The world of software development is inherently creative and collaborative. Geographically diverse teams build applications, and people on these teams often ask friends outside the team to review their code. New technology makes sharing and collaborating easier than ever, but it also makes containment and distribution control harder. Security teams view programmers and designers as threat agents, which creates occasional animosity between the two groups.
Cloud security for software development, like that offered by Trend Micro, is undergoing rapid changes in thinking. Innovations like containers keep making their way into the development environment. Still, your developers have access to some of your company’s most sensitive information. It’s crucial to take precautions that protect your application development environment.
1. Isolate Development from Production
In some industries, such as financial services, audit rules require separation of development, test, and production environments. This separation keeps untested code changes from deleting or corrupting production data, and it keeps developers from accessing test and production systems.
Scott Ambler, an Agile software development expert, suggests five sandboxes for the software build. Your need for each box depends on your organization and project size, but the concept of isolation matters most.
- Development. In addition to being the sandbox for initial coding, it’s also the place to which all broken build, bug, and problem reports get sent. One best practice is to set up an internal (editorial) domain that you don’t have to publish in public DNS. You can restrict access based on IP address or require a VPN for login.
- Project integration. In this sandbox, developers test code before sending it on for integration. It’s a place to test individual projects, not entire applications.
- Demo. The Demo sandbox holds working software for demonstration to stakeholders.
- Pre-production. This environment simulates your actual production environment and allows you to test your application and how it works with other applications.
- Production. Deploy the application into production only after rigorous testing and debugging.
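The IP restriction suggested for the Development sandbox is easy to get wrong (a malformed or loopback address that slips through, an IPv6 client checked against IPv4 ranges only). The following is an added example, not code from the article or from Trend Micro: it evaluates a login attempt against office ranges and a VPN client pool, denies anything it cannot parse, and produces an audit record for the decision. The network ranges, user names and log format are constructed assumptions.

```python
"""Added example (not from the original article): an IP-based access check for a
development sandbox, plus a structured audit record for each login attempt.
Networks, user names and the log line format below are constructed assumptions."""
import ipaddress
from datetime import datetime, timezone

# Constructed allowlist: office ranges plus the VPN client pool (assumed values).
OFFICE_NETWORKS = ["203.0.113.0/24", "2001:db8:10::/48"]
VPN_POOL = ["10.8.0.0/16"]


def _parse_networks(cidrs):
    """Turn CIDR strings into ip_network objects once, at import time."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


ALLOWED = _parse_networks(OFFICE_NETWORKS + VPN_POOL)


def check_dev_access(client_ip: str, allowed=None):
    """Return (allowed, reason).

    Unparseable or unroutable addresses are denied rather than allowed by
    accident; the reason string is intended for the audit log, not the user."""
    nets = allowed if allowed is not None else ALLOWED
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False, "malformed address"
    # Loopback/unspecified sources never come from a real office or VPN client.
    if addr.is_loopback or addr.is_unspecified:
        return False, "unroutable source"
    for net in nets:
        # Version check is explicit so an IPv6 client is never matched to an
        # IPv4 range by mistake (ipaddress already returns False, but be clear).
        if addr.version == net.version and addr in net:
            return True, f"in {net}"
    return False, "outside office/VPN ranges"


def audit_line(user: str, client_ip: str, decision, when=None) -> str:
    """One structured audit record per login attempt (constructed format)."""
    ok, reason = decision
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    result = "allow" if ok else "deny"
    return f'{ts} user={user} ip={client_ip} result={result} reason="{reason}"'


if __name__ == "__main__":
    # Constructed sample attempts: one from the office, one from the VPN pool,
    # one from an unknown network, one malformed.
    for user, ip in [("alice", "203.0.113.42"), ("bob", "10.8.3.7"),
                     ("carol", "198.51.100.9"), ("dave", "not-an-ip")]:
        print(audit_line(user, ip, check_dev_access(ip)))
```

Because the decision and the audit record are produced together, every denied attempt is logged with the reason, which is what an auditor asking "who tried to reach the development sandbox from outside" actually needs.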
2. Secure the Endpoints
Most developers connect to the environment using endpoints that have varying levels of security. They also use storage media, particularly USB drives, to transport their files from place to place.
Requiring antivirus on laptops, and at a minimum on Android mobile devices, is a given. If you’re working with a particularly sensitive application, consider encrypting endpoints. Also, prohibit external storage media from connecting to the development environment. Stuxnet, arguably the world’s first known cybersecurity weapon, came from a USB drive designed to infect a programming environment.
3. Keep Code in the Environment
In addition to creating secure endpoints, do your best to keep code within a secure environment. Beyond prohibiting USB usage and restricting IPs, take these steps:
- Avoid public code repositories. Make sure your developers know that unless you’re working on an open-source project, your proprietary code can’t go on GitHub.
- Keep code on private servers. Avoid storing code on public Web servers and in the public cloud until you really need the scalability of the public cloud, which probably doesn’t happen until pre-production.
- Store backups within the development environment. Code backups to non-secure environments can put sensitive information at risk, and retrieving the information from a non-secure environment could be an open invitation for malware.
- Keep a record of who accesses the code. It’s crucial to log any instances in which an authorized person checks source code in or out.
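Two of the steps above, keeping code off public repositories and recording who moves code in or out, can be enforced at the same point: a git pre-push hook. The following is an added example, not code from the article or from Trend Micro. It refuses a push unless the remote host is on a private-server allowlist (handling the https://, ssh:// and scp-style URL forms git accepts) and writes one audit record per attempt. The host names, user, branch and record format are constructed assumptions.

```python
"""Added example (not part of the original article): a git pre-push guard that
refuses pushes to remotes outside a private allowlist and records every push
attempt. Host names, users, paths and the record format are constructed."""
import getpass
import re
import sys
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed allowlist of in-house code servers (assumption).
PRIVATE_HOSTS = {"git.dev.internal", "git.corp.example"}

# scp-style remote: [user@]host:path  (e.g. git@host:team/app.git)
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.+)$")


def remote_host(url: str):
    """Extract the lower-cased host from a git remote URL; None if unknown."""
    url = url.strip()
    if "://" in url:
        # urlparse strips userinfo and port and lower-cases the host;
        # file:// remotes have no host and therefore yield None.
        return urlparse(url).hostname
    # Local paths (POSIX or Windows drive letters) are not remote servers.
    if url.startswith(("/", "./", "../")) or re.match(r"^[A-Za-z]:[\\/]", url):
        return None
    m = _SCP_LIKE.match(url)
    return m.group("host").lower() if m else None


def push_allowed(remote_url: str, allowed=PRIVATE_HOSTS):
    """Return (allowed, reason); unknown hosts are refused, never assumed safe."""
    host = remote_host(remote_url)
    if host is None:
        return False, "cannot determine remote host"
    if host in allowed:
        return True, f"{host} is an approved private server"
    return False, f"{host} is not an approved private server"


def push_record(user: str, remote_url: str, branch: str, decision, when=None):
    """Audit record for the push attempt (constructed format)."""
    ok, reason = decision
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    result = "allow" if ok else "deny"
    return (f'{ts} user={user} action=push remote={remote_url} '
            f'branch={branch} result={result} reason="{reason}"')


if __name__ == "__main__":
    # git invokes pre-push as: pre-push <remote name> <remote url>
    # and streams the refs being pushed on stdin (assumed single branch here).
    remote_url = sys.argv[2] if len(sys.argv) > 2 else "git@git.dev.internal:team/app.git"
    branch = sys.stdin.readline().split()[0] if not sys.stdin.isatty() else "refs/heads/main"
    decision = push_allowed(remote_url)
    with open(".git/push-audit.log", "a", encoding="utf-8") as log:  # assumed log location
        log.write(push_record(getpass.getuser(), remote_url, branch, decision) + "\n")
    if not decision[0]:
        print(f"push refused: {decision[1]}", file=sys.stderr)
        sys.exit(1)
```

A client-side hook is a guard rail, not a control a developer cannot bypass, so the same allowlist should also be enforced on the corporate proxy or egress firewall; the hook's value is that it records intent at the moment code would have left the environment.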
4. Audit All the Time
Auditing code to ensure that no malicious functions or vulnerabilities enter production is a given. All tests should cover 100 percent of the source code, particularly when the code is written in a scripting language, where outside access can more easily introduce malicious code.
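The 100 percent coverage target only means something if the build actually fails when a file falls short. The following is an added example, not code from the article or from Trend Micro: a CI gate that reads a Cobertura-style XML coverage report, recomputes each file's coverage from the per-line hit counts (so the report's own summary attributes are not trusted), and lists every file below the threshold. The report embedded below is constructed.

```python
"""Added example (not from the original article): a CI gate that fails the build
when any source file is below the coverage target, computed from a
Cobertura-style XML report. SAMPLE_REPORT is a constructed report."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<coverage line-rate="1.0">
  <packages>
    <package name="app">
      <classes>
        <class name="auth.py" filename="app/auth.py" line-rate="1.0">
          <lines>
            <line number="1" hits="3"/>
            <line number="2" hits="3"/>
            <line number="5" hits="0"/>
          </lines>
        </class>
        <class name="util.py" filename="app/util.py" line-rate="1.0">
          <lines>
            <line number="1" hits="1"/>
            <line number="2" hits="1"/>
          </lines>
        </class>
      </classes>
    </package>
  </packages>
</coverage>"""


def file_coverage(report_xml: str):
    """Map filename -> (covered, total), counted from <line hits=...> elements.

    The summary line-rate attributes are deliberately ignored: the constructed
    report above claims 1.0 everywhere, yet app/auth.py has an unhit line."""
    root = ET.fromstring(report_xml)   # reports come from our own CI, not users
    result = {}
    for cls in root.iter("class"):
        name = cls.get("filename") or cls.get("name")
        lines = cls.findall("./lines/line")
        covered = sum(1 for ln in lines if int(ln.get("hits", "0")) > 0)
        prev_c, prev_t = result.get(name, (0, 0))
        result[name] = (prev_c + covered, prev_t + len(lines))
    return result


def coverage_gate(report_xml: str, threshold: float = 1.0):
    """Return (passed, shortfalls); each shortfall is (file, covered, total, rate)."""
    shortfalls = []
    for name, (covered, total) in sorted(file_coverage(report_xml).items()):
        rate = covered / total if total else 1.0
        if rate < threshold:
            shortfalls.append((name, covered, total, rate))
    return (not shortfalls), shortfalls


if __name__ == "__main__":
    passed, short = coverage_gate(SAMPLE_REPORT)
    for name, covered, total, rate in short:
        print(f"{name}: {covered}/{total} lines ({rate:.0%}) below target")
    raise SystemExit(0 if passed else 1)
```

Recomputing from line hits rather than reading the report's summary attributes matters because a build step that merely greps `line-rate="1.0"` can be satisfied by a stale or edited report.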
In addition to auditing code, run periodic security checks on all programmers, designers, and others who work in the Web application development pipeline. Your developers have access to the most sensitive intellectual and financial information in your company, so don’t hesitate to re-screen them on a regular basis. They should know that it’s standard procedure for your company.
5. Blend Security and Innovation
Always remember that the degree to which you implement controls depends on the sensitivity of the project. If you’re not working in a heavily regulated industry, or you’re not protecting highly sensitive IP, you might not need to encrypt every developer’s laptop. Strike the right balance between tight security and open, free-flowing collaboration.