15 Expert Tips For Building Security Into Tech Products From The Ground Up
Security is a top priority for any tech product, especially in today’s virtual-first world. With consumers relying on technology for more and more of their daily activities, and so many professionals working from home and in shared digital spaces, people and organizations are at higher risk of cyberattacks than ever. That’s why it’s crucial for tech leaders to prioritize security when creating products, rather than bolting it on after release.
Below, a panel of Forbes Technology Council members shares advice for tech leaders trying to build security into their products from the ground up. Follow these 15 tips to make your company’s offerings more secure before they even hit the market.
1. Prioritize awareness of the business impact.
When it comes to security, we tend to spend a lot of time focusing on the technology and not a lot of time on understanding the business-related reasons the technology is used. Prioritizing that awareness should play a larger role in security strategy from the outset. - Charles Aunger, Health2047 - American Medical Association
2. Involve experts at all stages of development.
While the temptation is strong to immediately begin discussing technical solutions and approaches, the best piece of advice for building security into products is to have expert security resources involved at all stages of product development, including the earliest stages of draft design and prototyping. - Nolan Garrett, Intrinium
3. Build from established standards.
Security is a game of perspective. You can’t see the outside of your house from the living room, so expand your view. Adopt a security-first mentality and build your security requirements from standards, such as NIST. Understanding the level of controls needed to secure your products will allow you to build requirements up front. - Sean McDermott, Windward Consulting Group
4. Don’t make assumptions about end-users.
Never assume a user will never do something they obviously shouldn’t—because they will. There will always be outliers, and you need to design applications that handle those exceptions securely. - Saryu Nayyar, Gurucul
5. Don’t assume you’re not a target.
Cyberthreats should be a concern for every organization, but ignorance, overconfidence and underestimation of value need to be addressed first. Security professionals and other team members tend to underestimate themselves in the eyes of an adversary—specifically, the worth of their brand, the information they manage and their intellectual property. Address those misconceptions and overconfidence first. - Stephen Moore, Exabeam
6. Map your data flow.
It’s critically important to know where your data flows—who has access to it and where it’s stored—and to answer critical questions like these in order to know where the biggest vulnerabilities are in your system. Then you can turn around and address each of these points by prioritizing the vulnerabilities that are the biggest risks. - Marc Fischer, Dogtown Media LLC
7. Decrease the attack surface as far as possible.
Every possible user input interface that your product has is a possible attack vector. The best way to de-risk your product is to decrease this surface area as much as possible by having sensible defaults, reducing the complexity of configuration and, sometimes, even removing unnecessary user input primitives. - Sanket Saurav, DeepSource
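Tips 4 and 7 describe the same design habit from two sides: expect the input you did not plan for, and give users as few knobs as possible. The following is an added example, not code from the article or from any contributor's company, showing what that looks like for a product's settings loader. It ships secure defaults, accepts only an allowlisted set of keys, and fails closed on anything unexpected rather than guessing. The setting names, limits and sample values are illustrative assumptions.

```python
"""Added example (not from the article): a settings loader that keeps the
attack surface small by (1) shipping with secure defaults, (2) accepting only
an explicit allowlist of keys, and (3) refusing unexpected values instead of
guessing. Setting names, limits and sample inputs are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    # Secure defaults: a deployment that configures nothing gets the safe
    # behaviour, so the operator has to take a deliberate step to weaken it.
    debug: bool = False
    require_tls: bool = True
    session_ttl_seconds: int = 900
    allowed_origins: tuple = ()  # CORS allowlist; empty means same-origin only


# Only these keys may be overridden, each with its exact expected type.
# Unknown keys are rejected rather than ignored, so a typo such as
# "require_tsl" cannot silently leave the default in place while the
# operator believes the value was changed.
_ALLOWED = {
    "debug": bool,
    "require_tls": bool,
    "session_ttl_seconds": int,
    "allowed_origins": list,
}
_MAX_TTL = 24 * 3600  # assumed upper bound for a session lifetime


def load_settings(raw: dict) -> Settings:
    """Build Settings from an operator-supplied dict, failing closed."""
    overrides = {}
    for key, value in raw.items():
        if key not in _ALLOWED:
            raise ValueError(f"unknown setting {key!r}")
        expected = _ALLOWED[key]
        # Exact type check: bool is a subclass of int, so isinstance() would
        # let debug=1 through; "yes" and 1 are both refused here.
        if type(value) is not expected:
            raise ValueError(f"{key} must be {expected.__name__}")
        overrides[key] = value

    ttl = overrides.get("session_ttl_seconds", Settings.session_ttl_seconds)
    if not 0 < ttl <= _MAX_TTL:
        raise ValueError("session_ttl_seconds out of range")

    # The outlier case for an origin list is a wildcard or a plaintext
    # origin; both are refused rather than "handled" by a permissive match.
    origins = tuple(overrides.get("allowed_origins", ()))
    for origin in origins:
        if origin == "*" or not origin.startswith("https://"):
            raise ValueError(f"refusing origin {origin!r}")
    overrides["allowed_origins"] = origins
    return Settings(**overrides)


def is_origin_allowed(settings: Settings, origin: str) -> bool:
    """Exact-match allowlist lookup; no wildcard or prefix matching."""
    return origin in settings.allowed_origins
```

The important property is that every path that is not explicitly understood ends in an exception, not in a default that happens to be permissive; the only way to get a weaker setting is to ask for it by name with the right type.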
8. Test security during development.
Test the security of the code during development, not after the fact. Build a development infrastructure that provides continuous testing to deliver feedback to coders before it is too late and the code is ready for release. - Juliette Rizkallah, SailPoint
9. Think like the criminal you’re trying to stop.
Try to get into the hacker’s mindset. Think about what they would do to get around your system, and then solve that issue. We have an in-house hacker who knows all of our tricks and constantly works to get around our system. Once he does, we get together as a group to solve that issue. Stay inside the hacker’s mind—it will keep them out of your system. - Richard Kahn, Anura Solutions, LLC
10. Include in-app protections.
Tech leaders can avoid security incidents involving mobile devices or apps by working closely with developers to implement security technologies from the very start of the development process. For example, in-app protections such as mobile application shielding can be integrated into the source code to detect and prevent malicious code from running—even if the mobile device itself is compromised. - Will LaSala, OneSpan
11. Learn about built-in security capabilities.
Some teams make the mistake of building their own security functionality. Instead, I’d take time to learn about security capabilities built into the development framework and cloud platform. Vendors have spent billions to provide ready-to-use security functionality that implements best practices. Development teams will build more secure products and ship faster by leveraging those capabilities. - Dave Todaro, Ascendle
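As an added illustration of this tip (not code from the article or from Ascendle), the block below contrasts the kind of password check a team writes when it "builds its own" with the primitives already shipped in Python's standard library. The standard library stands in here for whatever framework or platform a team actually uses; the cost parameters, storage format and sample password are assumptions, not recommendations from the article.

```python
"""Added example (not from the article): a homegrown password check beside
the one built from library primitives. The storage format, the scrypt cost
parameters and the sample passwords are illustrative assumptions."""
import hashlib
import hmac
import os


# --- What "building your own" tends to look like ---------------------------
def homegrown_hash(password: str) -> str:
    # Fast, unsalted hash: identical passwords produce identical hashes, and
    # an attacker with the table can test guesses offline at full speed.
    return hashlib.sha256(password.encode()).hexdigest()


def homegrown_verify(password: str, stored: str) -> bool:
    # Plain == on hex strings returns early on the first mismatching
    # character, leaking timing information about the stored value.
    return homegrown_hash(password) == stored


# --- Using the library's built-in primitives --------------------------------
# scrypt cost parameters (assumed values; tune for the hardware you run on).
_N, _R, _P = 2 ** 14, 8, 1


def builtin_hash(password: str) -> str:
    salt = os.urandom(16)  # per-user random salt from the OS CSPRNG
    digest = hashlib.scrypt(password.encode(), salt=salt, n=_N, r=_R, p=_P, dklen=32)
    # Store the parameters alongside the digest so they can be raised later
    # without breaking existing records.
    return f"scrypt${_N}${_R}${_P}${salt.hex()}${digest.hex()}"


def builtin_verify(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        # Malformed record: refuse rather than guess at a format.
        return False
    # Constant-time comparison from the library, not a hand-written loop.
    return hmac.compare_digest(digest, expected)
```

Nothing in the second half is clever; it is the salt, the memory-hard cost and the constant-time compare that the library already provides, wired together. That is the point of the tip: the secure version is shorter to write than the insecure one once you know what the platform offers.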
12. Maintain a security dashboard from the beginning.
“Security by design”—whether for software or broader products that have connected apps, backing systems or data—only works when considered at inception and consistently throughout the product development cycle. Whether your development team uses scrum/agile or waterfall methodologies, you must drive security requirements early and maintain a dashboard of what is important. - Aaron Pritz, Reveal Risk
13. Empower your team.
My advice is to think about what true security culture means and empower people to be cybersecurity assets. That will help team members make decisions and consider risks in the context of their jobs, whether they’re in product development, coding, design or something else. Then they can involve security and privacy teams early to build products with security in mind from the start instead of as an afterthought. - Ashley Rose, Living Security
14. Bring in real-time third-party analysts.
Leverage a third-party solution that performs static code analysis in real time, as the code is being written, so that security vulnerabilities are identified and addressed early in the software development lifecycle. - Mark Schlesinger, Broadridge Financial Solutions
15. Make your users allies.
Users are often viewed as the weakest link in security, but with thoughtful product design, they can be your greatest allies. The key is to accept user behavior around issues such as password reuse. Bake in ways to engage users in helping to secure their accounts via tools such as suspicious login alerts that respond to real-time deviations in user behavior. - Ari Jacoby, Deduce