Building Software Immunity

What is the best way to build our immunity against various diseases, viruses or bacteria?

1. Healthy eating habits 
2. Exercise
3. Vaccines
4. All of the above

Most of us would agree that the last option is the way to keep ourselves healthy.

I wonder... can we immunize software systems? Are there any good habits or vaccines against all types of attacks or viruses? I believe the short answer is yes. For a long answer, keep reading.

Software Security: A Need (Not Just a Requirement)

As Marc Andreessen wrote, software is eating the world. Rapid adoption of software during COVID-19 has been phenomenal. Software has  been instrumental in keeping the world sane. Software systems are allowing us to stay together and safe. 

Nevertheless, it is an opportunity for malicious attackers (read: hackers) to exploit software systems for various reasons. Software security is no longer a non-functional requirement but a necessity to ensure the integrity and security of our own identity and presence in the digital world. Imagine losing all of your money or having your identity stolen. The security of software systems is no longer just a checkbox; it needs to be part of the software development and operational lifecycles. 

Here are some ideas analogues to building our own immunity against biological viruses, bacteria or diseases.

1. Healthy Habits

While building immunity, the first thing that comes to mind is healthy eating habits. Building any software application requires similar healthy software development habits. There are many, not limited to the below ones:

• Good development practices need a security mindset.
• Every conscious decision made by software designers or programmers, such as choosing the right programming language, managing input, or handling data, needs to take the various kinds of attacks or integrity issues (that may make the software vulnerable) into account.
• Secure coding practices, like the OWASP cheat sheet, are excellent ways to understand and incorporate concepts such as threat modeling and proactive security controls into software development.
• DevSecOps, or DevOps with security, allows software systems to evolve quickly with automations that detect security vulnerabilities and prevent vulnerable code or components from being deployed. 
• Used effectively, this can expedite security patches in a timely manner without any impact to end-users. 

2. Exercise

To be robust and strong against various attacks, each software application needs to build its own muscles with good design and architecture.

Software systems with high availability and integrity are inherently more secure and avoid retroactive vulnerability fixes.

Secure design practices, such as domain-driven design and the fail fast principle, allow us to capture strict and unambiguous representations of the domain model, leaving any flaws outside the bounded context.

Designing secure software takes focused effort, but it is much wiser than troubleshooting and resolving issues or vulnerabilities later during testing or after deployment.

3. Vaccines

Lastly, a good vaccination in the form of various security testing processes, such as SAST, DAST, or MPT (pen testing), is necessary.

These processes allow us to simulate various attacks on the software under development or test the software before it goes to production.

It makes us aware of various new forms of attack or new vulnerabilities and allows us to prepare for them.

The process of resolving such vulnerabilities needs to be efficient in order to allow any fixes to be patched before an actual attack can happen (DevSecOps plays an important role here).

Concluding Thoughts

The above analogy may be counter-intuitive, but the need for software immunity (security) is real. Each of these areas are broad and can span many pages or books. Infrastructure, networks, databases, and orchestration platforms are other areas that deserve their own share of focus from a security standpoint. In multiple layers of defense against cyber attacks, software application security is crucial and the closest to the core of the software.