No matter what is the size of your website, your project is handling sensitive information or it’s just a feedback form, Cyber Security matters for all.
You are a novice or an expert, a developer, QA, or a solution architect, in your team. A team should have basic knowledge of cyber security.
In the project life cycle, security risks must be evaluated and decided by the solution architect or project lead before the start of the project. This can vary depending on the infrastructure, where the application will be running. We can divide security into different levels that require consideration.
Application Security
Hosting, gateway & network Protection
Voice, Access Security & Security Management.
Application security comes from the delivery team that is developing the API/website. How sensitive and serious is your team about security depends on the culture of the team. Some teams have a specific role for security experts within the team or a different department, but security starts from the developer. Security is not something that comes later after the site is ready for release or has been released. The team should take security into account right from their planning. In Agile methodology, the developer’s focus remains on solving the problem at hand and meeting the acceptance criteria of the story, and as a result, security aspects are easily ignored if those are not part of A/C.
We have different roles within a team. A developer develops something, but a member of QA can still find the bugs. It is because they are looking at the problem from a different perspective. The same goes for hackers they look at our applications with a different perspective and if someone is not looking within the same perspective as the hackers do, then the developer’s code becomes vulnerable. Developers must be aware of possible vulnerabilities and threats. OWASP helps and has provided a lot of material for possible vulnerabilities.
“Every developer in the team should have knowledge of at least OWASP Top 10 vulnerabilities and how those can be prevented.”
No one expects that everyone in the team is a security expert but stories that require serious security considerations should be reviewed by some senior wearing security expert hat.
CWE provides the list of the top 25 software weaknesses that can be considered also during the review. It will be ideal if the team is familiar with “Top 25 Most Dangerous Software Weaknesses”.
The team needs to familiarize also with GDPR, related aspects, those will also require consideration during planning.
Dynamic Application Security Testing (DAST) tools are available that can be integrated into the CI/CD pipeline to audit code on a regular basis.
Just with small extra care and attitude, we can build more secure applications. Here is a security checklist for your EPiServer website.