8 Practices Software Engineers Should Adopt and Champion for Cybersecurity

The Importance of Cybersecurity

I firmly believe that in today's cybersecurity expectations, software engineers should prioritize the security of their computer systems and internal IT networks. I would consider it to be a mistake to rely heavily on technology due to the simple fact that a lot of risks are non-technical in nature. The Internet can leave businesses vulnerable to data breaches and ransomware attacks that can cause lasting reputational damage. These non-technical risks can indeed be addressed using technical solutions.

These incidents can additionally result in significant financial losses and potential legal issues. In my opinion, implementing strong cybersecurity measures is not just a technical requirement but a critical initiative for any business looking to strengthen its defenses and resilience.

In this article, I would like to make a case that software engineers should stop looking at security as the responsibility of security engineers, but instead accept it as their responsibility. You do not need to be an engineering manager or a director to propose and implement best practices. Software engineers should use the power of persuasion, data, and showcase return on investment to gently nudge their organization in this direction.

Major Cybersecurity Incidents

Equifax Data Breach

This is probably the breach that people remember the most and probably one of the biggest security breaches that ever happened. In this breach, the Social Security numbers and credit card information of 144.5 million people were stolen. The breach occurred because a weakness in a web application framework was not fixed on time. This shows how important it is to update software promptly. 

WannaCry Ransomware Attack

This attack caused lasting damage, and thousands of computer networks were down. The UK’s National Health Service had to resort to paper and pen to run its facilities. This ransomware attack had a global impact on over 200,000 computers across 150 countries. It was caused by a Windows vulnerability that went unpatched. 

SolarWinds Cyberattack

The cyber-attack on the Solar Winds Orion platform was a comparatively rare type of supply chain attack. It involved hackers inserting viruses into the software updates. This breach impacted numerous US government agencies and private sector companies, highlighting vulnerabilities related to third-party software.

8 Cybersecurity Best Practices

1. Have a Data Classification Policy and Enforce It

No one understands the data better than the person who has to write the software to process and manage it. Software engineers have the responsibility to use the data as it was intended. Software engineers should be pushing for robust data classification policies and the enforcement mechanism. At the end of the day, if there is a misuse, software engineers will be held responsible, even if partially.

Data classification is about sorting data into different groups based on (a) how sensitive it is and (b) how much harm could be done if it gets seen by the wrong people. Such a classification, while simple, is effective since by having a plan for data classification: we can make sure that important information stays safe and is only seen by the people who should see it. It's also important to regularly check that we're following the rules and make changes to the groups when needed.

2. Have an Inventory of Data, Equipment, and Policies

A software engineer should be well-armed with an inventory of tools, information, and guidelines available to them to achieve security. They should be a proponent of such a culture and it makes their life eventually much easier.

Maintaining an up-to-date inventory of all data, equipment, and policies is critical in any effective cybersecurity management system. Such a list helps one to know which data are stored where and how they are protected. It also ensures hardware documentation, software installations, and vulnerability identification configurations.

3. Perform Regular Risk Assessments and Propose Improvements

One of the biggest tools in a software engineer's toolbox is a threat model. It involves a design diagram of all the software components involved, their interactions, and the entry-exit point of customer requests. Asking pointed questions amongst each other helps us assess the risks and avoid falling into the pit of unfounded assumptions.

Regular risk assessments enable you to identify threats or vulnerabilities in your development environment. These assessments must include internal and external factors, including employees and third-party vendors, and new cyber-attack trends. Based on the findings, you must propose improvements to strengthen the organization's security posture. 

4. Enforce Two-Factor Authentication (2FA) for All Login Attempts

Two-factor authentication provides additional security, as users must provide two types of identification to access accounts or systems. Therefore, even if login credentials get exposed, this would reduce the chance that unauthorized individuals can gain entry. Implementing 2FA across all platforms and applications is fundamental for securing sensitive data. 

While this sounds like an IT requirement, 2FA should be used to access all the critical software engineering platforms and portals. Would you like to log in to a jump host so you can access the cloud environments? Please make sure that 2FA is enabled for your workflow. If not, could you convince the person who manages the relevant infrastructure?

5. Have a Companywide Password Management System

The password management system provides a secure way to store and manage passwords, thereby fostering the development of robust and unique passwords for various accounts. It mitigates the risks of breaches occasioned by passwords and simplifies personal login credentials management. 

There can be many external systems without a single sign-on where we need to create another set of credentials, some of which can be shared with the team. Password managers are the best method for sharing these passwords or secrets among the engineers and the rest of the employees — no more sending secrets by email or chat messages.

6. Security Awareness Training and Phishing Tests

Training employees on cyber security threats and best practices is essential in creating a security-conscious culture. Security awareness training should regularly cover areas such as recognizing phishing emails, safe internet usage, and proper data handling procedures. Phishing tests can occasionally be conducted to determine whether employees can notice or report suspicious incidents.

This is even more important as a software engineer if you work on internal tools, which usually provide more expansive permissions. Talk to your security team or IT department about security awareness training. 

7. Encrypt All Internal and External Communications

Encryption ensures that sensitive information sent within and outside the organization remains confidential and secure. Robust encryption protocols should be deployed on all communication channels, including email systems, messaging apps, and file transfers. Thus, unauthorized access to information is prevented even if it has been intercepted during transmission.

AES-256 is a great encryption algorithm for data at rest. For data in transit, its better to use the defaults of any TLS library you use for communication. They usually default to AES-256, but choosing default ensures we are not trying out any lesser-known, less-investigated encryption algorithm. Even peer-to-peer machine communication should ideally use encryption. Using plaintext for communication between endpoints in a private network is possible, but it requires much experience locking it down.

8. Have an Incident Response Plan

The formulated incident response plan is instrumental in guiding an entity’s actions during a cyber threat, such as data compromise or ransomware infiltration. It encompasses preventive measures, responsive protocols, recovery strategies, and communication procedures. This plan's regular rehearsal and ongoing refinement ensure an organization's preparedness for potential security contingencies.

Most of the time, software engineers will be involved during the incident, and they will take a lion's share of responsibility for mitigation. Having such a plan ensures that you, as a software engineer, know your role and responsibility. 

Summary

In conclusion, while these practices look simple at first glance, software engineers must remember their importance. Sometimes, a good solution is the simplest. Having complicated policies that are open to interpretation invites confusion, which is what malicious actors are looking for. It works even better when the practices are woven into the organization's culture.