Web Entrepreneurs: How can good cyber security make your cloud web app more valuable?

Features? Release dates? Development costs? Cyber security? It’s not a choice.

With modern cloud development, entrepreneurs can quickly launch and scale new, exciting apps into the wild, hoping to attract customers, investors and rapid growth - perhaps ultimately even an exit that makes their fortune. And good luck to all of them – I wish I were one!

In the excitement of seeing their idea appear and figuring out everything from what features it needs next, to how to market and sell it, how many actually consider putting cyber security at the heart of their development process? How many consider cyber security at all? How many believe that security comes from developing in the cloud and that they don’t have to worry? I won’t even go into WHY you should consider cyber security – that’s more than covered by the daily headlines in the press of data leaks and ransomware attacks.

Security is YOUR responsibility.

In our experience, security is often something that is begrudged as taking time and budget from development and customer experience. And if you believe your security comes from your cloud platform, I recommend that you read the ‘shared responsibility’ model that all the cloud providers use to limit their liability from security exposure. The scale of modern cloud platforms means that they can invest far more than any single developer in building the best security features into their platform - although it’s a shame that many of them are turned off by default. But the providers are only happy to take responsibility for security OF their cloud platform - you are clearly responsible for security of your applications and data IN the cloud – including secure backup.

Lack of cyber security can affect your wealth!

The lack of a good cyber security – one that protects your code as well as your customer’s data - can limit, or at least delay your growth and your chances of investment. In the B2B space especially, a well-informed customer will rightly have concerns about committing their critical data assets to your care. They may well question your security processes and practices. If you don’t have robust security policies of your own, they may insist on you following theirs – meaning that you have to react to a whole mix of disparate requirements from a range of customers. Or possibly worse, they may refuse to work with you entirely.

Today’s investors are much more security conscious and your approach to security and secure development will be a major consideration of the due diligence process. Investors are generally investing for growth and a rapid return on their investment. They are not interested in investing their money for you to do basic housekeeping and implement security policies and technology that should already exist.

Build on a foundation of security.

So, if you’re one of the many new entrepreneurs, what can you do? How do you start? What can you do if you didn’t think about cyber security before you released your application on the world?

• Do something now: don’t push cyber security to the back of the drawer and hope the criminals don’t come. You might never be actively targeted but there are now just too many automated malware and phishing bots sending out billions of attacks that it’s only a matter of time before you are affected. Don’t let your customers down by letting their data be held to ransom.

• Use a framework: There are several development frameworks that will give you a basis for secure development. We really like the OWASP (Open Web Application Security Project) Security Knowledge framework and OWASP provides a huge amount of useful guidance, expertise and training in developing for security. NIST (National Institute of Standards and Technology) introduced the secure software development framework (SSDF) and also have a wealth of recommendations for implementing security standards.
  
  OWASP Security Knowledge Framework
  OWASP Application Verification Security Standard
  NIST Secure Software Development Framework

• Appoint a security champion: preferably a respected member of your development team to lead the way in secure development of secure code. Have them be a second pair of eyes on all matters of security from policies and library usage to code repositories and management.

• Book a Penetration Test: a pen-test and vulnerability scan are the quickest and cheapest ways of establishing a baseline for your current security position and for prioritising what you need to improve. Don’t try to limit testing to avoid ending up with a long list of unexpected vulnerabilities – at least you can properly prioritise.

• Implement continuous security testing: with agile development and rapid release cycles, you need more than just the occasional pen-test. Implement quick checks that developers and run on any code they’ve worked on. Set up regular, if not weekly full-coverage scanning to look deeper for vulnerabilities that have developed in your code – especially if you’re using 3rd party libraries that may come with their own security issues. In fact controlling the libraries you use is core to secure development.

• Control your privileges: developers often do everything from their highly privileged accounts. If these are compromised then attackers can quickly gain unlimited access to your environment and all your code and customer data. Make sure everyone has a low-priv account for day-to-day work and only uses hi-priv accounts when needed.

• Implement security standards: implementing a security standard, such as ISO 27001, gives you a good baseline for demonstrating your security credentials – a must for due-diligence processes. Cyber Essentials PLUS is a minimum certification that gets all your team – management and developers – thinking about cyber security standards.

• Implement cyber-secure air-gap backup: if nothing else, the ability to recover in the event of an attack or even a simple human-error mistake will give you time to address some of the other preventative issues. Remember that modern ransomware will find and encrypt your backups if it possibly can, so cyber-secure backups are a must.

Conclusion.

In our experience, too many applications developers leave cyber security as an unappreciated after-thought. Ultimately, they and their customers will pay the price, either of a significant security breach, or simply due to the lack of security limiting investments or delaying due diligence.

Don’t bury it. Don’t think features and release dates at all costs. Build in security from the beginning and implement secure development practices. Take action now and start getting your cyber security sorted today. Features? Release dates? Development costs? Cyber security? It’s not a choice.

Help and advice.

For help and advice on application and cloud security, call us today.

‍