Staying one step ahead of cyber attacks - Building secure applications: the Secure Software Development Lifecycle (SSDLC)
11 October 2022
Hackers are energetic innovators, constantly developing and changing their methods and expanding their cyber attack capabilities. They relentlessly target business-critical applications on web and mobile devices, looking for weaknesses. They want to access data, to launch ransomware attacks, to misuse infrastructure for their own purposes or simply to disrupt the target’s continuity of service through (D)DoS attacks. But what does this mean to us at iO as application creators?
It means we need a broad range of reliable strategies to stay ahead of these security threats.
How do we find the balance between attack prevention and acceptable risk?
At iO, we create applications for a wide range of clients with a broad scope of security breach risks. Security threat mitigation is time consuming, because it demands time and expertise from web architects, developers and testers. They need time to find, analyse, develop and, crucially, test threat mitigations.
The initial costs can be a significant part of the development budget, but when you’re talking about secure development, early stage investments are always less costly than the measures you’re forced to take when bugs emerge later in the process.
The earlier in the development process you guarantee security, the more efficiently you can build secure applications. To work effectively, secure development has to be an integral part of every step in a project and process: part of the fabric. That's why iO's Secure Software Development LifeCycle (SSDLC) is designed to be just as end-to-end as our market proposition is.
Finding the right balance
Experience informs practice at iO. We deliver the right balance between investment in attack prevention and acceptable risk (= chance x consequence). In collaboration with our clients, we assess what kind of data is processed and stored in the system. This information is used to anticipate the negative consequences of a data exposure, both for the users and for the client itself, in terms of fines and reputational damage. Risk exposure is classified using the CIA rating triad (Confidentiality, Integrity and Availability) and a PIA (Privacy Impact Assessment).
These evaluations are always carried out in close collaboration with our clients, and are used to set the risk classification of the project to Low, Medium or High, which in turn determines which controls we select from the Secure Software Development LifeCycle and the level at which we implement them.
Secure Software Development LifeCycle: the unshakeable foundation of all safe applications
To provide our teams with the right tools to prevent, detect, mitigate and respond to security bugs, iO created our own Secure Software Development LifeCycle.
What is the iO SSDLC?
An SSDLC is a set of policies, best practices, tools and processes that address different challenges faced by developers at every stage of the development lifecycle. An SSDLC gives developers a structured way to think about and address the security impact in every stage of the development process.
The iO SSDLC covers 9 distinct stages of development ((Pre-)sales, Governance, Training, Requirements, Design, Implementation, Verification, Release and Operations). Every stage has controls, each tied to 1 key security element: a point of concern, an investigation, a (mandatory) action to carry out, or advice to give the client.
The classification of the level of risk in the system (Low, Medium or High) determines exactly which controls have to be included and at which level. For Low risk developments we use a minimal set of basic controls, High risk includes all controls implemented at the highest level, and Medium risk includes enhanced basic controls according to need.
Let’s explain a little bit more about how we build highly secure software
Here are a few examples of SSDLC controls:
iO developers receive periodic secure development training. They learn about the latest and most commonly used attacks and how to defend against them within their specific expertise. They are trained in generic office security (like locking laptops, closing doors, etc.), authentication techniques (like OAuth/OIDC and securing JWT tokens), how to use (the latest) security headers properly, language-specific cross-site scripting mitigation, securing APIs, validation and encoding, and the like.
Secure development guidelines
iO developers follow secure development guidelines and best practices, and we automate testing as much as possible.
Formulating security requirements
We collaborate with our clients to determine their system’s security requirements.
Where needed, we use threat modelling to identify potential threats, attacks and vulnerabilities that could negatively impact our clients’ businesses, and the countermeasures against them.
Security risk rating
Every solution is given a security risk rating. This rating is key to deciding which controls we will implement.
We check our work by doing peer reviews, static application security testing (SAST) and dynamic application security testing (DAST).
All third-party libraries are periodically monitored and kept up to date using best-of-breed tools to automate as much as possible. We keep monitoring after go-live as well.
(External) PEN test
Even though iO performs our own security tests using our selected tooling, PEN (penetration) tests are carried out by an independent party. We can help find the right partner, and actively assist the testers. We then resolve issues revealed by the PEN test, or consult with the client to assess their tolerance for acceptable risk.
Debugging and proactive monitoring
Proactive monitoring of the system, together with proper logging, monitoring and alerting during both development and production, helps find issues in time and makes debugging them easier.
The iO SSDLC: a programme of constant improvement
This is just a small subset of the controls in the iO Secure Software Development LifeCycle. In total, our SSDLC consists of 34 controls at the time of writing, divided over the 9 development stages. The control set is constantly improving: because the controls are part of every project, they are under permanent review. In addition, our dedicated expert group keeps track of new developments in the secure development and DevOps domains. It only gets better.
Ultimately, our goal at iO is to deliver web applications and mobile apps that are consistently secure and keep our clients ahead of the cybercriminals.
Ready to get started with secure development?
Our experts can’t wait to tell you more about how we ensure security in the development process at iO.
Owin Gruters, Technology Director | iO
As Technology Director, Solution Architect and Azure Expert, Owin supports the realisation of the technological ambitions of iO and its clients. By relying on his knowledge of solution architecture, development, Azure cloud, DevOps, business, and security, he connects stakeholders within both (inter)national projects as well as iO's own development processes.