How skipping secure architecture & design impacts your Security Posture

As we all know, success starts from good planning, and failure is caused by weak planning.


The same thing applies to your security posture: as soon as you start planning your security properly, your system will be more secure.


In the software development lifecycle, there is an important phase where you design your system. It includes the architecture and the detailed design.


It can be viewed in the same way as constructing a building: you always start with the architecture of the building. The building's foundations (its skeleton) have to be solid, and everything has to be in the right place, made of the right materials, etc.

Then you start to design the floors, define where the walls should stand, where the water and electricity lines will run, etc.

As a buyer, you are not always aware of it, but security is also part of the planning phase: the strength of the ceiling, where water and electricity cables can run, what the escape path is in case of emergency, and many other questions that need to be considered at this early stage.

The software industry works the same way as the building industry: when you design your system, you should consider all the security aspects.

What is your attack surface? How do you protect your assets? What are the right security controls? Are there compliance requirements and regulations that you need to consider?

The ironclad rule is: what you don't take care of in the architecture & design phase will cost much more later.

Let's take an example.


You are developing a healthcare system. You have been working on it for a year, and just before the release you realize what the HIPAA regulation requires: all your repositories must be protected at rest (D@RE). Now, at the last moment, you find that the repository you chose is incompatible with the regulatory requirements.


You will need to replace the repository with a compatible one, change all the code that calls the repository, and of course, retest everything.

It may take months…

The following figure shows how the position in the development lifecycle timeline affects the cost of implementing security.

[Figure: Security Control cost over the development lifecycle]


The figure shows how the cost of adopting security controls increases significantly when you move from the design phase into the implementation phase.


The reason is that any change after the design phase dramatically increases the cost, because the team now has to pause development, investigate, and spend time on rework. Extra time spent = money spent.

Conclusions:

1. Empower your architects and designers to think about security as early as possible.

2. Ensure your organization has secure design controls as part of its secure development lifecycle.


Stay safe,

Tomer