Cybersecurity in software architecture (Interview to Ignacio Íñigo)

Today more and more companies need to develop their software, either because it is part of the products they offer or simply because they require custom development to improve their administrative processes.

Now, when we decide to develop software we keep in mind that we might be handeling a large amount of data that can be susceptible to attacks and that we must take care of from the beginning of development.

In this way, when software is modeled, it should not be, done from the point of view of functionalities. All security needs must be taken into account and this must be foreseen and included in the early stages of the project life cycle.

According to our cybersecurity specialist, Ignacio Íñigo: “Just as in use case modelling we have test cases, in threat modelling,  a case of attack or specific threat can be tested, anticipating this type of situations and therefore making our software more secure against them”. It also explains that from a budgetary point of view it is very important to consider security from the early stages of development, since it is easier and more feasible to work on possible threats, than to have to redo the code to correct these failures later.

Types of tests that can determine the security of the software

There are two types of tests, traditional code tests, and penetration tests. It is very important to have both of them, since they allow us to make sure that our software does exclusively what it was created for, and does not have unexpected behavior.

As for traditional software tests, they are divided into two categories that we will explain below:

Static or code analysis tests: these are tests in which a review of the code itself is carried out, either manually or automatically where errors or bad practices, unsafe functions or outdated software packages and libraries, among other variables.

Dynamic tests: these are tests that are performed directly on a runtime environment. This type of dynamic tests can be synthetic, in which transactions are carried out imitating what a user would do and evaluating the behavior of the system under normal circumstances; or we can do fuzzing, in which a series of invalid input, normally randomly generated, is sent to the system in an attempt to break it  and get some kind of malfunction.

Additionally, Ignacio comments that interface or API testing can also be done to test the communication between the different components of a certain application Also, there is tests graphical user interface testing, and even, in applications that manipulate machinery, logic controllers, phisical sensors etc, physical interface testing is also carried out.

It is also important to evaluate testing through a test coverage analysis, with which it is possible to evaluate what percentage of the total functionality of an application is being covered with the tests. This way you can have a more precise idea of ​​the effectiveness of the tests.

Once we have already developed a large part of our system or application, the correct thing to do is to perform pentest or penetration tests and these must be carried out by an external team. This type of test is normally divided into 5 phases that involve recognition followed by a scanning phase, and an analysis of vulnerabilities, to move to a phase of exploitation of those vulnerabilities, and finally, issue a report that is delivered to the client to notify vulnerabilities found in the system.

According to Ignacio, there are many types of tools to run the penetration testing. We have network scanners, network vulnerability scanners and web vulnerability scanners.

On the other hand, Ignacio explains that in short, specific distributions such as Kali Linux include many tools that you can use including not only the aforementioned scanners but also that can help you perform brute force attacks or to automate other tasks for the exploitation phase.

In addition, he explains that there are non-profit organizations such as OWASP that manages an open-source project dedicated to determining and combating the causes that make software unsafe, that are a “good free source” to obtain tools and information in general for web security for all companies and enterprises.

How can we manage change in the right way?

It is normal for a company to have to leave behind some systems that have become obsolete or that simply no longer adapt to the requirements of an organization. But when these system changes must be implemented it is important to make sure that we make backups so do not lose any vital information for the company in case anything goes wrong.

Ignacio assures that these types of processes are very important if a failure occurs during the implementation of a change. We can always return to the previous safe as little as possible the operation of the company.

The same happens in software development. It is advisable to back up your system before uploading any changes to production since if any functionality problem occurs, we can always roll back to a previous state without losing information or affecting other integrations.

As we can see, from the point of view of software development, the topic of cybersecurity is very broad and is present every step of the way, to make sure that our company information is safe and also to protect our clients’ privacy, It is very important to take these recommendations into account and work on security from the beginning, detecting vulnerabilities soon and fixing them to provide robust systems.