If you run a web application, you face an increased risk of a data breach. Given the terrible consequences a breach can bring to your customers and your brand, software development and cloud deployment should be a cornerstone of your risk management and security approach.
So how do you apply that when you build software-as-a-service applications or website projects with content management systems? Let's get to it.
Frameworks can make it sound easy
The tools and frameworks of modern software development give us greater speed, agility and power, but they also come with some additional risks. When you're architecting a new digital application, you want to make sure that every line of code you write and every feature you build is guarded against compromise.
And it's quite a complex domain. It's not just the code that the developers are writing, it's the overall ecosystem that the code will exist in, like the hosting infrastructure where it's running. You need to consider both to protect the confidentiality, the integrity, and the availability of all the user data and of any personal or sensitive files. You have to deal with encryption, configure the environments and enable secure administration with full auditing capability over all of this. The security list is really, really long.
Following industry standards
Luckily, there are several standards to help us. The OWASP guidelines highlight the most critical security risks to web applications.
There is ISO 27001 for information security management systems, and guidance from governments through the NCSC in the UK or CISA in the USA. Together they give us good domain knowledge derived from experience, so we can ensure that everything remains compliant and safe.
How to remain secure during development
To remain as secure as possible for our projects, this is how we deal with it in our agency:
- The most important thing is to build a security culture. Our ISO certification drives a lot of this, from onboarding and training to regular improvements, making everyone accountable for security.
- We also use industry standards and follow best practices when developing code, using trusted sources that are peer-reviewed in the open-source community. That's why we find frameworks like Drupal and Laravel useful: they have global communities that always stay on top of the ever-changing threat landscape.
- We developed our own processes for the most common tasks that we undertake on all projects. We have processes to deal with issues, so we can apply SLAs to bugs or security patches.
- We also invest time in refactoring to reduce technical debt and improve the stability of our applications, so that they can be extended and maintained effectively over time. We'll talk about that more in my next video.
- We use infrastructure as code to automate secure configuration of the network between the server and the database, and of the entire deployment pipeline for the stack.
- For the most critical projects, we invest in additional external penetration testing. It's always good to have our work audited by external security professionals, and it reassures our clients.
Security is hard
As you can see, there is so much to consider when it comes to security. This is why, once you have a minimum viable product and need to scale your application, you always need to consider hiring a large team of professionals to support your product development.
You can have a great contractor, a great developer at much cheaper rates, but if they don't understand the whole spectrum around security and the compliance requirements of both the code and the hosting infrastructure, it is just a disaster waiting to happen... and you don't want that.
If you need help with planning, executing, or monitoring your security standards for web applications or cloud hosting, just get in touch. Don't forget to subscribe to my YouTube channel and follow me on Twitter to keep learning with me and grow your career in digital.
Until next time, stay safe and see you soon.