Earlier this year, eleven global organizations, like the Australian Government and the National Security Agency in the US, joined forces to develop a software security handbook in partnership with CISA. If this doesn’t tell you enough about the urgency of security in software development, what does?
According to Gartner's estimates, by 2027, half of the large enterprise CISOs will have embraced human-centric security design practices. However, waiting until 2027 may prove to be four years too late. The escalating frequency and cost of cyber-attacks, which are spreading rapidly, highlight the urgent need for every company to establish a security posture to withstand the current threats. Failing to do so can result in severe financial repercussions and jeopardize the survival of businesses.
Introducing the concept of the Minimum Viable Secure Product (MVSP), a strategy focused on developing a product with essential security features to safeguard its data and resources. This article delves into the advantages of MVSP and the hurdles faced while constructing one and offers practical tips to overcome them.
You might be familiar with a Minimum Viable Product (MVP) - a product with essential features to test the market. Similarly, the Minimum Viable Secure Product incorporates fundamental security measures to safeguard infrastructure and data and comply with regulations.
In 2021, Google introduced its own MVSP checklist, setting a foundational security standard for developers. This ensures that the ecosystem's products, codes, and libraries adhere to essential security practices. The checklist is a reliable starting point for developers, even without extensive security expertise. Minimum Viable Security entails beginning with simple security measures and gradually enhancing complexity, just as one would approach any other product feature.
While Google's MVSP checklist may not be a perfect fit for every product, it offers a generalized approach that suits most B2B software. The checklist comprises four essential security controls:
Items include annual security testing for your product, compliance with relevant security standards such as ISO27001 and SSAE 18, and essential data protection such as the GDPR, PII and HIPAA protection, and NIST SP 800-88. Although the list may primarily focus on the US audience of software producers, the underlying principles apply regardless of your business's location or client base.
This list of rules applies to the design stage of your application. It includes patching any known issues with a severity of medium or higher, keeping meticulous logs, protecting sensitive data in transit and rest using encryption, having a password policy in place and striving to apply a single sign-on, and using HTTPS to access your application.
This list pertains to the ongoing life of the application, addressing considerations for each sprint. It encompasses tasks like maintaining an up-to-date data flow diagram, prioritizing the resolution of application vulnerabilities within 90 days, ensuring a fully scripted build with a generated provenance (SLSA level 1), and proactively addressing well-known application vulnerabilities to prevent potential exploits. Adhering to these practices will help ensure your application's continuous security and robustness throughout its development lifecycle.
These controls focus on IT and operational security concerns for your application. They include all the basics of Cloud Identity Management, such as securing physical and logical access to your servers (or any other vital facilities), being transparent about third-party contractors using your data/API, and having a clear backup and recovery plan in case of disaster.
Comprehensive SDLC (Software Development Life Cycle) security is crucial in today's threat environment. Like seeking a security expert's audit after completing your app or conducting penetration testing without considering security from the outset, neglecting security until your software is operational would be akin to closing the barn doors after the horses have escaped.
The CISA guide and the NIST 800-218 (SSDF) that preceded it make security one of the (if not THE) primary considerations when planning and building your app. Security transparency also helps build customer trust, which has been wearing thin lately with each company hiding information or misleading the public about significant security breaches they have suffered.
If the information we've shared has piqued your interest and you are contemplating adopting an MVSP framework for your application's development, that's fantastic! However, before you proceed, it's essential to be aware of potential challenges and how to address them:
To effectively implement a Minimum Viable Secure Product (MVSP), it is crucial to possess a basic understanding of the potential security pitfalls, attack surfaces, and security gaps that may exist within your application. Additionally, you must be able to assess the potential risks associated with each vulnerability and prioritize their resolution accordingly.
If you find yourself unsure of where to begin or lack a security expert on your team, seeking the assistance of a security specialist can be highly advantageous. They can help you categorize and address potential issues and fixes. While many security resources are available online, consulting with an expert during this critical stage is prudent rather than adopting an "it'll be fine" approach. Collaborating with a professional will enhance the security of your product and reduce the risk of overlooking important security considerations.
Balancing the urge to launch your product early to gain a competitive edge with the importance of security is critical. Rushing the development process can lead to severe issues, including costly refactoring and delays. By prioritizing safety from the outset, you can avoid misconfigurations that may expose vulnerabilities and potential security breaches down the line. Proper security measures ensure a more robust and secure product, safeguarding your market share and reputation in the long run.
To strike a balance between speed and security, consider adopting the approach of MVS plans-as-code. Incorporate the desired security features based on pre-made plans into your regular R&D sprints. Building security into your product from day zero enables faster feature sprints and adaptability. Jit's pre-made MVS for AppSec plan utilizes various security tools to streamline and expedite security implementation for your R&D team. This way, you can maintain a competitive edge while ensuring a secure and efficient product development process.
Setting up and integrating security tools into your development pipelines is a significant and ongoing task. The constant emergence of new threats requires regular reviews of your toolchain.
To optimize time and effort, the goal is to automate as much security work as possible by using code and managing it centrally within a framework with built-in security capabilities.
With Jit, you can achieve this streamlined approach. Jit combines a comprehensive array of security tools like KICS, Prowler, and npm-audit into a single platform, allowing you to work with them seamlessly using code within your GitHub development environment. Additionally, Jit offers risk prioritization, enriched findings, and real-time suggestions for remediations, empowering you to manage security tasks and bolster your application's protection efficiently.
Comprehensive logging is a crucial aspect of the MVSP. However, using multiple tools can lead to overwhelming scattered information, making it challenging to identify meaningful and actionable insights.
Jit solves this problem by consolidating all the tool's logs into a single location, simplifying navigation and comprehension. This centralized approach ensures that your records and provenance meet the requirements for various regulations. By establishing robust logging practices early on with Jit's assistance, you can effectively manage and access essential data, benefiting your product's security and regulatory compliance in the long run.
After implementing the security features as per your plan, assessing their effectiveness is essential. Traditional testing is crucial, including unit and security tests on specific features. However, to ensure continuous security validation, it's beneficial to incorporate security testing into your build pipeline. This way, every build, and new version undergoes security testing automatically.
Tools like Semgrep or Bandit, which Jit seamlessly integrates with, are valuable for running scanning tests. These tools help uncover vulnerabilities within your code before it reaches production. Using such solutions gives you a comprehensive and detailed insight into your code's health, going beyond the tests you can write and run manually. This approach enhances your ability to identify and address potential security issues, bolstering the overall security posture of your application.
Like the continuous nature of integration and delivery, security should also be an ongoing process. Continuous Security Monitoring (CSM) is a proactive approach that empowers organizations to detect and resolve security issues before they lead to any harm. By seamlessly integrating security tools and tests into their CI/CD pipeline, CSM enables swift and preemptive actions against potential threats.
The implementation of CSM can be simple. DevSecOps tools like Jit provide a user-friendly platform to integrate with diverse security tools and automate the monitoring process. This ensures complete visibility into each stage of the pipeline and offers detailed findings if any vulnerabilities are identified in real-time. With DevSecOps tools like Jit, organizations can maintain a vigilant and secure development process, safeguarding their applications and data from potential risks.
Many developers have a basic understanding of security issues but are far from security experts. The last thing you want is for a critical vulnerability to go unnoticed until your product reaches production.
To avoid such pitfalls, take a systematic and careful approach. Feel free to seek help from security experts when needed. Create a gradual implementation plan that builds on each step, ensuring a solid foundation. This slow and steady approach helps prevent burnout and allows developers to learn valuable security lessons.
By being cautious and methodical, you can enhance the security of your product and avoid potential risks that might have otherwise been overlooked. Prioritizing security throughout the development process and cultivating a security-aware culture within your team is essential. You can create a more robust and secure product for your users with the right approach and mindset.
At this point, you might be saying: “But I want more than the minimum! Why should I put in all this work to get the minimum result?”. However, starting with a Minimum Viable Secure Product (MVSP) is a practical and essential step. If you lack the resources or expertise for a comprehensive security audit and plan, a minimum plan still offers valuable protection.
Moreover, adopting the MVSP methodology lays the groundwork for enhancing security measures. It serves as a stepping stone for implementing more robust security checkups, testing, and features in the future. The critical components of the MVSP approach involve crafting a plan and executing it efficiently with the available resources and tools.
Jit can be your ally in building your MVS. It facilitates seamless integration with essential security tools, enabling efficient management and consolidation of their findings in a centralized location. By embracing the MVSP and utilizing Jit's capabilities, you establish a solid foundation for bolstering your product's security over time, contributing to a more robust and secure application. Get started for free.