Before making a new product, software developers ask themselves: What should its screens look like? How fast should it be? Security is often neglected, though. Cyber attacks are on the rise, says the BSI, a German government agency. It records 380,000 new malware variants every day. Big corporations suffer thousands of attacks daily.
Author: Jan Ungruhe Illustration: Alex Freund/thelicensingproject.com
“The problem is: 95 percent of successful attacks are due to poorly programmed, poorly maintained or poorly configured software,” said Thomas Tschersich, Head of Internal Security & Cyber Defense at Deutsche Telekom. Yet this problem could be solved by taking security into consideration directly from the outset – “instead of sticking a plaster over the product only once it already has been assembled,” said Tschersich. The technical term for that is: security by design.
Security by design prevents errors from an early stage
If a developer includes security features as a design criterion, system errors can be avoided from the very beginning. “Software engineers then work in a completely different way, since they work their way through specifications. If security isn’t one of the design criteria, they don’t address it,” explained Tschersich. In that case, developers can only hope that everything goes well. “But experience usually shows that the opposite is true.”
Ideally, the issue of security is already a firm part of the idea phase: can the idea even be put into practice with regard to security aspects? What sort of functional security requirements are needed? As a result, the aspect of security is incorporated in the creation of the prototype – and is upheld throughout all production stages. “When the finished product undergoes acceptance testing, it’s waved through without any further ado in the best-case scenario,” said Tschersich.
More than 95 percent reduction of the attack surface
Security expert Tschersich advises companies to stick to seven basic rules. “If you implement these ‘golden rules,’ you reduce the attack area by more than 95 percent.”
Security by design reduces the risk of liability
According to the security expert, a company also reduces its risk of liability by using security by design. “In the future, manufacturers can expect to be held liable if they haven’t built in reasonable security from the outset.” If a company cannot furnish proof that it has ensured adequate security, it will soon have “a significant financial problem,” according to Tschersich.
The attack surface can be minimized by deactivating what is superfluous. Deactivated, unneeded software programs and components on IT systems cannot be attacked. As Tschersich noted: “If you only need one front door in the house, you only build one.”
Confidential information and information systems should only be accessible by the persons you wish to communicate with. “If you ensure that only authenticated users or systems can access something, you exclude all unidentified ones with a high degree of probability,” stated Tschersich.
Every input should be checked for permissible characters – in particular special characters – and for its maximum permitted length. One example: when a user orders something on a web portal, only numbers and possibly periods are required in the field for the date of birth. “An attack can be prevented by ignoring everything apart from numbers and periods,” said Tschersich.
After a successful attack on one system, hackers often try to gradually gain access to other systems from there. Systems should therefore be separated from each other. “If the web server, for example, is hacked, the attacker is still far from getting into the database,” noted Tschersich.
Access to data storage, processing and transfer systems does not usually lie fully in the hands of the company itself, as is the case when cloud services are used. That means it is all the more important to protect confidential information. Tschersich explained, “Even if an attacker hacks a system, he can’t access encrypted data.”
Systems are only protected if they are always kept up to date. This is the only way to prevent attackers from exploiting known security gaps. New versions often come with mechanisms to plug security gaps that have been identified in predecessor versions, for example.
The security status of systems and their vulnerability to attacks must be continuously reviewed by means of security checks. “Systems are living things and keep on evolving. Moreover, more and more new weaknesses are discovered,” explained Tschersich.
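The input-checking rule above, applied to the date-of-birth field, as an added example that is not part of the original article or any Deutsche Telekom code. The DD.MM.YYYY format, the 10-character limit, the function names and the sample inputs are assumptions; the sketch rejects input containing other characters rather than stripping them.

```python
import re
from datetime import date, datetime

MAX_LEN = 10                      # "DD.MM.YYYY" is 10 characters (assumed format)
ALLOWED = re.compile(r"[0-9.]+")  # ASCII digits and periods only; \d would also admit Unicode digits


def validate_birth_date(raw, today=None):
    """Return a date for a valid birth-date field, or raise ValueError."""
    today = today or date.today()
    if not isinstance(raw, str):
        raise ValueError("not a string")
    # 1. Length check first, so oversized input is never processed further.
    if not 1 <= len(raw) <= MAX_LEN:
        raise ValueError("length out of range")
    # 2. Character allowlist. fullmatch() must cover the whole string, so a
    #    trailing newline cannot slip past the way it can with match() and "$".
    if not ALLOWED.fullmatch(raw):
        raise ValueError("forbidden character")
    # 3. Permitted characters are not yet a date: require a real calendar day.
    try:
        parsed = datetime.strptime(raw, "%d.%m.%Y").date()
    except ValueError:
        raise ValueError("not a calendar date") from None
    if parsed > today:
        raise ValueError("date in the future")
    return parsed


def check(raw):
    """Return 'ok' or the rejection reason, against a fixed reference day."""
    try:
        validate_birth_date(raw, today=date(2024, 1, 1))
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample inputs, not taken from any real system.
SAMPLES = ["24.12.1980", "1.1.80'--", "1.12.1980\n", "31.02.1980",
           "1" * 500, "01.01.2999", "..."]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:20]), "->", check(sample))
```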