The Secure Software Habit

Creating software with the user's trust in mind requires intention. That trust is built by designing software that prioritizes the three key tenets of security: confidentiality, integrity, and availability. There are numerous habits that can be built into engineering and testing practice to support this goal. Some are specific to security, some are not.

We'll group these activities by the three big phases: building, testing, and deployment.

Building Phase

Threat Model
  Description: Actively consider what can possibly go wrong and how the software should respond.
  Pro: Can be applied to every aspect of the software and, typically, in every phase.
  Cons: Biases tend to keep certain classes of issue out of view; it takes an open mind.

Coding Standards
  Description: Rules and guidelines for code: naming conventions, data handling, functions that must not be called, and others.
  Pro: Provides some degree of consistency across the code base.
  Cons: Hard to enforce and can be hard to learn; the rule set needs balance.

Code Reviews
  Description: Manual review of code submitted for deployment, with peers looking for errors and areas of improvement.
  Pro: A second pair of eyes catches errors and improvements the author missed.
  Cons: Subjective; quality depends on the skill of the person performing the review.

Code Quality Scans
  Description: Automated scans that check code for known bad programming practices.
  Pro: Can lead to higher code quality and better resource management.
  Cons: False positives; oversimplification.

SAST (Static Application Security Testing)
  Description: Analyzing source code for vulnerabilities without running it.
  Pro: Fast scans for known security issues; can be run at multiple points in the development process.
  Cons: These are rules engines, so results depend on code complexity and on language and framework support. Time-intensive to run if not properly tuned and planned.

Unit Tests
  Description: Tests written to verify the behavior of a small unit of work.
  Pro: Ensures component reliability.
  Cons: Time-consuming to write and maintain.

Integration Tests
  Description: Testing combined components or systems.
  Pro: Verifies module interaction and interfaces.
  Cons: Complex to set up and execute.

End to End Testing
  Description: Testing the complete flow of an application from start to end in a production-like environment to ensure overall system performance and behavior.
  Pro: Validates the entire application flow, ensuring all integrated components work together.
  Cons: Time-consuming and resource-intensive to set up and execute; complex scenarios can be hard to simulate accurately.
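To make the "rules engine" nature of code quality scans and SAST concrete, here is a small static checker added as an example; it is not code from this page or from any scanning product. It walks the Python syntax tree with the standard ast module, applies a handful of rules for functions a coding standard might disallow, and includes a sample file showing what such a rule catches, what it correctly skips, and what it misses once the code gets slightly indirect. The rule ids, the rule set and the sample source are assumptions made for the example.

```python
"""Minimal SAST-style rules engine, added here as an example (not from the page).

It parses Python source with the standard ``ast`` module and flags calls that a
coding standard might disallow. The rule ids, the rule set and the sample source
are constructed for this example.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Calls flagged unconditionally. (Hypothetical rule ids.)
DISALLOWED = {
    "eval": "SEC001 eval() executes arbitrary code",
    "exec": "SEC001 exec() executes arbitrary code",
    "os.system": "SEC002 os.system() runs a shell; use subprocess with a list argv",
    "pickle.loads": "SEC003 pickle of untrusted data leads to code execution",
    "yaml.load": "SEC004 yaml.load() without SafeLoader can instantiate arbitrary objects",
}
# Calls flagged only when shell=True is passed: this rule needs call context.
SHELL_APIS = {"subprocess.run", "subprocess.call", "subprocess.check_output", "subprocess.Popen"}


@dataclass(frozen=True)
class Finding:
    line: int
    call: str
    message: str


def _dotted_name(node: ast.Call) -> Optional[str]:
    """Return the callee as a dotted name ('os.system'), or None if it is not a plain name chain."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _keyword(node: ast.Call, name: str) -> Optional[ast.expr]:
    """Return the value expression of keyword argument `name`, if present."""
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


class _Rules(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node)
        if name in DISALLOWED:
            loader = _keyword(node, "Loader")
            # yaml.load(..., Loader=yaml.SafeLoader) is the sanctioned form; do not flag it.
            safe_yaml = (name == "yaml.load" and isinstance(loader, ast.Attribute)
                         and loader.attr == "SafeLoader")
            if not safe_yaml:
                self.findings.append(Finding(node.lineno, name, DISALLOWED[name]))
        elif name in SHELL_APIS:
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.findings.append(Finding(node.lineno, name, "SEC002 shell=True with a command string"))
        self.generic_visit(node)  # keep descending: eval(os.system(x)) should flag both


def scan(source: str) -> List[Finding]:
    """Run the rules over one source file and return findings sorted by line."""
    visitor = _Rules()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: what the engine catches, what it correctly skips, and what it misses.
SAMPLE = """\
import os, subprocess, yaml, pickle
from os import system as run

def handler(user_input, blob, doc):
    result = eval(user_input)                       # flagged: SEC001
    os.system("ls " + user_input)                   # flagged: SEC002
    subprocess.run(["ls", user_input])              # not flagged: no shell
    subprocess.run("ls " + user_input, shell=True)  # flagged: SEC002
    cfg = yaml.load(doc, Loader=yaml.SafeLoader)    # not flagged: safe loader
    obj = pickle.loads(blob)                        # flagged: SEC003
    run("ls " + user_input)                         # missed: the alias is not resolved
    return result, cfg, obj
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line}: {f.call}: {f.message}")
```

The last line of the sample is the cons column in practice: `run` is `os.system`, but a rule keyed on a dotted name never sees it, so every new idiom, language or framework needs its own rule before the scanner finds anything. The same name lookup would also fire on an unrelated local function that happens to be called `eval`, which is where the false positives come from.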

Testing Phase

Vulnerability Testing
  Description: Scanning software to identify known security vulnerabilities.
  Pro: Highlights specific security weaknesses.
  Cons: May not cover all potential attack vectors; does not go deep.

Penetration Testing
  Description: Simulated attacks to find weaknesses, typically aimed at specific assets.
  Pro: Mimics real-world attack scenarios.
  Cons: Resource-intensive and potentially disruptive; time-boxed.

IAST (Interactive Application Security Testing)
  Description: Combines static and dynamic analysis by placing agents or monitors inside the running application.
  Pro: Detailed and continuous analysis.
  Cons: More complex to integrate and manage.

DAST (Dynamic Application Security Testing)
  Description: Analyzing a running application for vulnerabilities from the outside.
  Pro: Finds runtime issues missed by static analysis.
  Cons: Can miss issues not exposed during the test. Relies heavily on its crawler, and different authentication mechanisms can make coverage a challenge.
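The following is an added example, not code from this page or from any DAST product: a toy DAST-style probe in Python run against a deliberately vulnerable local target constructed for the purpose. It starts the target with the standard library's http.server, crawls the links the target exposes, injects a marker into every query parameter it discovers, and reports where the marker comes back unescaped. The target app, its routes, the marker string and the function names are assumptions of the example.

```python
"""Toy DAST-style probe, added here as an example (not from the page).

The target app is constructed for the example: /search reflects its parameter
unescaped, /echo escapes it, and /admin reflects it but sits behind a cookie
check and is linked from nowhere.
"""
import html
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urljoin, urlparse
from urllib.request import urlopen

MARKER = "dastprobe<'\">"  # constructed probe; reflected verbatim => HTML injection sink


def app(path, query, cookie=None):
    """Constructed target application. Returns (status, body)."""
    q = parse_qs(query)
    if path == "/":
        return 200, '<a href="/search?q=test">search</a> <a href="/echo?msg=hi">echo</a>'
    if path == "/search":
        return 200, "Results for: " + q.get("q", [""])[0]              # vulnerable: unescaped
    if path == "/echo":
        return 200, "You said: " + html.escape(q.get("msg", [""])[0])  # safe: escaped
    if path == "/admin":
        if cookie != "session=admin":
            return 403, "login required"
        return 200, "Note: " + q.get("note", [""])[0]                  # vulnerable, but behind auth
    return 404, "not found"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        u = urlparse(self.path)
        status, body = app(u.path, u.query, self.headers.get("Cookie"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the server quiet
        pass


def http_fetch(url):
    """Fetch over the network; a non-2xx status is returned, not raised."""
    try:
        with urlopen(url, timeout=5) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def local_fetch(url):
    """Same contract as http_fetch, but calls the app in-process (no sockets)."""
    u = urlparse(url)
    return app(u.path, u.query)


HREF = re.compile(r'href="([^"]+)"')


def scan(fetch, base="http://target"):
    """Crawl from '/', then inject MARKER into every parameter the crawler discovered."""
    seen, todo, findings = set(), [urljoin(base, "/")], []
    while todo:
        url = todo.pop()
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        u = urlparse(url)
        for param in parse_qs(u.query):
            _, probed = fetch(f"{base}{u.path}?{urlencode({param: MARKER})}")
            if MARKER in probed:  # verbatim reflection; html-escaped output does not match
                findings.append((u.path, param))
        for href in HREF.findall(body):  # only links the crawler can see get tested
            nxt = urljoin(base, href)
            if urlparse(nxt).netloc == urlparse(base).netloc:
                todo.append(nxt)
    return sorted(findings)


def run_demo():
    """Serve the target on a loopback port and scan it over HTTP."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return scan(http_fetch, f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())  # [('/search', 'q')]; /admin?note= is never reached by the crawler
```

run_demo() reports only /search. The /echo endpoint escapes its parameter, so the marker never comes back verbatim, and /admin reflects its parameter but requires a session cookie and is linked from nowhere, so the crawler never visits it. That is the "can miss issues not exposed during the test" row in practice, and why a DAST run is given credentials and seed URLs before its results are trusted.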

Deployment Phase

Firewall
  Description: Monitors and controls incoming and outgoing network traffic.
  Pro: Protects against unauthorized access.
  Cons: Can be bypassed; false positives and false negatives.

WAF (Web Application Firewall)
  Description: Protects web applications by filtering and monitoring HTTP traffic.
  Pro: Protects against web-based attacks.
  Cons: Can impact legitimate traffic (false positives).

RASP (Runtime Application Self-Protection)
  Description: Protection technology that runs within the application itself.
  Pro: Immediate response to threats; less reliance on updates.
  Cons: Potential performance impact; complexity in management.

Bug Bounty
  Description: Paying external security researchers for vulnerabilities they find and report in the deployed application.
  Pro: Many testers with varied skills keep looking after release; payment is for valid findings only.
  Cons: Reports arrive on the researchers' schedule and each one needs triage; the scope must be stated clearly.
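As an added example of what "runs within the application" means (not code from this page or from any RASP product), the Python below hooks subprocess.Popen inside the interpreter so that every process launch is inspected with its actual arguments at the moment it happens. The metacharacter rule, the guarded greet() function and the demo() driver are assumptions of the example.

```python
"""RASP-style in-process guard, added here as an example (not from the page).

It hooks subprocess.Popen so that every process launch inside this interpreter
is inspected when it happens. A command run through a shell (shell=True) whose
command string contains shell metacharacters is refused before the shell starts;
a list argv, which never touches a shell, passes through untouched. The guarded
application functions are constructed for the example.
"""
import re
import subprocess

METACHARS = re.compile(r"[;&|`$<>\n]")  # characters that change how a shell parses a command
blocked_log = []                        # audit trail of refused launches


class BlockedByRasp(RuntimeError):
    """Raised instead of starting the shell."""


_original_init = subprocess.Popen.__init__


def _guarded_init(self, args, *a, **kw):
    # 'shell' is almost always passed by keyword (subprocess.run forwards it that way);
    # a positional shell argument would slip past this check.
    if kw.get("shell") and isinstance(args, str) and METACHARS.search(args):
        blocked_log.append(args)
        raise BlockedByRasp(f"refused shell command: {args!r}")
    return _original_init(self, args, *a, **kw)


def install():
    """After this, every Popen in the process pays for the check: the performance cost in the table."""
    subprocess.Popen.__init__ = _guarded_init


def uninstall():
    subprocess.Popen.__init__ = _original_init


# Constructed application code. greet() trusts 'name' too much; greet_safe() is the fix
# that leaves the guard nothing to do.
def greet(name):
    return subprocess.run("echo Hello " + name, shell=True, capture_output=True, text=True).stdout


def greet_safe(name):
    return subprocess.run(["echo", "Hello", name], capture_output=True, text=True).stdout


def demo():
    """Exercise the guard and return what happened for each call."""
    blocked_log.clear()
    install()
    try:
        try:
            attack = greet("alice; id")        # without the guard, `id` runs after the echo
        except BlockedByRasp as e:
            attack = str(e)
        return {
            "attack": attack,
            "legit": greet("alice"),           # plain input still works
            "fixed": greet_safe("alice; id"),  # no shell, so the ';' is just text
            "blocked": list(blocked_log),
        }
    finally:
        uninstall()


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The guard sees the real command string rather than an HTTP request, so it refuses the injected `; id` whatever path the input took to reach the shell, and it needs no signature update to do so. The cost is the other column: every Popen in the process now pays for the check, and the hook has to be installed, kept working across library upgrades, and investigated whenever something legitimate is refused. greet_safe() shows the fix that makes the guard unnecessary for that call.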

This looks like a great deal of effort and work, and it could also be costly. In truth, however, some of these activities are done once and then updated when needed, and the others get easier and faster the more often they are done. If the work is broken down into small enough pieces, the level of effort can be managed in the same way.

Now that we have reviewed the foundations of how to develop software, what security means for software, and how to improve the quality of software with different mechanisms, it is time to build a real-world example.