Developing Secure Systems
Sinara has been developing leading financial solutions for over 25 years, and throughout that time the need to develop secure systems has been a constant. While requirements and technologies change over time, the financial sector has always recognised the importance of client confidentiality and information security, and cybersecurity has come under increasing public scrutiny in recent years. This attention is well justified, given the many high-profile public breaches, which can cost companies tens of millions, if not hundreds of millions, of dollars.
Understanding the fundamentals of information security and ensuring they are consistently applied is the key to creating secure systems. Developers need an approach which reduces the likelihood and impact of a breach without compromising functionality or performance. The optimal strategy is one of continuous risk management and review. The introduction of regulatory standards, such as the Payment Card Industry Data Security Standard (PCI DSS), and of more generic ones, such as ISO/IEC 27001 and the NIST framework, has helped to improve the risk management process; however, such standards achieve nothing unless they are correctly and continuously applied throughout the software development life cycle.
At Sinara, therefore, the security of new systems is considered long before any code is written. In the early stages of a new project, while analysing requirements and drawing up a specification, we take care to note any particular security concerns when identifying the non-functional requirements of the system. At the design stage, too, security is a key consideration, which often defines principles to be followed during the implementation; for example, the designs for new Sinara web applications always include a section addressing common risks such as the OWASP Top Ten, and how the application is expected to avoid them.
During the later stages of a project, code for the system undergoes a security review by Sinara staff, distinct from standard code review, to ensure that information security continues to receive due attention. During a security review, developers perform a variety of automated and manual checks, which are cross-referenced against client infosec policies, regulatory standards, and industry best practice such as the OWASP recommendations. Security reviews include verification that every point of entry to an application is restricted according to the relevant user permissions, and that all user input is validated and handled so that it cannot be used for injection attacks.
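The injection check described above is worth illustrating, because input validation on its own is not what stops injection: the structural fix is to keep user input out of the query text by parameterising it, with allow-list validation at the entry point as defence in depth. The following is an added example written for this page, not code from Sinara's reviews; the table, rows and username rules are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "alice@example.com", "trader"),
    ("bob", "bob@example.com", "admin"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    # The defect a security review should flag: attacker-controlled text is
    # spliced into the SQL statement, so the input can rewrite the query.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameters travel separately from the statement text, so whatever the
    # input contains it is only ever compared as a value, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical username policy used to allow-list input at the entry point.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def lookup_validated(conn, name):
    # Allow-list validation as defence in depth: reject anything that is not
    # a plausible username before it reaches the (already parameterised) query.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))    # every row leaks
    print("safe:  ", lookup_safe(db, payload))      # no match
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated:", exc)
```

Running it shows the classic `' OR '1'='1` payload returning every row through `lookup_unsafe`, an empty result through `lookup_safe`, and a rejection before the database is touched through `lookup_validated`. A review that only confirmed "input is validated" would miss the first function if the validation lived elsewhere and was later bypassed; checking that the query is parameterised is the test that actually matters.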
The rapid increase in application complexity over recent years has only emphasised the importance of a formal security review process. The growing emphasis on access to applications over the Internet (and from mobile devices), together with the adoption of cloud computing, makes it much harder to define a defence 'perimeter' for each application and to identify and assess every entry point. Sinara handles this rise in complexity by maintaining thorough approval processes; for example, all third-party libraries are subject to a strict review and approval before being used in our systems.
To speed up security reviews, and to reduce the risk of human error in entry point assessment, Sinara have developed a custom static code analysis tool for our web applications. It scans code for points of entry and produces a report detailing the function-level access granted to each user group; this report is then checked against the original specification to ensure that the access rights match the requirements.
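The tool itself is not shown on the page, so the following is an added example of the same technique, written for this article and not Sinara's code. It assumes a hypothetical Python web application in which handlers are marked with an `@app.route(...)` decorator and restricted with a hypothetical `@requires_role(...)` decorator; it walks the syntax tree, builds the route-to-roles matrix, and diffs it against a specification. The sample source and specification are constructed.

```python
import ast

# Constructed sample application source (hypothetical decorator names; not
# Sinara's code). Note the third handler carries no role restriction.
SAMPLE_SOURCE = '''
@app.route("/orders")
@requires_role("trader", "admin")
def list_orders():
    pass

@app.route("/admin/users")
@requires_role("admin")
def manage_users():
    pass

@app.route("/health")
def health():
    pass
'''

# Constructed specification: the access rights the design document granted.
SAMPLE_SPEC = {
    "/orders": frozenset({"trader", "admin"}),
    "/admin/users": frozenset({"admin"}),
    "/reports": frozenset({"admin"}),
}


def _decorator_name(dec):
    """Return the bare name of a decorator: `route` for `@app.route(...)`."""
    func = dec.func if isinstance(dec, ast.Call) else dec
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def _str_args(dec):
    """Collect the string literal positional arguments of a decorator call."""
    if not isinstance(dec, ast.Call):
        return []
    return [a.value for a in dec.args
            if isinstance(a, ast.Constant) and isinstance(a.value, str)]


def entry_points(source):
    """Scan source and return {route: frozenset(roles)} for every routed
    function; an empty set means the entry point is reachable anonymously."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        route, roles = None, set()
        for dec in node.decorator_list:
            name = _decorator_name(dec)
            if name == "route":
                args = _str_args(dec)
                if args:
                    route = args[0]
            elif name == "requires_role":
                roles.update(_str_args(dec))
        if route is not None:
            report[route] = frozenset(roles)
    return report


def check_against_spec(report, spec):
    """Compare the scanned access matrix with the specification.
    Returns a list of (route, problem) pairs; an empty list means they match."""
    findings = []
    for route, roles in report.items():
        if route not in spec:
            findings.append((route, "entry point not in specification"))
        elif roles != spec[route]:
            problem = ("unrestricted entry point" if not roles else
                       f"roles {sorted(roles)} differ from spec {sorted(spec[route])}")
            findings.append((route, problem))
    for route in spec:
        if route not in report:
            findings.append((route, "specified entry point not found in code"))
    return findings


if __name__ == "__main__":
    scanned = entry_points(SAMPLE_SOURCE)
    for route, roles in scanned.items():
        print(f"{route:15} {sorted(roles) or 'ANONYMOUS'}")
    for route, problem in check_against_spec(scanned, SAMPLE_SPEC):
        print(f"FINDING {route}: {problem}")
```

Two kinds of discrepancy surface on the sample input: `/health` exists in the code but not in the specification (an undocumented, anonymous entry point the reviewer must decide about), and `/reports` is specified but was never implemented. The value of automating this is that it is a complete enumeration rather than a reviewer's recollection of which handlers exist, so a new route added late in a project cannot slip past the access check unnoticed.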
In order to identify potential vulnerabilities and quantify their risk, developers need a good understanding of an application at both code level and whole-system level. Practices such as security technique seminars and detailed system/application orientation sessions mean Sinara developers are better placed to examine client queries about potentially malicious user behaviour, and to hone their security-focused development and code review skills.
We always recommend that the testing phase of any system we produce should include a full penetration test, in which testers attempt to "break" the security of the system using a variety of manual and automated known attacks. We have also in the past worked with the third-party security firm Veracode, who analyse and verify code from a security perspective, to provide additional confidence in the end product.
Overall, the combination of rigorous risk management processes during development, tools to combat the rise in application complexity, and appropriate staff training has allowed Sinara to maintain a security oriented approach to development (from design through to deployment) which assures clients that Sinara systems are developed to a professionally secure standard.