A Look at Modern Software Engineering Through the Prism of Security

Adopting a security mindset throughout the software development life cycle is imperative for maintaining a strong security posture of the organization.

David Balaban

August 2, 2024


When you think about all the software you use in your daily work or even in your private life, you will soon realize how complex a system it actually is. This complexity inevitably brings in potential security issues and vulnerabilities, and while there is never only one weak link in the chain, it is often the job of the software engineering team to make sure that both the software and hardware used remain safe.

In this article, I take a closer look at how software development affects the security of organizational resources in today's landscape. Modern approaches have changed the ways we think about our security posture, as things such as the increased popularity of remote work have moved the goalposts from securing assets within a physical location to securing data and assets globally with the potential of them being accessed from anywhere at any time.

Zero Trust and Rethinking Boundaries

In the past, organizations approached their network security with the mentality of "if it's in, it's secure," but this has proven to be a faulty notion. Applying things like network access controls can definitely help mitigate potential issues on-premises, yet it still raises one question: why inherently trust anything in the first place? This is where the concept of zero trust comes in.

With zero trust, we treat every entity, user and device alike, as potentially untrusted until we can verify it and grant it any scope of access. This approach is especially beneficial when considering the modern way of working, where accessing resources remotely is gaining extra momentum day by day. The potential attack vectors opened by allowing remote users and remote devices to access organizations' networks must be mitigated to the best of our abilities, and zero trust is an imperative building block of such a paradigm.

However, zero trust is not just a matter of network security; it blends in with software engineering as well, as organizations need to make sure that their software supports zero trust approaches from the get-go. In many cases, this can require a total mindset shift as well as a reconfiguration or even a rebuild of the systems used within the organization, making sure that secure by design is a core value of the whole development process.

Access Management with IAM and PAM

Nowadays, we no longer expect any piece of software to be a self-contained, simple application but rather a part of a far more complex suite of software. With the increasing demand for access and applications to venture outside of a single computer and user space, we need to take good care to make sure that all systems stay as secure as possible.

Consider a note-taking application from ages ago: you had a little text box you wrote things into and then saved the text file. Today, we want to be able to share these files with our colleagues using cloud services like Google Drive or Microsoft OneDrive; we want to be able to access our notes on mobile devices; and we want increased storage redundancy by using network file shares. All these required features demand that the software engineers focus not only on the actual feature set but also on making it tamper-proof with relevant access management controls.

Identity and Access Management (IAM) handles access to resources such as devices, applications, and network files. This supervision takes place on an individual user level. Privileged Access Management (PAM) grants privileged users the ability to make changes to these networks, devices, or applications. These are great tools for verifying, limiting, and restricting access, but they need to be built into software for us to make the most of their capabilities.

Chaos Engineering and Resiliency

While chaos engineering, or intentionally injected failure testing for system resilience, is often viewed more through the lens of site reliability, it is good to note that all of these aspects come down to software development. When the failure is injected into the system, be it on a hardware or software level, the onus is on the software to make sure the correct failure management procedures are followed.

Traditional testing, be it towards functionality or security, is, of course, necessary during software development. However, it is chaos engineering that is used to throw the proverbial wrench into the system to really ascertain that everything doesn't break down when something unexpected happens. The main goal of this sort of testing is to find gaps in the failure process, which might lead to undesired outcomes. A piece of software or a system crashing or locking up might not in and of itself cause a major problem, but the potential for fallout in a complex chain of systems could end up doing that.

Factors like resource exhaustion, data leakage, and faulty error handling caused by a part of the system failing are concerns that need to be addressed by the software engineering team, making sure that when the unexpected happens, it will not cause a breach within the network or devices connected to it. This all ties together with the resilience of the system, but at the end of the day, it is the software engineering team that has the responsibility to make it all work well together.
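The faulty error handling concern above can be tested with a small fault-injection experiment. The following is an added example, not code from the article: it injects outages into a constructed policy backend and counts how many unauthorized requests get through when the authorization wrapper fails open versus fails closed. All class, function, user and permission names are hypothetical.

```python
import random

class PolicyServiceDown(Exception):
    """Raised when the (hypothetical) policy backend cannot be reached."""

class PolicyService:
    """Constructed stand-in for an IAM policy backend."""
    GRANTS = {("alice", "notes:read"), ("alice", "notes:write"), ("bob", "notes:read")}

    def __init__(self, failure_rate=0.0, rng=None):
        self.failure_rate = failure_rate
        self.rng = rng or random.Random(0)

    def is_allowed(self, user, action):
        # Chaos hook: a configurable share of lookups fails outright.
        if self.rng.random() < self.failure_rate:
            raise PolicyServiceDown("injected fault")
        return (user, action) in self.GRANTS

def authorize_fail_open(svc, user, action):
    """Faulty error handling: an outage is silently treated as 'allow'."""
    try:
        return svc.is_allowed(user, action)
    except PolicyServiceDown:
        return True

def authorize_fail_closed(svc, user, action):
    """Hardened: no verified decision means no access."""
    try:
        return svc.is_allowed(user, action)
    except PolicyServiceDown:
        return False

def chaos_experiment(authorize, failure_rate, trials=1000, seed=1):
    """Return how many unauthorized requests were let through under faults."""
    svc = PolicyService(failure_rate, random.Random(seed))
    denied_requests = [("bob", "notes:write"), ("carol", "notes:read")]  # constructed, never granted
    leaks = 0
    for i in range(trials):
        user, action = denied_requests[i % len(denied_requests)]
        if authorize(svc, user, action):
            leaks += 1
    return leaks

if __name__ == "__main__":
    for fn in (authorize_fail_open, authorize_fail_closed):
        print(fn.__name__, "leaks:", chaos_experiment(fn, failure_rate=0.3))
```

With no faults injected both wrappers behave identically, which is why ordinary functional tests do not reveal the fail-open path; the difference only appears once the dependency is made to fail.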

Endnote

Organizational security is not just the task of one single department but rather a collaborative effort between everyone. Software development is something that touches all aspects of the system, from desktop applications to even hardware-level implementations, so adopting a security mindset throughout the software development life cycle is imperative for maintaining a strong security posture of the organization.

Security is a very complex and nuanced matter, and there is no universal solution to achieve a decent level of it. The factors outlined above play a crucial role in modern software engineering from a security perspective, and can shed some light on the ever-increasing complexity of the software and hardware systems within our organizations, along with highlighting the importance of a well-planned approach to make sure that the organization, its assets, and users stay safe for the long run.

About the Author

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
