* Kelli Ribeiro

In recent years, numerous companies have been targets of cyber attacks or have been involved in incidents of data theft or leakage, suffering damages such as:

  • Alteration of the content of web pages;
  • Service interruption;
  • Leakage of strategic information or of employee and customer data held in databases, file servers and e-mails.

Web systems are one of the main targets of attacks, due to the ease of exploiting vulnerabilities and the difficulty of identifying the criminal responsible for the attack.

To maintain the security of software, it is necessary to guarantee the confidentiality, integrity and availability of the information resources that support it. For this reason, companies are increasingly looking for ways to improve the security of their software from the moment it is developed. This is where the concept and process of secure development arise.

Benefits of developing secure code:

  • Fewer incidents;
  • Less downtime for software maintenance;
  • Reduced rework costs;
  • Compliance with regulations and legislation and, as a result, greater market confidence and a competitive advantage.

Systems development life cycle (SDLC):

Best practices for developing software require security to be integrated at each stage of software development, which helps to detect problems early and thereby reduces development costs.

The following phases should be considered:

  • Training: build a security culture in the business and technical teams;
  • Requirements: analyze and discuss security requirements:
    1. Identify the necessary security, the minimum requirements for any software;
    2. Privacy;
    3. Current legislation, internal and external policies;
    4. Define development experts and information security professionals;
    5. Minimum acceptable data security;
    6. Assessment of security and privacy risks;
    7. Use testing tools;
    8. Define quality gates: the criteria for advancing to the next step should include security flaws;
  • Design: architect the software based on the security requirements. Privacy must be evaluated by the developers together with the business area;
  • Implementation: specify security tools and checklists, enforce the list of prohibited functions, perform static analysis, and apply secure coding best practices to help implement a secure design;
  • Verification: test the software, using methods that validate everything from functionality to information security and privacy requirements;
  • Launch: define the incident response plan for the software, with the person responsible for each stage duly documented;
  • Response: execute the incident response plan, which consists of:
    • Responding to security defects and working with the people who discover security problems in the code;
    • Learning from mistakes by analyzing and documenting the cause of defects.

ISO 27001 requirements

ISO 27001 has 16 (sixteen) controls organized in Annex A.14. The following controls should be considered for secure development:

  • Ensure that information security is an integral part of information systems throughout the life cycle;
  • Include requirements related to information security in the specifications and requirements;
  • Protect systems in service transactions: information involved in transactions must be protected to prevent errors, changes and unauthorized disclosures;
  • Implement change control procedures for systems;
  • Establish suitable environments for secure development, covering the entire life cycle;
  • Supervise and monitor outsourced development activities;
  • Ensure the protection of data used for testing.

Conclusion

Secure software development is a topic of extreme relevance for organizations and is becoming increasingly complex as the amount of information being handled grows. Ensuring that this data is secure is critical to business success.

SAFEWAY can help your organization implement a secure development methodology by implementing the development life cycle (SDLC) together with the ISO 27001 controls, so that secure development is treated as a systematic and continuous process that maintains security levels.