Fri, 1 May 2026

Monetising applications with secure software supply chain

“Every business is a software business”, as Watts S Humphrey said two decades ago.

It is surprising that a 20-year-old idea is only now truly gaining traction across organisations in every industry. From banks to logistics companies, in-house or outsourced developer teams are building unique software solutions that meet the exact needs of an enterprise’s digital transformation.

In the past few years, we have observed many organisations treating this as a potential business opportunity. For example, if a bank builds a sophisticated business application, it might consider monetising its innovative solution by selling it to another bank; after all, banks have similar processes or are addressing similar transformations.

This presents non-tech businesses with new revenue potential where they build targeted solutions that provide benefit beyond their own needs. However, organisations shouldn’t be so quick to repurpose their newly built solution as there are serious security risks that should be considered.

New layers of complexity

Traditional industries are increasingly turning to outsourced solutions for their software development, and these developer teams are usually working remotely and are hired on a freelance basis.

Many businesses find themselves operating in an environment where they no longer have their workforce under the same roof, with in-house and external developer teams scattered across the city, or even the globe. As this rapid shift to remote working takes place, it is likely to become a long-term trend and the “new normal”.

With this added complexity and the opportunity to benefit from cheaper software development in other countries, how does an organisation even begin to govern and secure a software supply chain that is, by its nature, open by design? First, it needs to understand the potential vulnerabilities at every stage of the software development life cycle.

Ensuring strong software security assurance at every stage

It begins with something as simple as access to the network. Remote working and remote network access come with security risks. It is crucial for companies to communicate and ensure that the network used by employees is adequately secured.

This means isolating developers in a separate subnet or a separate network. Even when on-site, every new employee’s identity must be managed centrally and regularly monitored to ensure that access to credentials is always in line with the developer’s responsibilities.

It is an extreme cautionary tale, but there have been instances of network abuse as a result of compromised network access. Imagine this scenario: a stellar employee, who was reporting to the office at 7am and leaving after 8pm, with the role of managing and administering business applications on a cloud provider’s platform.

It was later discovered that every day the individual was switching off the business application in the evening and using the cloud platform to mine bitcoin overnight. Next morning, he would come and switch on business applications without anyone suspecting a thing.

You can imagine how much this abuse of company resources would cost the organisation in this made-up scenario. The lifecycle and governance of identity takes on a bigger role in the enterprise as remote working becomes the new normal globally.

The next step is to ensure that the workstation provisioned for or used by an employee is regularly scanned and patched. We have seen many cases of ransomware breaches on unpatched operating systems that went on to hijack the environment.

The same goes for the tools and software that employees use to develop business applications. Employers should ensure that any new programmes installed are in line with internal compliance and security protocols, such as multi-factor authentication or one-time passwords used to verify authenticity before software is installed.

Keeping a catalogue of all software and tools running on every workstation – virtual or physical – will quickly help enterprises assess the impact of new vulnerabilities and the effort required to mitigate risk.

Once a developer starts writing code, the organisation needs to ensure that it is regularly scanned, that vulnerabilities are reported to the security team immediately, and that they are remediated in a timely manner with the proper change controls in place. This ensures that the code and the business application have security built in by design.

The developer might choose to access a code repository and save the work there. At this stage, organisations need to ensure that the repository is monitored and any unusual behaviour, such as excessive copying and downloading of files, is detected immediately.

After all, software like this is intellectual property and even at the development stage, valuable to competitors. The same visibility would be needed to detect any intentional injections of malware into code repositories.
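As an added illustration of the repository monitoring described above (this is example code written for this page, not code from the original article), a small Python detector that reads constructed audit-log lines in an assumed `timestamp user action repo count` format and flags a user whose download volume, or cloning across several repositories, within a one-hour window exceeds a threshold:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format): ts user action repo file_count.
# bob's evening burst is the behaviour the article describes as "excessive copying".
SAMPLE_LOG = """\
2026-04-30T09:02:11 alice clone payments-core 1
2026-04-30T09:15:40 alice download payments-core 12
2026-04-30T10:01:05 bob download payments-core 8
2026-04-30T22:14:02 bob clone payments-core 1
2026-04-30T22:16:30 bob download payments-core 640
2026-04-30T22:20:12 bob download ledger-api 410
2026-04-30T22:25:59 bob clone ledger-api 1
"""

def parse_log(text):
    """Turn the assumed log format into (datetime, user, action, repo, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, repo, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, repo, int(count)))
    return events

def flag_excessive_downloads(events, window=timedelta(hours=1), max_files=200, max_repos=1):
    """Return one alert per user whose downloaded file count inside any sliding window
    exceeds max_files, or who clones more than max_repos distinct repositories in it."""
    by_user = defaultdict(list)
    for ev in sorted(events):          # chronological order so the window scan is simple
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, _, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            files = sum(c for _, _, a, _, c in in_win if a == "download")
            repos = {r for _, _, a, r, _ in in_win if a == "clone"}
            if files > max_files or len(repos) > max_repos:
                alerts.append({"user": user, "start": t0.isoformat(),
                               "files": files, "repos": sorted(repos)})
                break                  # one alert per user; an analyst drills in from here
    return alerts

if __name__ == "__main__":
    for alert in flag_excessive_downloads(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are placeholders; in practice they would be derived from each team's normal clone and download volume rather than fixed globally.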

After the application is developed and an employee or freelancer is ready to pass the code to the next stage of the software supply chain, the organisation still needs to make sure quality controls and change release processes are followed.

Security from the get-go

In the current work-from-home environment, organisations that continue to innovate must ensure that security continues to be their top priority. The ability to showcase that business applications and solutions were built in a secure environment will not only ensure compliance, but also help in instances where in-house built software is sold to another organisation.

To do this, it is important to equip teams with the right security assurance tools at the various stages of the supply chain. These tools help to introduce security at the very beginning of application development so that it is integrated from day one and part of the software development lifecycle.

The truth is that today, businesses are under tremendous pressure to digitise fast in order to compete more effectively. This causes security to often become a tick-box. However, it is not too late to evaluate current risks related to remote working and make strategic adjustments to how security is implemented and managed.

Just like a household that wants to monetise a spare room and rent it out for a holiday stay, or a car owner who wants to earn some cash by providing rides or delivering food – the monetisation of software is a real disrupter that will see success based on its security assurance across the complete supply chain.
