Wondering how to choose a secure software development company in 2022? Let’s find out.
The hit book “The 7 Habits of Highly Effective People” sold 25 million copies worldwide and was translated into 40 languages. It was a success because it encapsulated a list of just seven things you could do to achieve prosperity; these seven habits included gaining an understanding of your environment and being proactive. The same two habits, being proactive about security and understanding the threat landscape, should be standard practice within a software development company. This is especially important as many software developers prefer to work from home or remotely, in an environment that can be harder to secure because it sits outside the bounds of the corporate network.
Here is a look at the most important factors to consider, including those that extend to home working, when searching for a secure software development company.
Software Development Company Bad Practices that Lead to Security Risk
Software developers love to work flexibly; as a group, software developers embraced the whole work from home ethos long before the Covid-19 pandemic. A 2019 Salary Survey from Dice found that 73% of tech pros viewed home working as an “important perk” of the job. Back then, less than half of employers offered remote or home working as an option to software developers. Since the pandemic, however, home working has taken on new proportions. The GitHub 2021 Octoverse survey, which interviewed over 12,000 software developers, found that only 11% of them expect to go back to working in an office, post-pandemic.
The expectation that, as a developer, you can work from home affects the security posture of a software development company, and could ultimately increase the risk to its customer base too. Working from home has known security gaps for all companies, and software development companies are no exception. The typical work environment of a software developer is often less constrained than that of other workers. Software developers may need to use many more tools, which expands the potential attack surface. Or they may communicate through collaboration tools or online portals and share sensitive information, including credentials, in an insecure manner. A 2015 account compromise incident is an infamous example of this. The accounts were compromised because developers had committed Slack API tokens to GitHub when they shared projects. Anyone who found a token could use it to access the corresponding Slack team, where they were able to obtain database credentials, sensitive private messages, and passwords.
Poor security practices by a software developer can lead not only to an internal security event but can affect customers too.
The Software Development Company as a Supplier
Poor security at a software development company can have a wide-ranging impact. It is not just the companies themselves that are at risk of data loss and IP exposure. Software companies can be used to target a wider audience, namely, the software development companies’ customer base.
One of the areas that makes software development companies especially vulnerable to cyber-attacks is their position in the supply chain. Supply chain attacks are increasing, and a trusted software update offers an ideal delivery mechanism for malware, as the SolarWinds SUNBURST cyber-attacks of 2020 showed. The vendor supply chain has become a focus of cybercriminals in recent years. An ENISA (European Union Agency for Cybersecurity) study into supply chain attacks found that in 66% of cases, the attackers focused on the supplier’s code.
This scenario played out in one of the most significant cyber-attacks of recent years, the SolarWinds SUNBURST attack. The initial point of entry has never been publicly confirmed; one of the scenarios put forward is compromised Office 365 accounts, with a phishing email as the most likely route in. From there, the attackers escalated privileges to gain entry to SolarWinds’ IT networks and, eventually, its build environment. There they inserted the SUNBURST code into the SolarWinds Orion Platform software during the build itself, so the backdoored component was compiled and signed with SolarWinds’ own code-signing certificate. The result was that SolarWinds customers received a malware-infected, but validly signed, software update, which passed the integrity checks that normally protect against tampered downloads. The SUNBURST malware created a backdoor that gave the attackers access to an infected company’s networks. The infected update was delivered to around 18,000 customers around the world, including tech companies and government organizations.
Effective Security Strategies of a Software Development Company
Risk mitigation through a proactive and positive security posture is a key requirement of any highly effective business. A positive security posture is no less important at a software development company than at any other company that has sensitive data and intellectual property to protect. Software companies must build a secure development environment to ensure that exposed IP or sensitive data, and vulnerabilities in the code they ship, do not harm them or their customers.
The following cybersecurity elements are a must-have in any software development company, and they must extend to software developers working from home. The baseline home working security strategy for developers should include Zero Trust and employee monitoring:
A Zero Trust approach verifies the person and the device on every access request to a resource, regardless of whether the request comes from the corporate network or a home connection. Within a Zero Trust environment, certain technologies are used to perform this enforcement, including identity and access management (IAM), robust authentication including multi-factor credentials, and endpoint security technology that reports the device’s state. Employee monitoring also provides an important part of a holistic Zero Trust environment.
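To make the per-request checks concrete, here is an added example of a small Zero Trust policy evaluator in Python. It is illustrative code written for this page, not code from the original article or from any product it mentions; the roles, devices, resources, users and networks in it are hypothetical. It applies the checks described above to each request: the session must have completed multi-factor authentication, the device must report a compliant posture, the user’s role must grant the exact resource and action (least privilege), and privileged actions need recent MFA. The source network is logged for audit but never consulted for the decision, so a request from a home ISP and one from the office LAN are judged the same way.

```python
"""
Minimal Zero Trust access-policy evaluator (added example; not code from the
article or any product it describes). Every request is judged on its own merits:
identity, device posture, least-privilege role, and MFA freshness. The source
network is recorded for audit but is never a factor in the decision.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role-to-permission table (least privilege: each role lists only
# the (resource, action) pairs it needs).
ROLE_PERMISSIONS = {
    "developer": {("source-repo", "read"), ("source-repo", "write"), ("ci", "read")},
    "release-engineer": {("source-repo", "read"), ("ci", "read"),
                         ("ci", "deploy"), ("prod-secrets", "read")},
}
# Actions that additionally require MFA to have happened within MFA_MAX_AGE.
PRIVILEGED_ACTIONS = {("ci", "deploy"), ("prod-secrets", "read")}
MFA_MAX_AGE = timedelta(minutes=15)


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_patch_age_days <= 30


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    device: Device
    resource: str
    action: str
    last_mfa_at: Optional[datetime]  # None if the session never completed MFA
    source_network: str              # audit only; deliberately unused in evaluate()


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Evaluate one request; all checks must pass, and reasons explain any denial."""
    reasons = []
    # 1. Authentication: the session must have completed multi-factor authentication.
    if req.last_mfa_at is None:
        reasons.append("no multi-factor authentication on this session")
    # 2. Device posture: an unmanaged or stale device is denied whoever the user is.
    if not req.device.compliant():
        reasons.append(f"device {req.device.device_id} is not compliant")
    # 3. Least privilege: the (resource, action) pair must be granted by some role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        reasons.append(f"roles {sorted(req.roles)} do not permit {req.action} on {req.resource}")
    # 4. Step-up: privileged actions need recent MFA, not just MFA at login.
    if (req.resource, req.action) in PRIVILEGED_ACTIONS and req.last_mfa_at is not None:
        if now - req.last_mfa_at > MFA_MAX_AGE:
            reasons.append("privileged action requires MFA within the last 15 minutes")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(req: AccessRequest, decision: Decision, now: datetime) -> str:
    """One JSON line per decision. The network is logged so monitoring can spot
    unusual access patterns even though it never influences the decision."""
    return json.dumps({"ts": now.isoformat(), "user": req.user,
                       "device": req.device.device_id, "network": req.source_network,
                       "resource": req.resource, "action": req.action,
                       "allowed": decision.allowed, "reasons": decision.reasons})


# Constructed scenarios (hypothetical users, devices and networks) for demonstration.
SAMPLE_NOW = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
MANAGED_LAPTOP = Device("laptop-1", managed=True, disk_encrypted=True, os_patch_age_days=5)
PERSONAL_LAPTOP = Device("byod-2", managed=False, disk_encrypted=True, os_patch_age_days=5)


def sample_requests() -> dict:
    dev, rel = frozenset({"developer"}), frozenset({"release-engineer"})
    return {
        # Developer pushing code from home on a managed laptop: allowed.
        "dev_write_from_home": AccessRequest("alice", dev, MANAGED_LAPTOP, "source-repo", "write",
                                             SAMPLE_NOW - timedelta(hours=3), "home-isp"),
        # Same developer on the office LAN trying to deploy: denied, role does not allow it.
        "dev_deploy_from_office": AccessRequest("alice", dev, MANAGED_LAPTOP, "ci", "deploy",
                                                SAMPLE_NOW - timedelta(minutes=1), "corp-lan"),
        # Release engineer whose MFA is three hours old: denied, needs step-up.
        "release_deploy_stale_mfa": AccessRequest("bob", rel, MANAGED_LAPTOP, "ci", "deploy",
                                                  SAMPLE_NOW - timedelta(hours=3), "corp-lan"),
        # Same request minutes after re-authenticating, from home: allowed.
        "release_deploy_fresh_mfa": AccessRequest("bob", rel, MANAGED_LAPTOP, "ci", "deploy",
                                                  SAMPLE_NOW - timedelta(minutes=5), "home-isp"),
        # Release engineer on an unmanaged personal laptop: denied on device posture.
        "release_read_secrets_byod": AccessRequest("bob", rel, PERSONAL_LAPTOP, "prod-secrets", "read",
                                                   SAMPLE_NOW - timedelta(minutes=5), "corp-lan"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, audit_line(req, evaluate(req, SAMPLE_NOW), SAMPLE_NOW))
```

Running the file prints one JSON audit line per sample scenario. The denial reasons are what an administrator would tune over time, and the logged network and device fields are what a monitoring tool would correlate to spot an account being used in an unusual way.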
Ensuring that employees are working effectively and securely is a key part of maintaining a positive security posture. Well-designed employee monitoring tools help to monitor and maintain a Zero Trust environment unobtrusively. Employee monitoring tools are designed to work outside of the corporate perimeter and so suit software developers who work from home. As well as helping to detect insider threats, employee monitoring provides the intelligence to tune the rules of a Zero Trust implementation. This helps ensure that any administration-level accounts, typical of software developers, are being used correctly.
Zero Trust complements DevSecOps, a discipline that merges security, development, and operations across the software development life cycle (SDLC). Security then becomes a shared responsibility of everyone across the SDLC. Some of the key features of a DevSecOps-enabled secure software development environment include:
- Regular security awareness training for developers, including good security hygiene such as never committing private keys, API tokens, or passwords to code repositories or pasting them into collaboration tools
- Threat modeling to identify code-related or SDLC vulnerabilities
- Robust access control, including least privilege policies
- An employee monitoring tool to spot insider threats (both accidental and malicious)
- Incident response playbooks that can be used to deal quickly with incoming threats
- An incident reporting tool through which developers can report issues for triage
- Use of security and monitoring tools that detect vulnerabilities across the SDLC
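The Slack tokens committed to GitHub in the incident described earlier and the first bullet above come down to the same control: catch credentials before they reach a shared repository. The following Python pre-commit hook is an added example written for this page, not code from the original article or from any tool it names. The token formats it matches are the documented prefixes for Slack tokens, AWS access key IDs, GitHub personal access tokens and PEM private keys; the entropy heuristic, its threshold and the sample diff are constructed for demonstration, and the AWS key ID in the sample is the placeholder from AWS documentation, not a real key.

```python
"""
Pre-commit secret scanner (added example; not code from the original article).

Scans the lines a commit would add for well-known credential formats (Slack
tokens, AWS access key IDs, GitHub personal access tokens, PEM private keys)
and for high-entropy literals assigned to password/secret-like names.
Install as a git hook: copy to .git/hooks/pre-commit and make it executable.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Documented prefixes for each credential type; lengths are deliberately loose so
# minor format changes still match. Matching is case-sensitive on purpose.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"),
}
# A quoted literal of 16+ characters assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5   # bits per character; natural-language values sit well below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Show enough of a value to locate it in the diff, never enough to reuse it."""
    return value[:6] + "..." if len(value) > 6 else "***"


def find_secrets(text: str) -> list:
    """Return (line_number, kind, redacted_value) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, redact(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_" + m.group(1).lower(), redact(m.group(2))))
    return findings


def added_lines(diff: str) -> str:
    """Keep only the '+' lines of a unified diff, dropping the '+++' file headers."""
    return "\n".join(line[1:] for line in diff.splitlines()
                     if line.startswith("+") and not line.startswith("+++"))


def scan_diff(diff: str) -> list:
    """Scan the additions in a unified diff; line numbers count added lines only."""
    return find_secrets(added_lines(diff))


def scan_staged_changes() -> int:
    """Scan what `git commit` is about to add; exit status 1 blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for lineno, kind, value in findings:
        print(f"possible {kind} in added line {lineno}: {value}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff for a dry run. None of these are real credentials; the
# AWS key ID is the placeholder used in AWS documentation.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -0,0 +1,4 @@",
    '+SLACK_TOKEN = "xoxb-1234567890-0987654321-' + "a" * 24 + '"',
    '+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+db_password = "Tr0ub4dor&3-x9Q!mZ2pLk7v"',
    '+password = "changemechangeme"',   # low entropy placeholder: not flagged
])

if __name__ == "__main__":
    sys.exit(scan_staged_changes())
```

The entropy check catches generic secrets the patterns cannot know about (a random database password, say) while letting obvious placeholders such as `changemechangeme` through. In practice a hook like this sits alongside server-side scanning of pushed commits, because a client-side hook only runs on machines where someone installed it.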
Keeping software developers happy is important in maintaining an effective development team. However, a software development company must offset this choice of work environment with robust security measures to ensure the company and customers are secure. By using certain security strategies, including Zero Trust and employee monitoring, even the less constrained and home working environments needed by developers can be as secure as if they were within the corporate network.