST, DAST, and software composition analysis (SCA), aimed at enabling secure software development at high speed and scale.

5. Burp Suite - A suite primarily offering DAST capabilities, providing a comprehensive web application security testing solution, including both automated scanning and manual testing tools.

6. OWASP ZAP (Zed Attack Proxy) - An open-source DAST tool by OWASP, designed to find security vulnerabilities in web applications during development and testing.

7. Qualys - Offers cloud-based security and compliance solutions, including vulnerability management, compliance monitoring, and web application scanning, known for its extensive scanning capabilities.

8. Coverity - A Synopsys tool, Coverity stands out for its SAST capabilities, offering deep, full-path analysis to uncover vulnerabilities in both proprietary code and open-source components. Coverity is designed to integrate into the SDLC, providing fast feedback to developers and aiding in the quick remediation of detected issues.


Each tool has unique strengths, catering to specific stages of the product development life cycle or types of applications. It's common practice for organizations to employ a mix of these tools to establish a comprehensive security posture that adequately covers the full spectrum of their application inventory.


We must attend to security. ‘Build Security In’ to the entire product development lifecycle. It’s malpractice not to!
