8 Practices Software Engineers Should Adopt and Champion for Cybersecurity

Surprisingly, cybersecurity could be as simple as following best practices, which ideally should be integrated into the culture itself. Learn more in this post.

By Manish Sinha · Sep. 11, 24 · Opinion

The Importance of Cybersecurity

I firmly believe that, given today's cybersecurity expectations, software engineers should prioritize the security of their computer systems and internal IT networks. I would consider it a mistake to rely heavily on technology alone, for the simple reason that many risks are non-technical in nature. The Internet can leave businesses vulnerable to data breaches and ransomware attacks that cause lasting reputational damage. These non-technical risks can nevertheless be addressed using technical solutions.

These incidents can additionally result in significant financial losses and potential legal issues. In my opinion, implementing strong cybersecurity measures is not just a technical requirement but a critical initiative for any business looking to strengthen its defenses and resilience.

In this article, I would like to make the case that software engineers should stop looking at security as the responsibility of security engineers and instead accept it as their own. You do not need to be an engineering manager or a director to propose and implement best practices. Software engineers should use the power of persuasion, data, and a demonstrated return on investment to gently nudge their organization in this direction.

Major Cybersecurity Incidents

Equifax Data Breach

This is probably the breach that people remember the most and probably one of the biggest security breaches that ever happened. In this breach, the Social Security numbers and credit card information of 144.5 million people were stolen. The breach occurred because a weakness in a web application framework was not fixed in time. This shows how important it is to update software promptly.

WannaCry Ransomware Attack

This attack caused lasting damage, and thousands of computer networks were down. The UK’s National Health Service had to resort to paper and pen to run its facilities. This ransomware attack had a global impact on over 200,000 computers across 150 countries. It was caused by a Windows vulnerability that went unpatched. 

SolarWinds Cyberattack

The cyber-attack on the SolarWinds Orion platform was a comparatively rare type of supply chain attack. It involved hackers inserting malicious code into the software updates. This breach impacted numerous US government agencies and private sector companies, highlighting vulnerabilities related to third-party software.

8 Cybersecurity Best Practices

1. Have a Data Classification Policy and Enforce It

No one understands the data better than the person who has to write the software to process and manage it. Software engineers have the responsibility to use the data as it was intended. Software engineers should be pushing for robust data classification policies and the mechanisms to enforce them. At the end of the day, if there is a misuse, software engineers will be held at least partially responsible.

Data classification is about sorting data into different groups based on (a) how sensitive it is and (b) how much harm could be done if it gets seen by the wrong people. Such a classification, while simple, is effective: by having a plan for data classification, we can make sure that important information stays safe and is only seen by the people who should see it. It is also important to regularly check that we are following the rules and to adjust the groups when needed.

2. Have an Inventory of Data, Equipment, and Policies

A software engineer should be well-armed with an inventory of the tools, information, and guidelines available to them to achieve security. They should champion such a culture; it eventually makes their own lives much easier.

Maintaining an up-to-date inventory of all data, equipment, and policies is critical in any effective cybersecurity management system. Such a list helps one to know which data are stored where and how they are protected. It also covers documentation of hardware, software installations, and the configurations used to identify vulnerabilities.

3. Perform Regular Risk Assessments and Propose Improvements

One of the biggest tools in a software engineer's toolbox is a threat model. It involves a design diagram of all the software components involved, their interactions, and the entry and exit points of customer requests. Asking each other pointed questions helps us assess the risks and avoid falling into the pit of unfounded assumptions.

Regular risk assessments enable you to identify threats or vulnerabilities in your development environment. These assessments must cover internal and external factors, such as employees, third-party vendors, and new cyber-attack trends. Based on the findings, you must propose improvements to strengthen the organization's security posture.

4. Enforce Two-Factor Authentication (2FA) for All Login Attempts

Two-factor authentication provides additional security, as users must provide two types of identification to access accounts or systems. Even if login credentials are exposed, this reduces the chance that unauthorized individuals can gain entry. Implementing 2FA across all platforms and applications is fundamental for securing sensitive data.

While this sounds like an IT requirement, 2FA should be used to access all the critical software engineering platforms and portals. Do you log in to a jump host to reach the cloud environments? Make sure that 2FA is enabled for that workflow, and if it is not, persuade the person who manages the relevant infrastructure to turn it on.

5. Have a Companywide Password Management System

A password management system provides a secure way to store and manage passwords, thereby fostering the use of strong and unique passwords for different accounts. It mitigates the risk of password-related breaches and simplifies the management of personal login credentials.

There can be many external systems without a single sign-on where we need to create another set of credentials, some of which can be shared with the team. Password managers are the best method for sharing these passwords or secrets among the engineers and the rest of the employees — no more sending secrets by email or chat messages.

6. Security Awareness Training and Phishing Tests

Training employees on cybersecurity threats and best practices is essential in creating a security-conscious culture. Security awareness training should regularly cover areas such as recognizing phishing emails, safe internet usage, and proper data handling procedures. Phishing tests can occasionally be conducted to determine whether employees notice and report suspicious incidents.

This is even more important for a software engineer who works on internal tools, which usually carry broader permissions. Talk to your security team or IT department about security awareness training.

7. Encrypt All Internal and External Communications

Encryption ensures that sensitive information sent within and outside the organization remains confidential and secure. Robust encryption protocols should be deployed on all communication channels, including email systems, messaging apps, and file transfers. Thus, unauthorized access to information is prevented even if it has been intercepted during transmission.

AES-256 is a great encryption algorithm for data at rest. For data in transit, it's better to use the defaults of whatever TLS library you use for communication. They usually default to AES-256 anyway, but sticking with the defaults ensures we are not experimenting with a lesser-known, less-scrutinized encryption algorithm. Even peer-to-peer machine communication should ideally use encryption. Using plaintext for communication between endpoints in a private network is possible, but locking such a network down properly requires considerable experience.

8. Have an Incident Response Plan

A formulated incident response plan is instrumental in guiding an entity's actions during a cyber threat, such as data compromise or ransomware infiltration. It encompasses preventive measures, responsive protocols, recovery strategies, and communication procedures. Regular rehearsal and ongoing refinement of this plan ensure an organization's preparedness for potential security contingencies.

Most of the time, software engineers will be involved during the incident, and they will take the lion's share of responsibility for mitigation. Having such a plan ensures that you, as a software engineer, know your role and responsibility.

Summary

In conclusion, while these practices look simple at first glance, software engineers must remember their importance. Sometimes, a good solution is the simplest. Having complicated policies that are open to interpretation invites confusion, which is what malicious actors are looking for. It works even better when the practices are woven into the organization's culture.
