Cybersecurity and the Software Development Life Cycle

A business should consider cybersecurity from every angle when developing software, such as the OpenEye Web Services (OWS) cloud-managed video platform. The product’s architecture should be inherently secure from the beginning of the design phase. Trust boundaries should be mapped, looking for places where there could be potential issues. That should then be reviewed by security-focused personnel and senior engineers. An architecture that is more complicated than it needs to be could create a security issue if one aspect isn’t implemented just right.

“Right out of the gate, OpenEye has a pretty heavyweight approach for security because if you don’t get the foundation right, the software or system can be vulnerable in spite of the best implementation later on,” said Jake Sink, OpenEye’s Principal Software Architect.

Software development best practices

Best practices for software system design were introduced in the 1970s. According to SAFECode’s Fundamental Practices for Secure Software Development, these include keeping the system’s design as simple as possible, having programs and users operate with the least set of privileges necessary, designing the human interface for ease of use, and recording compromises of information, among others.

Additional principles have since been added, such as “defense in depth,” in which a system is designed so that it can still resist attack when a single vulnerability is exploited, and “design for updating,” where designers plan for future security updates. In addition, the paper recommends having an encryption strategy, standardizing identity and access management, and testing rigorously with methods such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and penetration testing.

The U.S. National Institute of Standards and Technology (NIST) recommends a Secure Software Development Framework, a set of secure software development practices. “Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences,” the agency said on its website.

OpenEye cybersecurity assurance

OpenEye has processes in place to ensure a secure architecture, including testing and reviews by subject matter experts, quality assurance personnel, developers and others. Next, one must consider the security of how the software operates, whether in the cloud or on a device. What are the possible exploit scenarios? What could go wrong? How might someone try to work around a security measure? The next layer is the coding process. This step of the lifecycle includes an analysis of the code and peer reviews. Developers should use common patterns that can easily be scanned and evaluated for errors.

“People aren’t perfect, and even your best engineer could make a mistake one day. We want to build in the fail safes to prevent that kind of thing from being possible to manifest as a security issue,” Sink said.

OpenEye has a heavyweight approach for security because if you don't get the foundation right, the system can be vulnerable.

The integrity of the code running on the OpenEye Web Services platform must also be evaluated. There are checks and balances and a process in place to ensure that testing happens throughout development. Automation at some of those checkpoints ensures consistency.

OpenEye performs SAST, DAST, penetration and other testing throughout the development cycle.

“Whether developing a new feature or making a change to the software, we look at things from inception with as much depth as possible. Then we look at implementation and make sure that’s secure, using both human and machine learning. We perform a static analysis and then finally ensure the integrity of the software being released.”

When a project is complete, a postmortem discussion can help provide feedback and lead to adjustments for the future.

“You’ve got a virtuous development life cycle going that helps us with our quality and our productivity, as security framework and process improvements build on one another as the development lifecycle repeats,” Sink said. 

OWS cybersecurity features

  • Ability to audit user activity
  • Automated lost password resets
  • Automated software updates
  • Cross-site request forgery protection and other web browser-based security measures
  • Digital signature verification
  • HTTPS video and data transmission
  • Multifactor authentication
  • NIST-compliant data encryption
  • No open inbound ports
  • Single sign-on to access remote clients and reduce the potential for rogue remote clients
  • Capability for customers to implement “least privilege” for their own security and compliance requirements, through robust and fine-grained role-based access control (RBAC) features in OWS

About OpenEye

OpenEye, the cloud video platform company, provides solutions for video security, business intelligence and loss prevention. For over 20 years, it has been committed to developing an easy-to-use, comprehensive video management system backed by Heroic Customer Service® and support. OpenEye’s solutions are available globally through a trusted network of certified service providers. Visit openeye.net.


OpenEye is developing the future of surveillance in Liberty Lake, Washington