Securing developments in the cloud begins with being aware of the risks

When most of us think of software we tend to think of applications available to download or software-as-a-service (SaaS) offerings from major players like Microsoft and Google. But while these companies develop software running on millions of computers, neither they nor the giants of enterprise software represent the majority of code out there.

The software industry is massive, with over 26 million working software developers worldwide, and the majority of them are working on custom applications that are developed for internal purposes.

This is no surprise. Countless surveys have found businesses prefer to use custom software tailored to their needs rather than fit their processes around generic applications. Market research conducted by Grand View Research found that the custom software market was worth $29.29 billion (approx. €27 billion) in 2022, and was expected to expand at a compound annual growth rate (CAGR) of 22.4 per cent from 2023 to 2030.

Given the wealth of software out there, the question does arise: is it secure? The answer is a resounding maybe.

James McElhinney, security, risk and compliance officer at developer TEKenable, said that application security cannot be an afterthought. Instead, it is something that must be designed into software, from the get go.

“As an organisation, we are ISO 27001-certified, with a mature ISMS [Information Security Management System], and part of maintaining that is a process of continual improvement and ongoing risk assessment,” he said.

Part of achieving this is to engage with users to ensure they are aware of the risks as users are often the weak link in the chain. However, in order to get certified, TEKenable had to go much further, taking a 360-degree view of their SDLC [Software Development Life Cycle] from initial design to where and how it is deployed, starting with governance mitigations and running through to continual checking of code, and state of the art technical controls.

“If we take on a job to develop software then that extends out into our clients. I attend key projects and customer meetings,” he said.

Risk is never going to be zero. that’s just the world we live in, but we want to reduce it right down

TEKenable’s custom applications go through exactly the same testing processes as off-the-shelf software. Indeed, the testing is actually more stringent.

“You need a very close look first at the requirements and design: what is it doing, where and what is it storing, what is its purpose, what is each and every function in fact, and what are the risks? What vulnerabilities can arise from that? Who will have access? All-in-all, it goes through a very strict risk based SDLC, particularly if it is built from scratch,” said McElhinney.

“Then there are technical controls: to start with, we have automated code scanning in our IDEs [integrated development environments] giving automated feedback, something that is now enhanced with AI [artificial intelligence]. Code then has to be signed off by a senior developer, and Dynamic Application Security Testing [DAST]” he said.

Today, most applications are developed for deployment on cloud platforms such as Azure. This does not lessen the need for security by design, McElhinney said, but it does offer some extra protection.

Firstly, cloud users are standing on the shoulders of giants such as Microsoft, Amazon and other platform providers and although this does not absolve users of responsibility for security, it does give them a solid foundation – something that cannot be said for many on-premise systems.

Cloud also allows for continuous updates, so security patches do not need to be manually rolled-out.

Nevertheless, code deployed in the cloud is still running on a computer. As a result, before finally pressing the button to go live, TEKenable performs another series of tests, including re-checking it by hand as well as vulnerability scanning and cross-referencing any dependencies.

“You get to the end, having performed all these tests, including at the QA [quality assurance] stage, where it is critical to test again and verify the right processes and controls are in place and produce evidence that you have modelled every way you can conceive it as being attacked,” he said.

Risk cannot be eliminated but the goal is to reduce it to the minimum and then continue to assess and reduce as time goes on.

“It's never going to be zero. that's just the world we live in, but we want to reduce it right down,” McElhinney said.