{"id":10736,"date":"2018-03-13T11:13:22","date_gmt":"2018-03-13T10:13:22","guid":{"rendered":"https:\/\/stage-fp.webenv.pl\/blog\/?p=10736"},"modified":"2023-07-12T13:36:16","modified_gmt":"2023-07-12T11:36:16","slug":"whitepaper-why-is-software-security-so-important","status":"publish","type":"post","link":"https:\/\/www.future-processing.com\/blog\/whitepaper-why-is-software-security-so-important\/","title":{"rendered":"Whitepaper: Why is software security so important?"},"content":{"rendered":"\n<p>In order to stay resilient to these breaches, it is crucial for organisations to take a proactive approach to security and weave it into the fabric of their culture. Secure development must be a part of a new company policy.<\/p>\n\n\n\n<p><strong>Is DevSecOps just another buzzword or rather a necessity? How to increase ROI through software security? Why align security and compliance and how to measure security requirements?<\/strong> You will find answers to these &#8211; and many other important questions \u2013 in our newest whitepaper on software security.<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting Your Business<\/h2>\n\n\n\n<p>According to the latest <a href=\"https:\/\/www.broadcom.com\/support\/security-center\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Symantec Internet Security Threat Report<\/a>, in the last 8 years more than 7.1 billion identities were exposed in data breaches.<\/p>\n\n\n\n<p>New classes of attacks, such as ransomware and targeted espionage attacks, show new levels of cybercriminal ambition. In addition to potential financial losses, such attacks have an unquantifiable, negative impact on customer confidence and on brand value.<\/p>\n\n\n\n<p>The new GDPR law will introduce a great challenge for all organisations that process personal data. 
Building software with a security-in-mind approach (which includes regular testing, vulnerability assessment and penetration testing &#8211; both using automated tools and as an expert-driven manual process) allows organisations to go beyond today\u2019s compliance requirements, enabling them to be proactive and forward-thinking.<\/p>\n\n\n\n<p>The Ponemon Cost of Data Breach Study shows that the global average cost of a data breach is $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information was measured as $141 in the study.<\/p>\n\n\n\n<p>The report includes data from 419 companies in 13 countries or regions. It also states that the cost of a data breach depends on the industry, identifying healthcare and financial services leaks as the most costly.<\/p>\n\n\n\n<p>Businesses operating in these industries should ensure that they have a proper security programme in place. The predictions are that the threats are set to worsen. Adoption of new technologies (IoT, Cloud Computing, mobile devices) expands the threat landscape.<\/p>\n\n\n\n<p>New bugs and vulnerabilities are discovered every day. 
Most of the websites serving malicious content were once legitimate websites that had been compromised by attackers.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>BREACHES<\/td><td>2014<\/td><td>2015<\/td><td>2016<\/td><\/tr><tr><td>TOTAL BREACHES<\/td><td>1,523<\/td><td>1,211<\/td><td>1,209<\/td><\/tr><tr><td>BREACHES WITH MORE THAN 10 MILLION IDENTITIES EXPOSED<\/td><td>11<\/td><td>13<\/td><td>15<\/td><\/tr><tr><td>TOTAL IDENTITIES EXPOSED<\/td><td>1.2B<\/td><td>564M<\/td><td>1.1B<\/td><\/tr><tr><td>AVERAGE IDENTITIES EXPOSED PER BREACH<\/td><td>805K<\/td><td>466K<\/td><td>927K<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Source: 2017 Internet Security Threat Report https:\/\/www.symantec.com\/security-center\/threat-report<br><\/figcaption><\/figure>\n\n\n\n<p><br><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Development Must Be Part of Company Culture<\/h2>\n\n\n\n<p>A development lifecycle is a process which guides developers on how to build software. It usually contains the following phases:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Training<\/li>\n\n\n\n<li>Requirements<\/li>\n\n\n\n<li>Design<\/li>\n\n\n\n<li>Implementation<\/li>\n\n\n\n<li>Verification<\/li>\n\n\n\n<li>Release<\/li>\n\n\n\n<li>Response<\/li>\n<\/ul>\n\n\n\n<p>A Secure Development Lifecycle extends the regular development lifecycle by adding activities on top of the existing process. It ensures that security is not only considered during the testing phase, but remains a continuous concern. 
A correctly implemented Secure Development Lifecycle makes it possible to build more secure software, helps in addressing compliance requirements and reduces the total cost of development.<\/p>\n\n\n\n<p>While process implementations might vary in detail, the core is common \u2013 \u201cshifting left\u201d, where secure practices and principles are applied in a holistic manner to the whole development process.<\/p>\n\n\n    <div class=\"o-icon-box__wrapper\">\n        <div class=\"o-icon-box o-icon-box--big o-icon-box--italics m-cool-gray-light\">\n            <div class=\"o-icon-box__text f-headline-extra-big\">\n                Any of these processes can be used in your organisation to decrease the number of risks connected with software development. The choice should be based on current development processes and organisational culture.            <\/div>\n        <\/div>\n    <\/div>\n\n\n\n<p>Three steps are required for successful implementation of the process. Firstly, developers, managers and IT policy makers must identify the security requirements that follow from the data processed by the application. As a second step, the organisation must assess the current state of security in the software development process. 
This makes it possible to identify gaps and create a proper roadmap for advancing the security maturity level.<\/p>\n\n\n\n<p>There are several publicly available and documented Secure SDLC processes that can be used to ensure the security of developed software:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wiki.owasp.org\/index.php\/OWASP_Secure_Software_Development_Lifecycle_Project\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">OWASP Secure Software Development Lifecycle Project<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.nist.gov\/publications\/system-development-life-cycle-sdlc\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">NIST System Development Life Cycle<\/a> (SP 800-64, Revision 2)<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/cc307748(v=msdn.10)?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft Secure Development Lifecycle 5.2<\/a> (and SDL for Agile)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.synopsys.com\/software-integrity\/software-security-services\/bsimm-maturity-model.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">BSIMM<\/a> (Building Security In Maturity Model)<\/li>\n<\/ul>\n\n\n\n<p><br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft Secure Development Lifecycle<\/h2>\n\n\n\n<p><strong>Microsoft SDL<\/strong> is a secure development process that was started by Microsoft\u2019s Trustworthy Computing team as a response to Bill Gates\u2019 memo sent to all Microsoft employees in 2002. 
It called for the following fundamental security features to be present in computer systems:<\/p>\n\n\n    <div class=\"b-image js-lightbox\">\n        <figure class=\"b-image__figure\">\n            <a\n                href=\"Microsoft-SDL.jpg\"\n                class=\"js-lightbox__trigger\"\n                aria-haspopup=\"dialog\"\n                data-elementor-open-lightbox=\"no\"\n            >\n                <img fetchpriority=\"high\" decoding=\"async\" width=\"960\" height=\"1076\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-268x300.jpg 268w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-914x1024.jpg 914w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-768x861.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-357x400.jpg 357w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>            <\/a>\n                    <\/figure>\n        <div\n    class=\"js-lightbox__dialog o-lightbox\"\n    role=\"dialog\"\n    aria-modal=\"true\"\n    aria-hidden=\"true\"\n    tabindex=\"-1\"\n>\n    <div class=\"o-lightbox__dialog\">\n        <div class=\"o-lightbox__content js-lightbox__content\" role=\"document\">\n            <button\n                class=\"o-button o-button--xs o-button--dark o-button--icon-right o-button--tertiary o-lightbox__close js-lightbox__close m-gradient-brand\"\n            >\n                Close picture                <svg class='o-icon o-icon--16 o-icon--timescircle '>\n            <use xlink:href='#icon-16_times-circle'><\/use>\n          <\/svg>            <\/button>\n                                            <figure 
class=\"o-lightbox__image is-active\">\n                    <img fetchpriority=\"high\" decoding=\"async\" width=\"960\" height=\"1076\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-268x300.jpg 268w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-914x1024.jpg 914w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-768x861.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Microsoft-SDL-357x400.jpg 357w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>                                    <\/figure>\n                    <\/div>\n    <\/div>\n<\/div>\n    <\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>Since 2004, the process has been mandatory for all Microsoft products; it is constantly being improved and has been accepted and adapted industry-wide.<\/p>\n\n\n\n<p>The Microsoft SDL process is well-documented, with step-by-step instructions to be used by a development team to increase the level of security. 
A set of training presentations, tools and guides are provided.<\/p>\n\n\n\n<p><br><\/p>\n\n\n    <div class=\"b-image js-lightbox\">\n        <figure class=\"b-image__figure\">\n            <a\n                href=\"development_lifecycle_process.jpg\"\n                class=\"js-lightbox__trigger\"\n                aria-haspopup=\"dialog\"\n                data-elementor-open-lightbox=\"no\"\n            >\n                <img decoding=\"async\" width=\"960\" height=\"1272\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-226x300.jpg 226w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-773x1024.jpg 773w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-768x1018.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-302x400.jpg 302w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>            <\/a>\n                    <\/figure>\n        <div\n    class=\"js-lightbox__dialog o-lightbox\"\n    role=\"dialog\"\n    aria-modal=\"true\"\n    aria-hidden=\"true\"\n    tabindex=\"-1\"\n>\n    <div class=\"o-lightbox__dialog\">\n        <div class=\"o-lightbox__content js-lightbox__content\" role=\"document\">\n            <button\n                class=\"o-button o-button--xs o-button--dark o-button--icon-right o-button--tertiary o-lightbox__close js-lightbox__close m-gradient-brand\"\n            >\n                Close picture                <svg class='o-icon o-icon--16 o-icon--timescircle '>\n            <use xlink:href='#icon-16_times-circle'><\/use>\n          
<\/svg>            <\/button>\n                                            <figure class=\"o-lightbox__image is-active\">\n                    <img decoding=\"async\" width=\"960\" height=\"1272\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-226x300.jpg 226w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-773x1024.jpg 773w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-768x1018.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/development_lifecycle_process-302x400.jpg 302w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>                                    <\/figure>\n                    <\/div>\n    <\/div>\n<\/div>\n    <\/div>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Better ROI<\/h2>\n\n\n\n<p>The National Institute of Standards and Technology (NIST) claims that code fixes done during the design and implementation phase can be 30 times less expensive than the ones performed after the release.<\/p>\n\n\n\n<p>In this way, a security development lifecycle can help reduce the total cost of development. 
The amount of time spent on post-development bug remediation, incident response and customer service also decreases.<\/p>\n\n\n    <div class=\"b-image js-lightbox\">\n        <figure class=\"b-image__figure\">\n            <a\n                href=\"better_ROI.jpg\"\n                class=\"js-lightbox__trigger\"\n                aria-haspopup=\"dialog\"\n                data-elementor-open-lightbox=\"no\"\n            >\n                <img decoding=\"async\" width=\"960\" height=\"574\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-300x179.jpg 300w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-768x459.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-669x400.jpg 669w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>            <\/a>\n                    <\/figure>\n        <div\n    class=\"js-lightbox__dialog o-lightbox\"\n    role=\"dialog\"\n    aria-modal=\"true\"\n    aria-hidden=\"true\"\n    tabindex=\"-1\"\n>\n    <div class=\"o-lightbox__dialog\">\n        <div class=\"o-lightbox__content js-lightbox__content\" role=\"document\">\n            <button\n                class=\"o-button o-button--xs o-button--dark o-button--icon-right o-button--tertiary o-lightbox__close js-lightbox__close m-gradient-brand\"\n            >\n                Close picture                <svg class='o-icon o-icon--16 o-icon--timescircle '>\n            <use xlink:href='#icon-16_times-circle'><\/use>\n          <\/svg>            <\/button>\n                                            <figure class=\"o-lightbox__image is-active\">\n                    <img decoding=\"async\" width=\"960\" height=\"574\" 
src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-300x179.jpg 300w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-768x459.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/better_ROI-669x400.jpg 669w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>                                    <\/figure>\n                    <\/div>\n    <\/div>\n<\/div>\n    <\/div>\n\n\n\n<p>The SANS Institute states that including security aspects in the requirements for software and cloud services not only efficiently reduces attack surfaces, but has also been proven to reduce time to market for secure business services.<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SDL for Agile<\/h2>\n\n\n\n<p>SDL for Agile is a way to integrate security-related activities into the Agile development process, which is based on fast and frequent delivery. This approach requires ensuring that security practices do not interfere with the delivery cycle and, at the same time, makes sure that no crucial practices are missing. The practices are divided into three categories:<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Every sprint practices<\/h3>\n\n\n\n<p>Essential security practices that should be performed in every release. 
Some examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Threat modeling,<\/li>\n\n\n\n<li>Running static code analysis tools, and<\/li>\n\n\n\n<li>Ensuring that defensive coding techniques are used, e.g. ensuring all database access is performed through parameterised queries to stored procedures, mitigating against cross-site scripting (XSS), using safe redirects, and using secure cookies over HTTPS.<\/li>\n<\/ul>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Bucket practices<\/h3>\n\n\n\n<p>Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime. Examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conducting a security review,<\/li>\n\n\n\n<li>Creation of privacy-related documents,<\/li>\n\n\n\n<li>Fuzz testing,<\/li>\n\n\n\n<li>Attack surface analysis, and<\/li>\n\n\n\n<li>Data flow and input validation testing.<\/li>\n<\/ul>\n\n\n    <div class=\"o-icon-box__wrapper\">\n        <div class=\"o-icon-box o-icon-box--big o-icon-box--italics m-cool-gray-light\">\n            <div class=\"o-icon-box__text f-headline-extra-big\">\n                To ensure that tasks are part of the team effort, technical user stories are added for SDL requirements and included in the project backlog. This allows them to be estimated, planned and delivered as part of the iterative delivery cycle.            <\/div>\n        <\/div>\n    <\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">DevSecOps \u2013 buzzword or necessity?<\/h2>\n\n\n\n<p>DevSecOps is a concept which connects traditional DevOps and security engineers. It accepts the fact that the responsibility for secure development lies not only with a limited number of security engineers, but with whole development teams. 
It focuses on automating security activities.<\/p>\n\n\n\n<p>DevSecOps comes with a list of rules defined to make your security effort work for your project, not against it:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Leaning in over Always Saying \u2018No\u2019,<\/li>\n\n\n\n<li>Data &amp; Security Science over Fear, Uncertainty and Doubt,<\/li>\n\n\n\n<li>Open Contribution &amp; Collaboration over Security-Only Requirements,<\/li>\n\n\n\n<li>Consumable Security Services with APIs over Mandated Security Controls &amp; Paperwork,<\/li>\n\n\n\n<li>Business Driven Security Scores over Rubber Stamp Security,<\/li>\n\n\n\n<li>Red &amp; Blue Team Exploit Testing over Relying on Scans &amp; Theoretical Vulnerabilities,<\/li>\n\n\n\n<li>24&#215;7 Proactive Security Monitoring over Reacting after being Informed of an Incident,<\/li>\n\n\n\n<li>Shared Threat Intelligence over Keeping Info to Ourselves, and<\/li>\n\n\n\n<li>Compliance Operations over Clipboards &amp; Checklists.<\/li>\n<\/ul>\n\n\n\n<p>This includes incorporating the following into Continuous Integration and integrated development environments (IDEs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Static code analysis (which should include security-related rules),<\/li>\n\n\n\n<li>Dynamic testing (using scanners),<\/li>\n\n\n\n<li>Automation of security requirement checks,<\/li>\n\n\n\n<li>Planning and implementing security features (Security as Code), and<\/li>\n\n\n\n<li>Ensuring secure deployments (Infrastructure as Code).<\/li>\n<\/ul>\n\n\n\n<p>Another important part of DevSecOps responsibilities is introducing best practices and developing a security culture.<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Measuring and Enforcing Security Requirements is part of the process<\/h2>\n\n\n\n<p><strong>Capturing security requirements<\/strong> for your project before actual development commences provides many advantages, e.g.:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Gives management, the development team and business analysts a better understanding of application security risks and possible remediation,<\/li>\n\n\n\n<li>Makes you compliant \u2013 when done right, security requirements are based on privacy analysis and compliance requirements that apply to data stored and processed by the system,<\/li>\n\n\n\n<li>Makes security work anticipated, planned and cost-bound \u2013 adding security non-functional requirements as Acceptance Criteria for User Stories makes them easy to use during estimation and development, and ensures easy mapping between requirements and controls applied during the development process,<\/li>\n\n\n\n<li>Makes them testable \u2013 once you define a requirement, it can be included in the test activities, and<\/li>\n\n\n\n<li>Improves transparency of the contract with the supplier \u2013 when using a third party for software development, agreeing on a detailed list of requirements will ensure a common view on what a secure application is.<\/li>\n<\/ul>\n\n\n\n<p><br><strong>OWASP Application Security Verification Standard<\/strong> is a well-established framework that can be used to build a set of actionable and measurable security requirements. ASVS 3.0.1 requirements cover the following features of a system:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>V1. Architecture, design and threat modeling<\/li>\n\n\n\n<li>V2. Authentication<\/li>\n\n\n\n<li>V3. Session management<\/li>\n\n\n\n<li>V4. Access control<\/li>\n\n\n\n<li>V5. Malicious input handling<\/li>\n\n\n\n<li>V7. Cryptography at rest<\/li>\n\n\n\n<li>V8. Error handling and logging<\/li>\n\n\n\n<li>V9. Data protection<\/li>\n\n\n\n<li>V10. Communications<\/li>\n\n\n\n<li>V11. HTTP security configuration<\/li>\n\n\n\n<li>V13. Malicious controls<\/li>\n\n\n\n<li>V15. Business logic<\/li>\n\n\n\n<li>V16. File and resources<\/li>\n\n\n\n<li>V17. Mobile<\/li>\n\n\n\n<li>V18. Web services (NEW for 3.0)<\/li>\n\n\n\n<li>V19. 
Configuration (NEW for 3.0)<\/li>\n<\/ul>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Requirements are grouped into three security verification levels:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ASVS Level 1 contains a basic list that can be applied to all applications,<\/li>\n\n\n\n<li>ASVS Level 2 should be used for applications containing assets which require protection,<\/li>\n\n\n\n<li>ASVS Level 3 is for the most critical systems \u2013 medical equipment, applications containing valuable intellectual property or processing vast amounts of financial transactions.<\/li>\n<\/ul>\n\n\n    <div class=\"b-image js-lightbox\">\n        <figure class=\"b-image__figure\">\n            <a\n                href=\"security_verification.jpg\"\n                class=\"js-lightbox__trigger\"\n                aria-haspopup=\"dialog\"\n                data-elementor-open-lightbox=\"no\"\n            >\n                <img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"1576\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-183x300.jpg 183w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-624x1024.jpg 624w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-768x1261.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-936x1536.jpg 936w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-244x400.jpg 244w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>            <\/a>\n                    <\/figure>\n        <div\n    class=\"js-lightbox__dialog 
o-lightbox\"\n    role=\"dialog\"\n    aria-modal=\"true\"\n    aria-hidden=\"true\"\n    tabindex=\"-1\"\n>\n    <div class=\"o-lightbox__dialog\">\n        <div class=\"o-lightbox__content js-lightbox__content\" role=\"document\">\n            <button\n                class=\"o-button o-button--xs o-button--dark o-button--icon-right o-button--tertiary o-lightbox__close js-lightbox__close m-gradient-brand\"\n            >\n                Close picture                <svg class='o-icon o-icon--16 o-icon--timescircle '>\n            <use xlink:href='#icon-16_times-circle'><\/use>\n          <\/svg>            <\/button>\n                                            <figure class=\"o-lightbox__image is-active\">\n                    <img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"1576\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification.jpg\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-183x300.jpg 183w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-624x1024.jpg 624w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-768x1261.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-936x1536.jpg 936w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/security_verification-244x400.jpg 244w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>                                    <\/figure>\n                    <\/div>\n    <\/div>\n<\/div>\n    <\/div>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security and compliance should be aligned<\/h2>\n\n\n\n<p>Systems used to process sensitive data (medical data, credit cards, 
Personally Identifiable Information) need to comply with complex regulations and laws related to system security.<\/p>\n\n\n\n<p>Standards such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or ISO\/IEC 27001 (Information Security) not only require you to protect the data, but also introduce financial fines for the lack of proper security controls.<\/p>\n\n\n\n<p>Standards recommend regularly testing applications and infrastructure for vulnerabilities. This can be done by penetration testing and vulnerability scanning. Penetration testing, when performed by a skilled and experienced individual, tests real-world risks to the business and verifies the actual state of system security. It will uncover problems that would not be found by automated tools.<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PCI DSS<\/h3>\n\n\n\n<p><strong><a href=\"https:\/\/www.pcisecuritystandards.org\/about_us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">PCI DSS<\/a><\/strong> requires the following goals to be fulfilled through penetration testing: \u2018determine whether and how a malicious user can gain unauthorised access to assets that affect the fundamental security of the system, files, logs and\/or cardholder data. 
Confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation, required in PCI DSS are in place.\u2019<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ISO 27001<\/h3>\n\n\n\n<p><strong><a href=\"https:\/\/www.iso27001security.com\/html\/27002.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ISO 27001<\/a><\/strong> security control objective A12.6 (Technical Vulnerability Management) states that \u2018information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation\u2019s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.\u2019<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">GDPR<\/h3>\n\n\n\n<p><strong><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32016R0679\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GDPR<\/a><\/strong> requires that the security measures of systems used to store and process Personal Data (any information about an identified or identifiable individual) are regularly tested.<\/p>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">NIST guide for implementing HIPAA<\/h3>\n\n\n\n<p><strong><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-66\/rev-1\/final\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">NIST guide for implementing HIPAA<\/a><\/strong> recommends that organisations \u2018conduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate\u2019.<\/p>\n\n\n    <div class=\"b-image js-lightbox\">\n        <figure class=\"b-image__figure\">\n            <a\n                href=\"Security_development_lifecycle.jpg\"\n                class=\"js-lightbox__trigger\"\n                aria-haspopup=\"dialog\"\n                
data-elementor-open-lightbox=\"no\"\n            >\n                <img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"1014\" src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle.jpg\" class=\"attachment-full size-full\" alt=\"Security development lifecycle\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-284x300.jpg 284w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-768x811.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-379x400.jpg 379w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-24x24.jpg 24w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>            <\/a>\n                    <\/figure>\n        <div\n    class=\"js-lightbox__dialog o-lightbox\"\n    role=\"dialog\"\n    aria-modal=\"true\"\n    aria-hidden=\"true\"\n    tabindex=\"-1\"\n>\n    <div class=\"o-lightbox__dialog\">\n        <div class=\"o-lightbox__content js-lightbox__content\" role=\"document\">\n            <button\n                class=\"o-button o-button--xs o-button--dark o-button--icon-right o-button--tertiary o-lightbox__close js-lightbox__close m-gradient-brand\"\n            >\n                Close picture                <svg class='o-icon o-icon--16 o-icon--timescircle '>\n            <use xlink:href='#icon-16_times-circle'><\/use>\n          <\/svg>            <\/button>\n                                            <figure class=\"o-lightbox__image is-active\">\n                    <img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"1014\" 
src=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle.jpg\" class=\"attachment-full size-full\" alt=\"Security development lifecycle\" srcset=\"https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle.jpg 960w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-284x300.jpg 284w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-768x811.jpg 768w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-379x400.jpg 379w, https:\/\/www.future-processing.com\/blog\/wp-content\/uploads\/2018\/03\/Security_development_lifecycle-24x24.jpg 24w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>                                    <\/figure>\n                    <\/div>\n    <\/div>\n<\/div>\n    <\/div>\n\n\n\n<p>We hope this article has helped you understand the importance of security in software development.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Did you know that according to the 2017 Internet Security Threat Report, over 7.1 billion identities have been exposed in data breaches in the last 8 years?<\/p>\n","protected":false},"author":113,"featured_media":12854,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2110],"tags":[7,1064],"coauthors":[1727],"class_list":["post-10736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-security-2","tag-security-threats"],"acf":{"reading-time":"10 
min","show-toc-sublists":false,"image":null,"logo":null,"button1":{"button1_type":"","button":null},"button2":{"button2_type":"","button":null},"person":{"person_photo":null,"person_name":"","person_position":""}},"_links":{"self":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts\/10736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/users\/113"}],"replies":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/comments?post=10736"}],"version-history":[{"count":0,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts\/10736\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/media\/12854"}],"wp:attachment":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/media?parent=10736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/categories?post=10736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/tags?post=10736"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/coauthors?post=10736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
