By: Surinder Dhar – Director of Mobile Solutions, Business Development
Innovation is the cornerstone of any enterprise that aspires to be a market leader or to maintain its leadership position. Although security is top of mind for most enterprises, it is still not part of their innovation cycle. This is evident in the survey by Bromium (The CISO's Dilemma: Security Versus Productivity), which found that 74 percent of CISOs say end users are frustrated that security disrupts productivity and 81 percent say end users see corporate security policies as a hurdle to innovation.
It is a widely held belief that security restricts the pace of innovation, so these statistics should not surprise us. This is a result of an IT-focused mindset from the past few decades: if it isn't broken, don't fix it. IT has transformed over the past decade through the implementation of agile, DevOps, cloud/edge computing, continuous integration and automation, ultimately making security much more complicated. Data breaches and cyber-attacks have increased in frequency every year, and there doesn't seem to be an end in sight.
At Valid, we have decisively moved away from this mindset and do not think of security as a roadblock to innovation but as an opportunity to bring better products to the marketplace. Additionally, we believe security is more than an add-on to a product/service or just an added feature to make it successful. As a company that delivers new and innovative products, we are continuously looking at how to increase security across our portfolio of products.
Security takes hard work and innovative thinking, and it needs to be addressed on a continual basis. It starts by applying security processes at the very beginning of the product development cycle while simultaneously building out the teams and processes needed to allow for innovation. The classic "security by design" approach is effective during implementation because it mandates addressing common types of architectural weaknesses. This constitutes a security-first mindset for software and product developers: it avoids fundamental design problems in both architectural design and implementation, and it helps to develop novel techniques to identify and mitigate such flaws. Some techniques employed in "security by design" include:
- Session Fixation Attack: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a weakness in the way a vulnerable web application manages the session ID, in particular when the application keeps accepting a session ID that was set before the user authenticated.
- Threat Modeling: Threat Modeling can have many definitions, but any of them should include:
  - Going through the analytic process to figure out what might go wrong with the software or product you are building.
  - Building up a set of potential remote attackers and developing ways to mitigate their attacks.
- Architectural Risk Analysis: Architectural Risk Analysis is a systematic approach for evaluating design decisions against quality requirements. For Architectural Risk Analysis to be effective, evaluators need to have previous knowledge of architectural flaws based on the software context such as its requirements, architectural tactics applied, etc.
- Security Training: Providing proper training of employees to develop a common background in building secure solutions.
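To make the session-fixation item above concrete, here is an added example (not Valid's code or any framework's) that contrasts a login handler which keeps the session ID the client arrived with against one that issues a fresh ID at authentication. The in-memory session store, the IDs and the user names are constructed for illustration.

```python
import secrets

# Constructed in-memory session store: session_id -> session data.
SESSIONS: dict[str, dict] = {}


def login_fixation_prone(presented_sid: str, user: str) -> str:
    """Fixation-prone pattern: the session keeps whatever ID the client
    presented, and an ID the server never issued is accepted as-is.
    Anyone who already knows that ID now holds an authenticated session."""
    session = SESSIONS.setdefault(presented_sid, {"user": None})
    session["user"] = user
    return presented_sid


def login_hardened(presented_sid: str, user: str) -> str:
    """Hardened pattern: discard the pre-authentication session and bind the
    authenticated state to a freshly generated, server-issued ID."""
    SESSIONS.pop(presented_sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": user}
    return new_sid


def whoami(sid: str):
    """Return the user bound to a session ID, or None if it is unauthenticated."""
    return SESSIONS.get(sid, {}).get("user")


def check_session_regenerated(login) -> bool:
    """Design-review check: after login, the pre-auth ID must no longer
    resolve to the authenticated user and the returned ID must differ."""
    pre_auth_sid = "preauth-" + secrets.token_urlsafe(8)  # constructed ID
    post_auth_sid = login(pre_auth_sid, "reviewer")
    return post_auth_sid != pre_auth_sid and whoami(pre_auth_sid) is None


if __name__ == "__main__":
    print("fixation-prone login passes check:", check_session_regenerated(login_fixation_prone))
    print("hardened login passes check:     ", check_session_regenerated(login_hardened))
```

The `check_session_regenerated` test is the kind of assertion a security-by-design review can keep in the regression suite so that session ID regeneration on login does not silently disappear.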
These techniques have become increasingly popular, and research into them will only continue to grow as security threats remain prevalent. Security management is no longer a retrospective, compliance-driven exercise but a transformational process required for smart innovation, and it must be woven into business strategy.