Developing Secure Systems
Sinara has been developing leading financial solutions for over 25 years, and throughout that time, the need to develop secure systems has been a constant. While requirements and technologies change over time, the financial sector has always recognised the importance of client confidentiality and information security, and cybersecurity concerns have been increasingly scrutinised in the public sphere in recent years. This increase in attention is well justified, given the many public high profile security breaches, which can cost companies tens of millions, if not hundreds of millions, of dollars.
Understanding the fundamentals of information security and ensuring they are constantly implemented is the key to creating secure systems. Developers require an approach which reduces the risk and impact of a breach, without compromising functionality or performance. The optimal strategy is one of continuous risk management and review. Introduction of regulatory standards, such as the Payment Card Industry Data Security Standard (PCIDSS), and more generic ones, such as IEC 27001 and the NIST framework, have helped to improve the risk management process; however, such standards are irrelevant if they are not correctly and continuously implemented throughout the software development life cycle.
At Sinara, therefore, the security of new systems is considered long before any code is written. In the early stages of a new project, while analysing requirements and drawing up a specification, we take care to note any particular security concerns when identifying the non-functional requirements of the system. At the design stage, too, security is a key consideration, which often defines principles to be followed during the implementation; for example, the designs for new Sinara web applications always include a section addressing common risks such as the OWASP Top Ten, and how the application is expected to avoid them.
During the later stages of a project, code for the system undergoes a security review by Sinara staff, distinct from standard forms of code review, to ensure that information security continues to be given due attention. During a security review, developers perform a variety of both automated and manual checks. These checks cross-reference client infosec policies, regulatory standards, and industry best-practices such as those recommended by OWASP. Security reviews include verification that all points of entry to an application are restricted according to relevant user permissions, and that all user input is validated to prevent potential injection attacks.
The rapid increase in application complexity over recent years has only emphasised the importance of a formal security review process. An increasing focus on better access to applications over the Internet (and from mobile devices), and the potential of cloud computing make it much more challenging to define a defence ‘perimeter’ for each application, and to identify and assess all entry points. Sinara handles this rise in complexity by maintaining thorough approval processes; for example, all third party libraries are subject to a strict review and approval before being used in our systems.
To speed up security reviews, and reduce the risk of human error in entry point assessment, Sinara have developed a custom static code analysis tool for our web applications, which scans code for points of entry and produces a report detailing the function level access granted to each user group; this report is then checked against the original specification to ensure the access rights match requirements.
In order to identify potential vulnerabilities and quantify their risk, developers need a good understanding of an application at both code level and whole-system level. Practices such as security technique seminars and detailed system/application orientation sessions mean Sinara developers are better placed to examine client queries about potentially malicious user behaviour, and to hone their security-focused development and code review skills.
We always recommend that the testing phase of any systems we produce should include a full penetration test, where testers attempt to “break” the security of the system using a variety of manual and automated known attacks. We have also in the past worked with the third party security firm VeraCode, who analyse and verify code from a security perspective, to provide additional confidence in the end product.
Overall, the combination of rigorous risk management processes during development, tools to combat the rise in application complexity, and appropriate staff training has allowed Sinara to maintain a security oriented approach to development (from design through to deployment) which assures clients that Sinara systems are developed to a professionally secure standard.
Categories
- OWASP Security Standards for Web ApplicationsMar 23 2022
Posts by Nicole.Williams
- November 2022
- October 2022
- September 2022
- August 2022
- May 2022
- March 2022
- December 2021
- November 2021
- October 2021
- September 2021
- July 2021
- June 2021
- May 2021
- April 2021
- January 2021
- December 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- April 2020
- March 2020
- February 2020
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- July 2018
- May 2018
- April 2018
- February 2018
- January 2018
- October 2017
- May 2017
- February 2016
- January 2016
- July 2015
- June 2015
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
Archive
Ready for the next step?
Whether you have detailed requirements for your new business IT solution or wish to discuss your initial thoughts and ideas, contact us to see how Sinara can help. Contact Us.
Based in London, Sinara develop and support business-critical IT systems for exchanges and trading firms, focusing on pre- and post-trade and market data systems. Call or email us to find out how we can help build your new customer solutions or internal IT systems.