A Recipe for Avoiding Software Failures
Have you ever baked something, only to see it fail due to the lack of a key ingredient? For instance, a cake will not rise if you add baking powder after you realize it was forgotten in the original ingredient list. The same is true for many failed endeavors. The addition of a critical component after the project is completed does little to improve the original plan. In many cases, it introduces unintended complexity that sets off a cascading series of problems.
As a security professional, you can probably name a list of software that was released too early, requiring so many revisions to correct the problems that the original intent was dwarfed by the patches. According to one source, software failures in 2017 resulted in losses that exceeded $1.7 trillion. Of course, most of the failures were the result of security vulnerabilities.
Documented failures in IoT devices abound as well. From vulnerabilities in internet-connected light bulbs, medical devices, and smart locks, it all starts to add up to a larger problem: loss of consumer confidence. In some cases, selling a product that does not work as described can result in severe consequences. Too often, many of these failures are a result of “the rush to market.” Just as haste to bake a cake can result in an overlooked ingredient, the need to bolt on security after a product release can result in an equally embarrassing flop.
Frequent patching to fix a problem is also rather awkward. Patching is such a disruptive process for most organizations that it is sometimes ignored. Even more disruptive is the unfortunate consequence of a patch that is not effectively applied, as was the case in the infamous Equifax breach.
Is there a way to prevent failures brought about through rushed design processes? It depends on many factors, but one that is sure to bring better results is working with a Certified Secure Software Lifecycle Professional (CSSLP). A person with the CSSLP credential is trained in both the understanding of, and a practical approach to, building security into all phases of the software development lifecycle (SDLC). Just as baking a cake requires more than a compilation of ingredients, a trained software security lifecycle professional knows the factors beyond programming that can result in more secure software, from inception to release and response.
Mise en Place
“Mise en Place” (pronounced: Meess ehn plahss) is a cooking term which means having everything prepared and in place before you begin. The same is true of your SDLC. The earliest part of any development plan must include the security basics. Whether your team is using a Waterfall, Agile, or other development model, they all must start with an organized assessment of the requirements, not only from an expectation of the end-product, but also of the security that is required. A failure to adequately plan can end up costing more in time and money to fix at later stages. This phase must be carefully plotted, and, if done well, carefully adhered to. As chef Anthony Bourdain once remarked, “Don’t mess with my mis.” A person who has achieved the CSSLP credential has the qualifications to plan correctly to avoid many of the pitfalls that may appear.
Make Sure That All Your Pans and Utensils Are Clean
Few things are scarier than food poisoning. Food poisoning is estimated to affect more than 48 million people every year in the United States. Most of the time, food poisoning is caused by bacteria, rather than a result of contaminants in the food. Likewise, your SDLC can suffer contaminants as the design phase progresses. Inadequate threat modeling can result in overlooked problems that can cause defects along the entire development chain. This can be just as damaging to the final product as poisoning your dinner guests. Threat modeling is part of the core material which a CSSLP candidate must understand.
Preheat The Oven
As the ingredients are gathered, and the sanitized equipment is set up, the oven should be pre-heated. This is important because when the wet and dry ingredients are mixed, various chemical reactions start to occur, which, if left too long, will negatively affect the final product. This is equally true of the implementation phase of the SDLC. This is where all the parts start to come together and must be checked against the rest of the system into which the software will be integrated. Everything must be absolutely ready and set, and all contingencies must be checked and monitored.
Does The Skewer Come Out Clean?
During the course of baking, testing is vital to a finished product, lest your creation be labeled “half-baked.” One way to test a cake is to poke it in the center with a thin skewer or toothpick, and if the rod comes out clean, the cake is done. Testing and verification are essential prior to release. Depending on the type of software, different testing methodologies are required to get a full sense of the security of the product. In the Waterfall Model of software development, testing is considered one of the most important phases. Think about how damaging it would be if your efforts are branded as “half-baked,” especially from a security perspective.
The Taste Test
After all is done, the cake has cooled, and all looks perfect, the moment of truth is when the cake is tasted. This is the release and response phase of an SDLC. In the case of a finished cake, there is little that can be done to save it if it tastes bad. You can only try to fix it next time. In software development, responses to the finished product can be received and evaluated with a view to making improvements. Rarely does the entire project end up in the garbage. If all the previous steps are followed, the result may not be perfect, but it will be flexible enough to withstand remediation. Understanding and diligently applying the phases of an SDLC can make sure that a product, even one with an urgent requirement to market, can be as secure as possible.
To learn more about building security into all phases of the SDLC, read our white paper, How to Reap the Benefits of DevSecOps.
How The CSSLP Can Help You Succeed
If you are a security professional looking to increase your knowledge of all aspects of software security principles and practices, the CSSLP credential offered by (ISC)² is the perfect means to gain the required understanding and skills for this important facet of information security. The CSSLP credential gives you the skills you need to function at the highest levels of software security, from design, through development, evaluation, and all other security considerations. This certification also shows your employer that you possess specialized knowledge and dedication in the vast and growing field of information security.