Chapter 4. Security and Requirements
The best place to start introducing security into the systems development process is in the requirements gathering stage. While we’ve been referring to software development so far, it’s really systems development: when it comes to web applications, or even the backends of mobile applications, we are no longer talking about a single software package. We are talking about multiple components installed on virtual machines or in containers. That makes it systems development, even if the purpose of the full system is to deploy and provide access to applications.
When approaching systems development security, it’s easy to panic and be afraid of everything. The goal is not to address every problem that could conceivably arise, particularly when a situation is very unlikely to happen. The better approach is to follow good practices in hardening deployments and secure programming, and then to think rationally about the threats that remain. Even the best hardening and secure programming practices will leave some exposure to attack, simply because there will always be ways for an attacker to get in: the moment a program is running, it can be misused. For this reason, some technology providers, such as Microsoft, espouse the principle of “assume breach,” where you operate under the tacit assumption that there has already been a breach, and your job is to find ...