- On 25. Jun 2018
Time is money and money obviously is what keeps a company running. Up until the very moment it doesn’t: product releases get postponed, stakeholders leave and so does your window of opportunity to conquer the market. The past five to ten years you spent building your new product or service, hundreds of hours of research and development – all gone. Time and money that you’ll never recover because you (allegedly) wanted to save a few bucks.
It doesn’t come as a surprise that time (to think about) and money (to pay for) IT security is one of the top excuses why organizations decide against preventive security services, as our own research shows. Yet, in less security-aware companies, sometimes more effort is invested in a car policy than in a security policy. Companies might even invest a serious amount of time into researching whether the new Driving Assistant offers a certain feature or not. That leaves us with the impression that time and money may not be the limiting factor. The real reason might be that it is very difficult to measure a direct return on investment for any security-related improvement, which makes it an unpleasant topic for any budget meeting. We totally get it.
Every day you can read about DDoS attacks here, an infiltrated company there or yet another personal data leak somewhere else. Not because companies don’t care about the security status of their products, but because the paradigm has shifted. For the right price, you can get any company hacked, at any time. Unfortunately, that isn’t even remotely the scariest thing that could happen if you are in the software business.
Alexander Chvojka, CEO at ITdesign, and his team recently sat down with SEC Consult to talk about their experience (good and bad) with preventive security measures, how their R&D process radically changed over the past few months and what they would do differently if they were given the chance to do it all over again.
If you can’t think of a way to fix it, it is time to start over.
“The first security analysis of the current product release felt like a sledge-hammer to the face,” recollects Lukas Boldrino, project lead and scrum master at ITdesign. “It pointed out that the current software architecture and 3rd-party software packages were out-dated and had security leaks. As a matter of fact, there was nothing left to fix and we decided to start anew, from scratch…”
Clearly, security audits are – excuse my French – a serious pain in the ass, especially when it comes to non-functional requirements. Even if everything was going well with only minor issues that could be fixed in time, you’d still have to solicit offers, compare and select those proposals and schedule a test. With a security test (5 days), necessary preparation (5-10 days) and follow-up work (5-10 days), you are losing time and burning money. At every major release! Keep in mind that this is just the ideal scenario. It takes just one issue to put your perfectly planned roadmap at risk. A few weeks’ delay might not seem much within a 3-year software project. In software development, pushing a final release by only 1-2 months is really good. Unfortunately, postponing a few milestones or releases also means not going to market as fast as possible, but a few months or even a year later. By then, you might have run out of funds to finish your product or – even worse – might have missed your window of opportunity to market your (no longer) state-of-the-art software product in the first place.
Of course, there is always Plan B: market your software without any prior security checks (because you blindly trust your in-house coders or can’t afford any audits) and hope that nothing happens. The huge stack of security advisories by the SEC Consult Vulnerability Lab clearly shows that Murphy’s Law applies to IT security all too well.
Boldrino had to make the tough decision to start from scratch and was keen on doing it right this time – with a team of security experts on his side to constantly monitor the application’s security status from day one. Some time has passed since “doomsday” at ITdesign and their new software project is right back on track.
Q: What did you do differently this time, what did “starting over” mean exactly?
Boldrino: We knew we had to change something, so we teamed up with SEC Consult. We literally threw out everything which had been coded so far and took the time to define strict security requirements for all affected software and operating system components. We designed a completely new architecture and even took the chance to radically change our own development process.
Q: How did the team respond?
Boldrino: It took a lot of courage. And, most importantly, a lot of communication. Up until that very moment, we had a clean separation between a frontend and a backend, which is kind of a standard in software dev, but it was breaking our neck. So, apart from changing our workflow on a process level, we started to include both teams in our daily sprint meetings.
Q: What was the role of SEC Consult in the dev process?
Boldrino: SEC Consult was taking care of security on a technical level, while our own team implemented data privacy procedures on a logical level, internally. Instead of losing precious time and inducing a lot of additional stress with every security audit, our releases were tested with no additional management overhead. No more worrying, no more missed milestones. Our timeline and resources were suddenly perfectly plannable.
Q: What about the financial side? IT professionals like SEC Consult probably don’t come cheap?
Boldrino (laughing): Yeah, well, that’s what everyone else might think, but the numbers speak differently. Compared to your overall development budget, the costs for SEC Consult’s Application Security Monitoring are minimalistic. Maybe 10% or so. You are, by far, worse off if you miss your launch date because of something unexpected, trust me. Keep in mind that even a small security fail might result in an extra month of development time. That’s like two sprints in a project that lasted a year or two. You see, a month is NOTHING, not even noteworthy for a developer, really. Just think about how much money you can save on salary because you planned for automated testing in the first place and you do stay on track because of that. You have total transparency over your progress and costs… you’ll see, you can afford Application Security Monitoring quite easily. And you should.
Q: If you integrate Application Security Monitoring into your process from the start, doesn’t it take you longer to have your product ready to market?
Boldrino: Quite the contrary! Yes, initially you do spend more time on concept, requirements engineering and, in our case, implementation of a new process. But (and I’d like to stress the importance of this) your MVP is functional, secure AND ready for beta customers, which is incredibly helpful. You get feedback so early in the process that you can still polish those things for the next version. Meanwhile, your customers and potential investors get to see something real. Something that works. Something they want to buy. And who doesn’t want that?
Q: Would you recommend Application Security Monitoring to other companies?
Boldrino: A definite yes. Although, now that I think of it, I guess we would be better off if our competition doesn’t integrate it (laughs). But seriously, there is so much to learn. Your work gets more efficient and less stressful, you have more time to focus on your core tasks and don’t have to worry about anything GDPR-related. Also, you are building up expertise within your team. Once you have those security guidelines in place, you can re-use them for the next project. Priceless, if you ask me.
Q: Would you team up with SEC Consult for a future project, even though you’ve already learned everything there is to know about how to do it “right”?
Boldrino: Without a doubt. Sure, we might be able to do well on our own the next time but there are three things to keep in mind:
- First, you can’t keep up with all the vulnerabilities that spring up like mushrooms every day. Unless you have a team of in-house experts to do that, of course. We don’t. ITdesign is specialised in software development, not application security.
- Second, if you team up with a well-known company like SEC Consult, your own equity and expert status rise as well. You can show off that you invest in security. You know how it’s done. You show strength by partnering up with the best of the best. And that is something customers love. It is kind of a unique selling proposition, actually.
- Last, but not least, by staying on top of new developments, you are more likely to adapt to changes and try out new things. You can do that because you have an expert on your side, all the way. You don’t have to worry about being overtaken by technology itself. And being an early bird in software development is a clear competitive advantage.
Q: Thank you for your time.
Boldrino: Thank you for the opportunity!
More about Application Security Monitoring by SEC Consult
New methods of attack are evolving. Cybercriminals get more creative every day. The necessary application protection has to be flexible and keep up the pace, and that exceeds a classic security audit by far. Our Application Security Monitoring (AppSecMon) provides a constantly updated risk assessment adapted to the current threat landscape. You’ll obtain the necessary tools for active and ongoing monitoring of applications as well as the associated infrastructure to address security gaps.
Ready to step up the game? Get in touch.