As someone working with developers and concerned about software security, you want the ‘how to do it’. Not the technical detail, but how you can change your professional approach and that of your colleagues to deliver adequate software security at a minimum cost. You reach for the dummies guide, and there’s nothing like that available. This online book addresses that gap.
Not so long ago, software developers mostly lived in a world of safety, in which crime and accidental privacy loss were virtually unknown, prevented because the computers stood alone and rarely communicated with each other. Nowadays every computer and every application is essentially part of a world computing network, widely accessible to other people; and criminals and accidental disclosure can hurt large numbers of people very badly.
We all know the stories – grandmothers losing their life savings to online fraudsters; cars potentially crashing at speed because their control systems are compromised; hospital patients dying because the hospital computers are encrypted by an ‘Internet Worm’. In 1990 such things were hardly considered; in 2000 only science fiction writers worried about them; in 2010 we started to see real problems; and by 2018 as I’m writing this, most people have encountered the risks and dangers of software security problems. And they’re right to be worried.
Clearly software developers have a part to play in keeping software users from harm. In this book we’ll explore how we can do this, and what helps a development team – programmers, testers, managers and product managers – to achieve security without compromising all the other demands on ourselves.
Six years ago, the lead author, Charles, was running Penrillian, a 20-strong company devoted to creating leading edge software for mobile phones. Our customers were mainly mobile operators (‘carriers’), and we were delighted to receive the commission to produce the first commercial Android mobile money application. Our knowledge of software security was sketchy, so naturally we went to the internet to learn how to tackle secure software development. We found a good deal of information on how to use low-level APIs correctly; instructions on how to sign apps; and a lot of horribly-detailed descriptions of ‘All The Things That You Might Do Wrong’. Nowhere could we find a friendly step-by-step introduction to creating and verifying a software design that would satisfy a given set of security needs. Charles was horrified at the omission, and when he had the opportunity to return to the academic life, he joined Security Lancaster and chose this as an area to study.
Two years later, NCSC, the government agency tasked with improving Britain’s cybersecurity, challenged the Developer-centred Security team at Security Lancaster to research interventions for software developers. They asked what would make a good intervention to help a software development team achieve better security; how would such an intervention work with different types of team and culture?
To find the answers, we first asked a range of some of the most successful people working to help software developers produce secure code, and analysed how they did it. We looked for positive approaches – most security experts love discussing attacks and failures, so this was harder than you might expect!
Based on that analysis, we put together a package and have been trialling it on a variety of development teams; we call this package ‘Developer Essentials’. We’ve conducted highly-structured trials with several companies and improved the package from the results. This book describes the Developer Essentials package, and explains why each step is important and how you might want to take it further.
Our mission with this book is to help you to get your team good enough at software security, with a minimum of effort and even a certain amount of fun.
This book is designed to be easy to read a section at a time. Each section takes less than five minutes to read, and covers one step on improving the security of the code delivered by a development team. You can get to each one individually through the buttons on the left-hand side of each page in this book, or read them in order using the buttons at the end of each page. Each has some introductory explanation, instructions, where appropriate, on how to incorporate it into Developer Essentials, and then discussion of alternatives and different ways to implement it. Most sections also have amusing illustrations by cartoonist Noel Ford.
If you’re planning to run the Developer Essentials package yourself, we recommend reading all the ‘Developer Essentials’ sections before you start, since some are introduced within other steps. For example, Component Choice is something for the Developers to consider themselves in the Risk and Cost workshop. If you’re interested in a wider view, then read the whole of each step.
Secure development involves a range of people: programmers, testers, project managers, product owners and perhaps other roles. Throughout this handbook, we’ll refer to all of them as ‘developers’. There are many aspects to software security. Some authors like to distinguish ‘security’ (against malicious attack), and ‘privacy’ (from legitimate users); in this handbook we call both ‘security’.
We’ll also include quotations from experts. And much as we’d like to give full credit, the quotations come from interviews done on condition of anonymity – so instead we have cited the role of the speaker.
This guide will continue to develop. As we learn from further trials of the techniques, and as people tell us what can be done better, we’ll incorporate the improvements.