A business should consider cybersecurity from every angle when developing software, such as the OpenEye Web Services (OWS) cloud-managed video platform. The product’s architecture should be inherently secure from the beginning of the design phase. Trust boundaries should be mapped, looking for places where there could be potential issues. That should then be reviewed by security-focused personnel and senior engineers. An architecture that is more complicated than it needs to be could create a security issue if one aspect isn’t implemented
“Right out of the gate, OpenEye has a pretty heavyweight approach for security because if you don’t get the foundation right, the software or system can be vulnerable in spite of the best implementation later on,” said Jake Sink, OpenEye’s Principal Software Architect.
Software development best practices
Best practices for software system design were introduced in the 1970s. According to SAFECode’s Fundamental Practices for Secure Software Development, best practices include keeping the system’s design as simple as possible, having programs and users operate with the least set of privileges necessary, designing the human interface for ease of use, and recording compromises of information, among others.
Additional principles have been added, such as “defense in depth,” in which a system is designed so it can still resist attack if a single vulnerability is exploited, and “design for updating,” where designers plan for future security updates.
The U.S. National Institute of Standards and Technology (NIST) recommends a Secure Software Development Framework, a set of secure software development practices. “Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences,” the agency said on its website.
OpenEye cybersecurity assurance
OpenEye has processes in place to ensure a secure architecture, including testing and reviews by subject matter experts, quality assurance personnel, developers and others. Next, one must consider the security of how the software operates, whether in the cloud or on a device. What are the possible exploit scenarios? What could go wrong? How might someone try to work around a security measure? The next layer is the coding process. This step of the lifecycle includes an analysis of the code and peer reviews. Developers should use common patterns that can easily be scanned and evaluated for errors.
“People aren’t perfect, and even your best engineer could make a mistake one day. We want to build in the fail safes to prevent that kind of thing from being possible to manifest as a security issue,” Sink said.
OpenEye performs SAST, DAST, penetration and other testing throughout the development cycle.
“Whether developing a new feature or making a change to the software, we look at things from inception with as much depth as possible. Then we look at implementation and make sure that’s secure, using both human and machine learning. We perform a static analysis and then finally ensure the integrity of the software being released.”
When a project is complete, a postmortem discussion can help provide feedback and lead to adjustments for the future.
“You’ve got a virtuous development life cycle going that helps us with our quality and our productivity, as security framework and process improvements build on one another as the development lifecycle repeats.”
OWS cybersecurity features
- Ability to audit user activity
- Automated lost password resets
- Automated software updates
- Cross-site request forgery protection and other web browser-based security measures
- Digital signature verification
- HTTPS video and data transmission
- Multifactor authentication
- NIST-compliant data encryption
- No open inbound ports
- Single sign-on to access remote clients and reduce the potential for rogue remote clients
- Capability for customers to implement “least privilege” for their own security and compliance requirements, through robust and fine-grained role-based access control (RBAC) features in OWS
OpenEye, the cloud video platform company, provides solutions for video security, business intelligence and loss prevention. For over 20 years, it has been committed to developing an easy-to-use, comprehensive video management system backed by Heroic Customer Service® and support. OpenEye’s solutions are available globally through a trusted network of certified service providers. Visit openeye.net.