Blog Post

The Security Development Lifecycle: Where Proactive Controls Save the Day

Mark Goldin

Chief Technology Officer, Cornerstone

The connected world of HR technology is exploding, and more and more companies are trusting employee and company information in the hands of cloud software companies. The problem? Complex, public-facing cloud systems are hard to secure. That's just a fact. So, what can providers do about it?

The answer is simple: Detect and minimize security risks and threats in your product before they are released. But to do that, you need a well-defined strategic framework—a Security Development Lifecycle (SDL)—to guide product development and help ensure that security is baked in by various teams. This is a cross-functional effort with the Product, Development, QA, Security and Release teams acting together for the common good.

The SDL concept is not new, but growing pressure on software developers to adopt a formal framework is—especially when it comes to protecting critical and private employee information. Recent high-profile data breaches involving major retailers, financial institutions and government agencies have customers asking vendors more questions about security. They want assurance that developers are doing all they can to reduce risk and make safer products.

Instilling greater confidence in your customers is an important reason to adopt an SDL process, of course, but there are other benefits. Reducing the need for firefighting is a primary one. Think of the resources you need to deploy to respond to a security incident after your product has been released—the time and cost involved can be significant.

In fact, as Microsoft notes on its website about the "Benefits of SDL," the National Institute of Standards and Technology estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase. So, the bottom line is that it can be far more cost-effective to ask questions about security and address risks in the earliest stages of product development. Here's what you need to know about creating an SDL at your company.

Tailor the SDL Framework to Your Needs

SDL frameworks provide inspiration and tools for reducing software security risk, but you have to make sure you implement a framework unique to your organization's processes and culture. You will need to tailor your own blend of best practices to create a relevant and effective framework. Technical controls typically require particular customization and tuning based on internal process, technology and capability.

Process-based preventative controls include verifying that project-based security activities occur prior to release, while technical controls include static analysis and dynamic analysis security testing. Technical controls often require a security toolbox including tools like SIEM (Splunk), static source code analysis (Checkmarx), static binary analysis (Fortify), and dynamic analysis security testing (WhiteHat Sentinel, Burp Suite, ZAP). We also build custom scripts and maintain meaningful manual processes for verifying that new features are free of severe and common kinds of security defects, including SQL injection, command injection, cross-site scripting, and authorization issues.
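As an illustration of the "custom scripts" kind of technical control, here is an added example (not Cornerstone's tooling) of a small static check a team could run in CI over Python sources: it parses each module and flags database calls whose query text is assembled at run time (a SQL injection smell) and shell invocations whose command line is assembled the same way (a command injection smell). The two sample modules are constructed for this example, and the sink names it looks for (`execute`, `os.system`, `subprocess.run` with `shell=True`) are assumptions about the code base under review.

```python
"""Lightweight injection-smell check of the kind an SDL 'custom script'
might run in CI. Added example; the sink names and sample sources below are
assumptions constructed for illustration, not a project's real code."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Callees whose first positional argument is a SQL query or a shell command.
SQL_SINKS = {"execute", "executemany", "executescript"}
SHELL_SINKS = {"system", "popen", "call", "run", "check_output", "Popen"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "sql-injection" or "command-injection"
    line: int    # 1-based line in the scanned source
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at run time from parts:
    an f-string with placeholders, '%' formatting, .format(...) or '+'."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                           # "..." % x, "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


def _callee_name(call: ast.Call) -> str:
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return ""


def _shell_enabled(call: ast.Call) -> bool:
    """os.* sinks always go through a shell; subprocess only with shell=True."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) \
            and func.value.id == "os":
        return True
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source: str) -> list[Finding]:
    """Parse one module and return injection smells sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name, first = _callee_name(node), node.args[0]
        if name in SQL_SINKS and _is_dynamic_string(first):
            findings.append(Finding("sql-injection", node.lineno,
                                    f"{name}() receives a query built at run time"))
        elif name in SHELL_SINKS and _shell_enabled(node) and _is_dynamic_string(first):
            findings.append(Finding("command-injection", node.lineno,
                                    f"{name}() runs a shell command built at run time"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: the 'before' a reviewer would reject ...
VULNERABLE_SAMPLE = '''
import os, subprocess
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
def archive(path):
    os.system(f"tar czf backup.tgz {path}")
    subprocess.run("ls " + path, shell=True)
'''

# ... and the hardened form: parameterised query, argv list without a shell.
HARDENED_SAMPLE = '''
import subprocess
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = %s", (name,))
    return cur.fetchone()
def archive(path):
    subprocess.run(["tar", "czf", "backup.tgz", path])
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        found = scan_source(src)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

A check this simple is no substitute for the commercial static analyzers named above; its value is that it is cheap, fast and tailored to the team's own coding conventions, so it can block a merge long before the heavier tools run.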

That's what we've done at our company. Cornerstone's SDL framework is actually a hybrid of leading frameworks like the Microsoft SDL and the Building Security in Maturity Model (BSIMM). We've also added a core element that is a reflection of what Cornerstone is—a learning company. Continuous learning is the cornerstone of our SDL, with product security training forming the hub of our SDL "wheel".

Educate Your Team

Our goal is to make learning fun. We believe that education and training are the best proactive security control. For example, we have developed an application security game that is part of the mandatory curriculum for all of our technology personnel. It's multiple choice, but it's tough—and we can chart the progress of every developer as they move through that curriculum.

What we are doing at Cornerstone is advanced for the talent management space. And it's enabling us to confidently answer three vital questions customers ask in security RFPs and audits:

  • Do you have a strategic framework for secure product development?
  • Have you implemented some level of control that indicates maturity across those practices?
  • Do you conduct role-based application security training and measure the results?

We leverage our internal implementation of the Cornerstone LMS to deliver annual training on security policies and guidelines for all employees, and provide focused, role-based application security training for Dev, QA, and the technical personnel responsible for delivering code-shipping products. Additionally, we provide specialized training on SIEM, static analysis, and dynamic analysis security testing tools.

Further, Cornerstone is proud to be a member of the Cloud Security Alliance, and hosts its monthly Los Angeles-area gathering at Cornerstone's Santa Monica headquarters. This educational forum helps keep Cornerstone ahead of the curve when it comes to cloud security.

Proactive Product Security

More importantly, our SDL framework allows us to confirm that we have done everything we could to build security into a product before we release it, answering key questions like:

  • Did we specify secure design requirements? Were they met/satisfied/followed?
  • Did we conduct secure code review? What did we find?
  • Did we perform dynamic security testing? What was the result?
  • Did we ensure new features were covered in per-release penetration testing? What was the outcome?
  • Is the product security incident response team aware of the new attack surface, and do they know who to contact in the event issues are found?
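The questions above can be operationalised as a release gate that reads structured evidence and refuses to sign off while any answer is missing. The following is an added example of such a gate, not Cornerstone's own process: the evidence schema, the policy that no High or Critical finding may remain open, and the rule that every new feature must appear in the release penetration test are all assumptions; the two release records are constructed sample data.

```python
"""Policy-as-code release gate for the pre-release SDL questions.
Added example; the schema, policy thresholds and sample releases are
assumptions constructed for illustration, not a real project's data."""
from __future__ import annotations

from dataclasses import dataclass, field

# Severities that must be fixed (not merely tracked) before shipping. Assumed policy.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class SecurityFinding:
    source: str    # "code-review", "dast" or "pentest"
    severity: str  # "critical", "high", "medium", "low"
    status: str    # "open" or "fixed"


@dataclass
class ReleaseEvidence:
    release: str
    new_features: list[str]
    design_requirements: dict[str, bool]   # requirement -> was it met?
    code_review_done: bool
    dast_done: bool
    pentest_features_covered: set[str]
    findings: list[SecurityFinding] = field(default_factory=list)
    psirt_briefed: bool = False
    psirt_contact: str | None = None


def evaluate_gate(ev: ReleaseEvidence) -> list[str]:
    """Return every reason the release is blocked; an empty list means go."""
    reasons: list[str] = []

    # Did we specify secure design requirements, and were they met?
    if not ev.design_requirements:
        reasons.append("no secure design requirements recorded")
    unmet = sorted(r for r, met in ev.design_requirements.items() if not met)
    if unmet:
        reasons.append("unmet secure design requirements: " + ", ".join(unmet))

    # Did we conduct secure code review and dynamic security testing?
    if not ev.code_review_done:
        reasons.append("secure code review not performed")
    if not ev.dast_done:
        reasons.append("dynamic security testing not performed")

    # Were all new features covered in the per-release penetration test?
    uncovered = sorted(set(ev.new_features) - ev.pentest_features_covered)
    if uncovered:
        reasons.append("new features not covered by release penetration test: "
                       + ", ".join(uncovered))

    # What did the reviews find, and is anything blocking still open?
    open_blocking = [f for f in ev.findings
                     if f.status == "open" and f.severity.lower() in BLOCKING_SEVERITIES]
    if open_blocking:
        reasons.append(f"{len(open_blocking)} open high/critical finding(s) "
                       "must be fixed before release")

    # Does the incident response team know the new attack surface and whom to call?
    if not ev.psirt_briefed:
        reasons.append("incident response team not briefed on the new attack surface")
    if not ev.psirt_contact:
        reasons.append("no incident contact recorded for this release")
    return reasons


# Constructed sample releases: one that passes the gate, one that does not.
PASSING = ReleaseEvidence(
    release="2024.3", new_features=["sso-login"],
    design_requirements={"input validation": True, "audit logging": True},
    code_review_done=True, dast_done=True, pentest_features_covered={"sso-login"},
    findings=[SecurityFinding("dast", "high", "fixed"), SecurityFinding("pentest", "low", "open")],
    psirt_briefed=True, psirt_contact="psirt@example.invalid")

BLOCKED = ReleaseEvidence(
    release="2024.4", new_features=["sso-login", "bulk-export"],
    design_requirements={"input validation": True, "audit logging": False},
    code_review_done=True, dast_done=True, pentest_features_covered={"sso-login"},
    findings=[SecurityFinding("dast", "high", "open"), SecurityFinding("code-review", "medium", "open")],
    psirt_briefed=True, psirt_contact=None)

if __name__ == "__main__":
    for ev in (PASSING, BLOCKED):
        reasons = evaluate_gate(ev)
        print(f"release {ev.release}: {'GO' if not reasons else 'BLOCKED'}")
        for r in reasons:
            print("  -", r)
```

Recording the evidence in a structured form also gives the security team the audit trail it needs to answer the RFP questions in the previous section with data rather than assertions.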

The whole concept of the SDL is to build proactive controls that reduce risk and the reactive need for firefighting. You develop a more secure product by bringing together all stakeholders at the outset—the product designer, the development lead, the quality assurance team, and others—to ask and answer, "What are we building? What are the risks? And what can we do to prevent them?"

What's the conclusion? The program and process have to be ongoing, since technology changes and employees take on new challenges. Updating the programs frequently is critically important. The process is iterative and meant to support a "Maturity Model" mindset.


Related Resources

Blockchain Poised to Improve Future HR Operations

This article was originally published on WorldAtWork.

Blockchain has become somewhat of a buzzword over the last few years, but the technology famous for powering bitcoin has more utility than many of us give it credit for. In fact, blockchain has shown enormous potential in areas like real estate, capital markets, health care and financial services. Starting today, and continuing into the decade to come, blockchain will add human resources to the long list of industries it is sure to disrupt.

Even in a rapidly changing work landscape, prompted by the global skills shortage that's only been accelerated in a COVID-19 world, the fundamental things you need to know about a person — who they are, what their professional background is — haven't changed. Roles and the demand for new skills have been affected, as has the increased ability to see an individual's potential when matching them to a job. For those displaced workers who are eager to get back to work, employers can accept and instantly verify credentials, which include their employment and identity, a process that historically takes as long as two weeks to complete.

So what, exactly, can HR managers expect to see as blockchain technology realizes its full potential? Here are several ways blockchain will add value to organizations over the next decade.

Improving Job Matching

The job description and the resume are both formats that were designed to match talent to need in an era when careers were more linear, and jobs didn't flex with change nearly as much as they do now. The nature of work today includes more jumps between companies, roles or even skillsets than what the labor market saw in the past. Not to mention that employees today are constantly learning new skills and competencies — and not every single one translates specifically to a certificate or degree. The new resume should be able to reflect these credentials.

Blockchain provides an opportunity to better understand the skills, work experience and other value a candidate brings to the table. It also helps us to see jobs in terms of their fundamental components, which can help match with better clarity, speed and accuracy than what is available today. When we can better understand how someone does their work, their attitudes and interests, and how they work with others, we can move past how long someone operated in a certain role and understand how their unique perspectives and background can match critical needs of a company to support growth. That includes external hiring, but even more critical in our current environment, what talent is already available within the company.

A Better Baseline for Recruiting and Talent Acquisition

The problem of "resume fibbing" has crept up over the last few years — and it only seems to be getting worse. A 2017 survey found that a whopping 85% of employers have caught people lying on their resumes, up from 66% five years prior. These stats are disappointing but not necessarily surprising. After all, with fierce competition from all-star candidates who boast Ivy League diplomas and experience at Fortune 500 companies, many job applicants feel the pressure to stand out.

With blockchain, however, hiring managers looking to fill open roles with the most qualified people will be able to trust the integrity of the information candidates provide — and avoid the misleading or completely false resumes that currently plague the industry. Blockchain can also help level the playing field by highlighting additional accomplishments and presenting information in a clear, objective way rather than weighting certain credentials, like a college affiliation, too strongly. And as a result, resumes become more than a list of an employee's accomplishments. With the support of blockchain, candidates could provide employers with additional insight into what it might be like to work with them from the very start of the hiring process.

Giving Applicants More Control Over Their Information

When someone applies to a job, it can often feel like their information is going into a black hole. But with new data privacy regulations like GDPR in Europe and CCPA in California, people are becoming increasingly aware of how their data is being used and who has access to it. With blockchain, applicants have more control over their information and can request that their data be deleted. Instead of contacting all of the jobs they have ever applied to, they can make changes to their blockchain network and control who sees their data.

Blockchain also enables applicants to set a time limit for how long a company can see their data. So, for instance, when someone applies to a job using their blockchain credentials, they can elect to only allow that company to access their information during the recruitment process. This functionality also benefits employers because they won't need to manage expectations around compliance amid new data privacy regulations. Blockchain will do that work for them.

Powering the Gig Economy

With blockchain, someone who works multiple gigs will be able to add a portfolio of projects and skills to their blockchain record, helping them get hired quickly for the jobs they do best.

As we continue to talk about the future of work, technological advances that bring artificial intelligence and machine learning into the workplace or home office tend to comprise the majority of the conversation. But it's time we add blockchain to that list of innovations. By 2030, 30% of commercial activities will be supported by blockchain. There's a lot of work to be done to bring the real-world applications of this technology to life, but one thing is clear: Blockchain has the potential to become a game-changing tool for HR departments and employees alike.

Cornerstone Among First Organizations to Achieve ISO 27701 Gold Standard in Data Privacy

At Cornerstone, we're on a journey to continuously demonstrate our commitment to data privacy and people protection. Today, we're thrilled to announce that we've been awarded the ISO 27701 certification for our Privacy Information Management System.

Considered to be the first globally recognized privacy certification, and aligned with GDPR, ISO 27701 is an extension of the gold standard in security. It requires organizations to adhere to a structured framework of information security and personal data protection requirements and outlines practical guidance for managing privacy programs.

"With this new certification, we are bringing the power of people protection to all of our clients across the globe," explained José Alberto Rodríguez Ruiz, Global Data Protection Officer at Cornerstone. "We are focused on offering all organizations we work with the reassurance for how we handle their data, providing compliance reporting and career protection. Ultimately, this enables our clients to also gain the trust of their employees."

Achieving ISO 27701 was a top priority for Cornerstone after it was enacted last fall. "We believe this certification marks a key milestone for both us and data privacy in general," said José. "It's about more than protecting data: we protect the data to protect the people."

Assessing Cloud Vendor Security? Here Are the Acronyms You Need to Know

Security is obviously a top-of-mind concern for any business that wants to migrate data and processes to the cloud—especially when it comes to talent management, which requires protecting employees' sensitive personal data. But what's less clear is what to actually look for when evaluating vendors and assessing their security practices. It's even more complicated when you encounter the many acronyms associated with security standards and certifications. Here's a quick overview of certifications that talent management cloud services providers should already have or be working to earn, what they mean and why they matter.

ISO/IEC 27001:2013

Published by ISO, an independent, nongovernmental international organization, ISO/IEC 27001:2013 is a standard that "specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization." In short, it's a set of rules and controls intended to guide the way a company manages information security. While ISO/IEC 27001:2013 began as a standard for companies in Europe, it is now embraced by businesses globally. Many companies now require cloud vendors to be ISO certified—and maintain that certification—throughout the life of a service contract.

Keep in mind that being "ISO certified" and "ISO compliant" are different things. ISO certification shows that a company either meets all the requirements of ISO/IEC 27001:2013, or a specific subset of controls, and that the status of those controls has been reviewed by an independent auditor. Certification is an ongoing process; auditors check requirements annually and look for improvement. Be sure to ask cloud services providers for an SOA (Statement of Applicability), a document showing which controls were in scope when the vendor was audited. "ISO compliant" means a company claims to follow the requirements of the ISO standard, but it has never been officially certified. This is acceptable practice. However, businesses should take time to review the provider's security measures, especially if the provider will be handling sensitive data.

ISO/IEC 27018:2014

Many cloud vendors are in the process of adding the ISO/IEC 27018:2014 code of practice to their ISO/IEC 27001 certification. A newer standard, ISO/IEC 27018:2014 "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment." Like ISO/IEC 27001:2013, ISO/IEC 27018:2014 will probably become a specific requirement outlined in many cloud service provider contracts in the future.

SSAE 16 SOC 1 and SOC 2

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16), also known as SOC 1 (SOC is "Service Organization Control"), was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 describes service-provider-defined controls and is intended to help companies better understand the processes and procedures in place, which helps build trust and confidence in the cloud provider's service delivery process. SOC 2, based on the AICPA Trust Services Principles and Criteria, outlines very specific controls for security and privacy, among others, and is another compliance standard more companies are adding to service contracts for cloud providers.

To demonstrate they are compliant with SSAE 16 and the AICPA Trust Services Principles and Criteria, companies must present SOC 1 and/or SOC 2 reports. Request that a cloud vendor specifically present a "SOC 1, Type II" and/or "SOC 2, Type II" report, which confirms that controls have been tested. (Type I is simply a description of how a company runs controls.) Pay special attention to who audited the report; larger firms are generally more thorough with these types of audits. It's important to read the report carefully to evaluate any control failures or exceptions the auditors may have noted.

ISAE 3402 Type II

This is the European version of SSAE 16 SOC 1, Type II. Cloud vendors don't typically need to have both attestations, but if they do, it's a positive.

FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, "is a U.S. government-wide program based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services." The FedRAMP certification process is arduous, and it can take years for a vendor to achieve the "Authority to Operate" (ATO). So, if a cloud services provider is FedRAMP certified, it means their security practices and controls met a very high bar. To see which cloud providers are FedRAMP certified, see the list on the program's website.

CSA CCM

An emerging standard, the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is "specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider." The matrix (available for download from the CSA) is a control framework designed by the CSA; its controls are mapped to other leading security standards, such as those described above. Cloud services providers are not required to use this framework. But if they do, or are working to adopt it, it suggests they have a very strong commitment to security. Ask cloud services providers if they have completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ), or check the CSA STAR Registry to see if they have submitted one.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment. In order to become certified, cloud providers who fall into this category must implement and maintain the standard. More on PCI can be found at https://www.pcisecuritystandards.org.

The security requirements a cloud vendor should meet to protect a customer's data depend largely on the type of information they will be asked to handle. The more sensitive the data, the more important adherence to industry standards becomes. Regardless, all cloud services providers should be able to demonstrate to their customers exactly what they are doing to ensure security.

© Cornerstone 2022