Regardless of your industry, if you are a product owner you should be concerned about the security posture of your product. You can assume that attackers will eventually find the vulnerabilities. Investing time and money up front to identify weaknesses in your system before they are exploited is well worth the cost in the long run. There are two approaches for how to go about this: do it in-house or use a third-party.
Securing via In-House Developers
A common approach to securing your product is to use “in-house” developers. Fortune 500 companies might have an entire group dedicated to security, but more often than not, in smaller and mid-sized companies, the work falls to the very same people who designed and developed the system. Going the “in-house” approach certainly has a lot of advantages.
Convenience – Using in-house developers to secure your product is certainly the most convenient approach, because you already have access to the personnel who can do the work. They are already onboarded as full-time employees, and they are already familiar with the project. You don’t have to spend time searching for the right company to perform a third-party assessment for you, and you don’t have to bother seeking approval to hire an outside firm and coordinate payment with your finance department.
Speed – Since the in-house developers are already familiar with the product, they will not have to spend time getting up to speed with the design and implementation of the system. They themselves have written the code, so they know the logic inside and out. They can move quickly and complete the security analysis most efficiently.
Cost Savings – Since you are in full control of the in-house developers, you can tightly control the budget and directly throttle how much money you put into the security phase of the project. If the CEO says you only have the budget for one developer to spend two weeks on securing the platform, then you have the ultimate control to make that happen.
While using your in-house developers to secure your product has several advantages, there are certain risks you are taking with the do-it-yourself approach. Consider the following potential downsides:
Blind Spots – If you use the same developers to improve the security of your product, the single greatest risk is that they will fail to identify all the potential weaknesses in the system. We humans have blind spots, and sometimes we fail to see the errors staring us right in the face when we are too familiar or too close to the problem. This happens all the time in relationships, and it happens just as often with design and implementation of technology. The risk of not seeing the potential security weaknesses of the system increases as the team size becomes smaller. When you have a single developer implementing the product, the risk of them missing security issues is escalated. As a mitigation, consider bringing in fresh perspectives by including members from other teams who are not already familiar with the product or its implementation.
Cost Overruns – We listed “Cost Savings” above as a potential advantage of going the in-house route, so how could it also be listed as a disadvantage? It’s because the cost savings of using in-house developers may only be a short-term cost savings measure. The trouble occurs when in-house developers fail to identify a weakness, and it comes back to bite the team in a big way later on. Failing to discover the weaknesses early in the design and development process can lead to very costly corrections later in the project. Components may need to be modified or completely replaced depending on the severity of the weaknesses that are discovered too late in the cycle.
Conflicts of Interest – One hidden downside to relying on the same developers who created the product to secure the system is the inherent conflict of interest. They just spent months or years developing the system, and then someone asks them to find all the problems with it. Nobody is naturally motivated to find all the problems with their work. The better job they do at finding the weaknesses of the system, the worse they look as system designers or developers. On the other hand, the quicker they gloss over any potential security gaps, the better they look and the quicker the project goes. It’s a short-term win with huge potential long-term implications.
Securing via Third-Party Auditor
An alternative approach to securing your product is to work with a qualified company that can perform a detailed security assessment of your product. Working with a third-party may not be as convenient as using your in-house developers, but putting in a little bit of effort to select an experienced company could pay dividends in the long run.
While using in-house developers may appear as the more expedient approach, there are many benefits to consider when working with a third-party to perform a security audit.
Professional Experience – There are many books and resources on the web that discuss software and network security, and there are many conferences all over the world dedicated to the advancement of security. Keeping up with the latest challenges and techniques in the world of information technology is a full-time job. While many developers might have an interest in security-related issues, most developers simply don’t have the time to keep up with everything. Security is a rapidly evolving field. It’s a cat-and-mouse game where hackers are continually pushing the envelope to develop new attack methods and security researchers are continually developing new technologies to anticipate or prevent these attacks. You want a highly skilled team with professional experience analyzing systems for security weaknesses.
Fresh Perspective – Another huge benefit of using a third-party to assess your security posture is that they will bring a fresh set of eyes to the table. A third-party is not burdened with the internal history and politics of the design and development teams. A third-party can analyze the design and implementation of the system without fear of reprisals or offending a fellow teammate’s ego.
Incentive – Third-parties are inherently incentivized to identify all potential security weaknesses in the system. You can rest assured that any good security assessment will take a magnifying glass to every aspect of the system, looking for any signs of possible weaknesses. No security auditor ever wants to come back to the client and say, “Well, looks like your system has no security weaknesses!” The truth is there are always security weaknesses to be found, and a good security auditor will be highly incentivized to identify them, as their reputation depends on it.
Types of Security Audits
There are several different types of security audits and some may be more applicable to your product than others.
Architecture Design Review – If you have the luxury of working with a security auditor early in the product development pipeline, then you would definitely benefit from having them perform a review of the system design. An experienced company can identify potential problem areas early on and suggest certain design paradigms to use or avoid to eliminate potential problems down the road.
Source Code Review – Another potential approach is to hire an independent firm to perform a source code audit of the system’s software. As we mentioned earlier, a third-party will bring a fresh perspective and will be more likely to spot trouble spots that were overlooked by the development team.
Penetration Testing – The ultimate test of the system is to ask an independent firm to perform a penetration test of your system. You would give the company full access to the system at whatever privilege level you desire and they will look for security vulnerabilities that could be exploited by an attacker. One thing to consider with a penetration test is how much information you would like to provide to the auditor. There’s a trade-off to be made here. On the one hand, if you don’t give the auditor any kind of protected information, such as the source code for the system, then the penetration test will be more realistic. On the other hand, giving them as much information as possible, such as access to the full source code, will accelerate their progress and allow them to find more potential vulnerabilities. In general, we recommend giving the auditor all information possible about the system, because this will result in the most findings and allow you to more fully secure your product.
Choosing a Third-Party Security Auditor
Finding a qualified company to help you secure your system is not a trivial matter because this type of work is so specialized. Word of mouth is always a great place to start, but you may find yourself in a position where you can’t get any recommendations from your colleagues or associates at other companies. Of course, Google is your next best option. You’ll want to search for companies that understand software and network security, particularly as it relates to your product platform. Some companies are highly specialized and may only focus on one technology, such as Bluetooth. Other companies have a greater range of expertise and can analyze the entire system. If you are only concerned about the security of one particular interface, then you should find a company with that specific experience. On the other hand, if you are concerned about the security of the entire system, look for a company with a breadth of experience. Companies with a more generalist-type background may not be able to go as deep on a particular component, but they will do a better job assessing the bigger picture at the system level, and you will get more bang for your buck.
Here are some important things to look for in a third-party security company:
Experience – You want to see that the company has experience performing security audits relevant to your product platform.
Reputation – If you have never heard of the company before, ask if they will provide references so you can speak with past clients.
Availability – Discuss your scheduling needs up front to ensure the company’s availability aligns with your timeline. There’s no point in discussing the project further if you need results within three weeks and they are booked for the next six weeks.
Budget – Ask the company for a proposal to make sure the expected costs line up with your budget. Make sure you understand how the job will be executed, with either a Fixed Price or Time and Materials contract. Depending on your needs, one or the other might make more sense.
Expectations – Be clear about the scope of the job. If you expect certain components to be analyzed, make sure this is clearly spelled out in the proposal and purchase order. You don’t want to be reading the final report and realize some aspect of the system was not fully analyzed because of a miscommunication.
Syscall 7 performs security assessments for a wide range of technologies, including bare-metal embedded systems, Android-based systems, Linux, Windows, and cloud computing architectures. Reach out today to speak with someone who can help you assess your situation.
Anthony DeRosa is a software security researcher with 20 years of experience in static and dynamic reverse engineering. He holds a Masters degree in Electrical and Computer Engineering from Johns Hopkins University. He is the founder of Syscall 7, a software development and analysis firm based in Baltimore, MD. He serves as an expert witness in technology-related litigation and currently leads a team of engineers supporting patent infringement litigation through source code analysis, software reverse engineering, and runtime testing.