Security Within Your Development, Staging, and Production Environments

When information security, data security, and cybersecurity measures aren’t followed in development, staging, and production environments, the consequences can be detrimental. We’ve seen that time and time again. Last year, a bug bounty discovered a data breach at Imperva – a leading provider of firewall services. How did it happen? An unauthorized user stole an administrative API key from a production AWS account. What was the mistake behind Uber’s 2016 data breach? Developers published code that led to hackers gaining access to developers’ privileged accounts and to Uber’s servers.

Are your developers following the security standards you’ve put into place? Are you aware of the security concerns with DevOps? Let’s discuss how to securely manage multiple environments, from development to deployment.

Development, Staging, and Production Environments

A typical development workflow has three environments: development, staging, and production. Some developers don’t view staging as an environment, but we included it here to give you a full scope of the process.

Development Environment

A development environment is on your computer. It’s the environment where you’ll conduct all your code development without touching with the actual data. In development, you can test upgrades, new features, and improvements without impacting the customer’s view. You may find bugs along the way, but that’s what this environment is meant to discover.

Ideally, the development environment is similar to the production environment, with the same operating system, tools, software libraries, and a copy of the product data. Developers will often use virtual machines or container systems like Docker to mimic the production environment, ensuring that code that works in development will also work in production. 

Typical use-cases for a development environment include:

  • Building new features, extending existing features, and code refactoring.
  • Running integration tests. 
  • Debugging.

There are few restrictions on what developers can do in their development environment, and they are free to experiment with code until they are happy with it, at which point they will push it to the staging environment.

Staging Environment

The staging environment is a production-like environment to see how your code will perform. This is the final testing ground before the code is pushed into production. Staging environments are often used for:

  • Quality assurance and performance testing.
  • Vulnerability testing and risk analysis.  
  • Integration testing, to ensure that the code integrates well with services and databases the app depends on. 

Staging environments also give other developers, project managers, and clients an opportunity to examine software before it goes live. 

Because extensive testing takes place in the staging environment, it’s important that it is as similar to production as possible, including both the software and hardware. While it’s fine to host a development environment on a laptop, the staging environment should be on a server with the same hardware it will run on in production. 

Production Environment

In a production environment, systems go live and your developed code is released to end-users. You deploy completed code that has endured proper vulnerability testing and risk analysis. All of the testing is complete and there’s the expectation that you’ll find only minor bugs, if any. Once it’s released, you’re relying on it as a profit source, so you want to make sure it’s secure

In theory, major bugs and software vulnerabilities should have been discovered before the code goes to production, but that’s rarely the case for complex software systems. It is likely that at least some bugs made it through testing, so organizations must design and  implement network and data security systems that assume the existence of vulnerabilities. 

Importance of Security Throughout Dev, Staging, and Production

With multiple environments comes the difficulty of securely managing them. Best practice is to separate your development, staging, and production environments. This allows each to evolve at its own pace – maybe the development environment is testing out features that won’t be available in production for at least a year – and reduces the risk of cross contamination. Any bugs discovered in staging, for example, will be contained within that environment and not spread any further. Most importantly, keeping your development, staging, and production environment separate will help protect data.

In audits or penetration testing, we see many organizations failing to test their test all of their environments, but there could be a vulnerability in the test environment that compromises the production environment. It’s problematic to avoid testing all environments.

Security Concerns in DevOps

For organizations that use the DevOps approach, security is an even greater concern. It’s face-based, there’s more overlap, there’s automation – there are many reasons to implement and verify security processes in DevOps.

To preserve high-level compliance practices within your development, staging, and production environments, you can implement configuration management techniques, monitoring and logging processes, and even integrate infrastructure as code or policy as code. You can set yourself up for success by performing regular code review during the development process, making changes proactively to all environments, confirming that you have limited access to the proper channels, or even engage in continuous penetration testing to ensure no vulnerability is overlooked. These practices will ensure you’re doing your due diligence to securely manage your various environments.

If you’re interested in advanced penetration testing services that will locate your vulnerabilities and help you avoid harmful gaps in your code, KirkpatrickPrice can help! Contact us to learn more.

More DevOps Security Resources

Think Like a Hacker: How Could Your Mobile Apps Be Compromised?

Best Practices for Configuring Your AWS Perimeter

PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes

Encrypted Backups: What They Are and How to Use Them

Today’s cyber landscape is riddled with advancing threats. From simple phishing attacks to intricate DoS attacks, businesses must ensure that the data they collect, use, store, and transmit is properly and thoroughly secured. After all, the data that companies hold is one of their greatest asset, so being aware of the consequences associated with losing that data is essential. For this reason, we believe that it’s imperative that organizations encrypt their backups. So, what are encrypted backups? What do you need to know about how to encrypt backups? Let’s discuss.

What is an Encrypted Backup?

To put it simply, an encrypted backup is an extra security measure that is used by entities to protect their data in the event that it is stolen, misplaced, or compromised in some way. Often times, however, many businesses confuse encryption with hashing. Let’s be clear: they are not the same.

Hashing vs. Encryption

The main difference between hashing and encryption is that a hash is not reversible. You cannot take a hash value and derive the original source. In fact, a hash acts somewhat as a fingerpoint, and it’s known to attack (i.e. collisions or rainbow tables). On the other hand, encryption is reversible. It can take the ciphertext and derive the original source if the decryption keys are known.

How to Encrypt Backups

There are various ways to create encrypted backups. If you’re stuck on determining how to encrypt backups, you can start by determining which method is best for your organization by considering factors such as types of data stored, environment types (cloud, hybrid, physical), personnel and technical experience, industry, applicable framework requirements, and more. The most common types of encryption are symmetric and asymmetric.

Common Types of Encryption

  • Symmetric Encryption: Symmetric key algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.
  • Asymmetric Encryption: Asymmetric encryption is a form of encryption where keys become come in pairs. Frequently, but not necessarily, the keys are interchangeable, in the sense that Key A encrypts a message, then Key B can decrypt it and vice versa. With asymmetric encryption, both the private and public keys make up the key pair, and both are required to encrypt and decrypt the data.

Framework and Legal Requirements for Encryption

While this list is not exhaustive, some of the most common framework and legal requirements for encryption include the following:

  • PCI DSS: Requirement 3.4 says, “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), strong cryptography with associated key-management processes and procedures.”
  • HIPAA: According to the HIPAA Security Rule technical safeguards, 45 CFR § 164.312(a)(2)(iv) includes an addressable requirement that covered entities and their business associates, “Implement a mechanism to encrypt and decrypt electronic protected health information.” While this requirement is nebulous, you can learn more about the requirements here.
  • GDPR: Article 32(1)(a) states, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.”

Benefits of Encrypted Backups

It’s no secret that data is a highly sought-after asset, and malicious hackers and organizations will stop at nothing to get their hands on your organization’s data. However, internal threats are equally as important to consider. But, if you’re proactive and implement robust encryption practices to protect your backups and data, you can reap many rewards. For example, in IBM’s 2019 Cost of a Data Breach Report it’s explained that “extensive use of encryption, data loss prevention, threat intelligence sharing and integrating security in the software development process (DevSecOps) were all associated with lower-than-average data breach costs. Among these, encryption had the greatest impact, reducing breach costs by an average of $360,000.” Aside from lowering the potential cost of a data breach, encrypted backups can protect your organizations assets, position you organization as a trustworthy and reliable organization, and provide your customers with the peace of mind they deserve.

Still questioning what an encrypted backup is? Need more information on how to encrypt backups? Contact us to talk to one of our Information Security Specialists today, and let KirkpatrickPrice be your expert partner as you navigate how to ensure the security of your data through encrypted backups.

More Information Security Resources

How to Scale Your Information Security Program as You Grow

Is Endpoint Protection a Comprehensive Security Solution?

Are Your Remote Employees Working Securely?

What is a Secure Software Development Life Cycle

Have you ever worked on a project without a clear direction or guidelines? It can be stressful and pointlessly chaotic. Without structure and task lists, what could have been a basic project turns into a mess of miscommunication. The same principle applies to software development management.

In an age when software development is a core function of most organizations, specific and detailed processes need to be in place to ensure information systems are well developed. What is a secure software development life cycle (SDLC)? What should you include in your SDLC? Let’s talk through these software development life cycle basics.

What is a Software Development Life Cycle (SDLC)?

A software development life cycle (SDLC) is a framework that helps define tasks and work phases that are used by system engineers and developers to plan, design, build, test, and deliver information systems.

Why is software development management important to your organization?

It’s about maintaining a secure environment that supports your business needs. It’s made up of policies, procedures, and standards that guide your organization’s secure software development processes.

What Are Some Secure Software Development Models?

There are many software development models that can be implemented in your organization. These methodologies include:

  • Waterfall
  • Agile
  • Lean Software Development
  • DevOps
  • Iterative Development
  • Spiral Development
  • V-Model Development

Waterfall

The waterfall is a sequential linear approach to development. A development project passes through clearly defined phases, each of which produces a deliverable that passes into the next phase. Phases include requirements, analysis, design, coding, testing, and operations. 

Agile

Agile development is an iterative and incremental approach to development. In contrast to the waterfall method, the process is broken into short sprints that combine aspects of all development phases. After each sprint, the stakeholders assess progress and set goals for the next. 

Lean Software Development

Lean Software Development attempts to reduce waste by eliminating activities that don’t provide direct value to the customer, including repeated work, ineffective communication, and some management activity.

DevOps

DevOps combines the roles of software development and IT operations with the goal of accelerating the software development lifecycle. It is closely related to both agile and iterative development and is facilitated by cloud technologies and continuous integration and deployment software.

Iterative Development

Iterative Development uses short, repeated cycles to move from a minimal software solution to a complete product. Agile is an iterative development process.

Spiral Development

Spiral Development combines elements of iterative software development and the Waterfall model, focusing on risk reduction.

V-Model Development

V-Model Development is a modification of the Waterfall method that adds testing to each phase of the software development lifecycle.

SDLC Best Practices: The 5 Phases of a Secure Software Development Life Cycle

For whichever software development methodology your organization implements, you’ll find a common structure between the various models. These five phases of a software development life cycle can be identified in each methodology:

  1. Planning – Start your secure software development by mapping out a timeline, requirements, and any preliminary details necessary.
  2. Analysis – The organization defines objectives, project goals, and the functions and operations of the application.
  3. Design – Detailed screen layouts, business rules, process diagrams, pseudocode, and other documentation is laid out. Development begins and secure code is written.
  4. Implementation – Testing and integration bring all the pieces together in an environment that checks for errors, bugs, vulnerabilities, gaps, and interoperability.
  5. Maintenance – Once your software is developed, maintaining updates, performance evaluations, and making any changes to the initial software are key maintenance procedures.

How Will Software Development Management Make You More Secure?

The process of developing and building secure software can help your development team understand common security pitfalls to avoid. In the complex world of software development, it’s easy to miss issues in your code when you aren’t implementing a detailed plan of action.

By using the right tools to aid in secure software development, you can cut down on costs, increase efficiency, and implement continuous testing to reduce risk. If information security is your priority, you need to ensure your software development life cycle is up to standards. To learn more about security testing and third-party penetration testing, contact KirkpatrickPrice today. Let’s make sure your security practices are working for you, not against you.

More Dev Compliance Resources

PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes

Compliance Is Never Enough: Secure Software Development

Think Like a Hacker: How Could Your Mobile Apps Be Compromised?

How Your Org Chart Can Reflect a Culture of Cybersecurity at Work

The Need for a Culture of Cybersecurity at Work

According to IBM Security’s 2019 Cost of a Data Breach report, “The average total cost of a data breach in the U.S. has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years.” What does this mean for organizations looking to prevent data breaches and security incidents? It means that in order for organizations to adequately prepare to deal with today’s cyber risks, avoid costly fines and penalties for non-compliance, and give clients the peace of mind they deserve, their corporate structure should reinforce a culture of compliance – one that is strongly embedded into the organization, clearly visible in the company’s org chart, and focused on cybersecurity.

Cybersecurity is a Company-Wide Effort

Establishing a culture of cybersecurity at work is no longer just a best practice – it’s absolutely necessary. But for many organizations, initiatives that emphasize both cybersecurity and compliance haven’t been a major focal point for departments outside of IT. Because IT has traditionally been the sole bearer of cybersecurity and compliance initiatives, cybersecurity and compliance best practices are only seen as a small component of the business strategy instead of being a strategic initiative in itself. In order to make this happen, a culture of cybersecurity should be embedded into every aspect of your organization – even in your org chart. While it will depend on factors like your organization’s size, industry, budget, or personnel experience, there are typically three ways to emphasize cybersecurity through your org chart: top-down, bottom-up, and network. Whichever way you structure it, there needs to be clear lines of communication between personnel vertically and horizontally.

3 Ways an Org Chart Reinforces Cybersecurity

Top-Down Org Chart

Perhaps the most common org chart is the top-down structure; it starts with the Board of Directors and ends with entry- or low-level employees. In order to emphasize a culture of cybersecurity at work in this org chart model, the Board of Directors needs to set the tone for compliance initiatives. This means that in the company’s business strategy, cybersecurity and compliance will be strategic initiatives and not merely a responsibility that IT reports on. A basic rendering of a top-down org chart might look something like this:

Top-Down Org Chart

Bottom-Up Org Chart

Opposite to the top-down org chart model, bottom-up org charts are less common but empower lower-level employees to take part of the culture of cybersecurity at work. In these models, low-level employees often feel like they have a greater role in creating and maintaining a culture that focuses on cybersecurity and compliance because they understand that their day-to-day tasks play a key role in the company’s overall business strategy. This org chart also opens up more lines of communication between upper management and lower-level employees, as employees are likely to feel more empowered to identify and report on issues when they know that their bosses will listen to their concerns and make corrective actions when necessary. A bottom-up org chart typically looks like an inverted pyramid, like the following:

Network Org Chart

More and more businesses are relying on third-parties to supply information security services for their organization, especially those companies who don’t have the time, budget, or personnel resources to meet their growing cybersecurity needs. But when major components of the business are outsourced, maintaining a culture of cybersecurity and compliance becomes more difficult. By developing a network org chart, businesses can clearly see where they’ve outsourced components of the business, where they’re located, who is responsible for overseeing those vendors and their compliance efforts – all while showing where in-house departments are, who oversees them, and what tasks they’re responsible for. A network org chart might look something like this:

 

Regardless of the org chart model your business uses, ensuring that every employee knows who they need to be communicating with is essential, especially in regard to a culture of cybersecurity at work. If you’re looking to revise your company’s org chart, let’s chat so you can find out how KirkpatrickPrice can help!

More Cybersecurity Resources

How to Lead a Cybersecurity Initiative

Auditor Insights: Compliance from the Start

Fact or Fiction: Everything You Need to Know About Leading Compliance Initiatives

How to Build an IT Asset Management Plan

How you can best manage your data and assets in a time where information security threats are everywhere? What is asset management and where do you start with it? Let’s start with a basic definition. Asset management is properly defining and categorizing an organization’s assets. A well-developed asset management plan can help you make strategic moves to increase your organizational security. With any plan for IT asset management in place, you should have established processes for receiving and transferring assets, migrating virtual systems, detecting and responding to incidents, continuous monitoring, and applying patches and updates to address vulnerabilities.

How Can You Benefit from an IT Asset Management Plan?

NIST Special Publication 1800-5 on IT asset management explains the benefits of a thorough asset management plan in six parts:

  1. Proper asset management increases the ability for your organization to respond to security alerts quickly as the location, configuration, and owner of various devices can be accessed quickly.
  2. Your organization can turn its focus to the most valuable assets and therefore increase cybersecurity resilience.
  3. When you conduct an audit, auditors will have detailed information about your systems because of well-managed assets.
  4. It helps to better define your budget as you can determine which software license are actually utilized and which you pay for, but do not use.
  5. Your employees will be able to use your asset management plan to know what is installed and any alerts or errors that might come up, so that you can minimize help desk response times.
  6. Any patching that needs to be done on your software can be done correctly and reduce attack surfaces of devices with a well-developed IT asset management structure.

These benefits arise from a well-developed asset management plan that follows guidelines set up by publications such as NIST. When you face the difficulty of IT asset management, you might find yourself looking for guidance on how to responsibly track the status and configurations of your assets. That’s why we, at KirkpatrickPrice, have developed an outline of an asset management plan to get you started.

 

 

Risk-Based Approach to an Asset Management Plan

While your customized asset management plan will be tailored to your organization’s security needs, this tool can be helpful in giving you a path towards security compliance. Organizing and maintaining an asset inventory works as a foundation for a through information security program. You can organize your asset inventory in many different ways: individually, systematically, or through portfolios. Every organization will define their assets according to their needs, but it is recommended that the selection process be based upon risk. At what risk level is each asset? By classifying and analyzing assets according to what critical risk stage they’re in, you can help measure the effectiveness of your security strategies.

If you’re serious about implementing information security practices, you need to be mindful of the importance of proper asset management. Don’t let undetected vulnerabilities and mismanaged risks be the problems that plague your information security plan. Instead, use asset management tools and perform regular penetration testing to protect your valuable assets. Contact KirkpatrickPrice today to learn how we can help you achieve your information security goals!

More Resources

How Can Penetration Testing Protect Your Assets?

Why Bother With An Information Security Program?

What Should You Really Be Penetration Testing?