Eight Cybersecurity Practices Software Engineers Should Adopt and Support

Surprisingly, cybersecurity can be as simple as following best practices, which should ideally be baked into the corporate culture itself. Learn more in this article.

Importance of Cybersecurity

Given today’s cybersecurity expectations, software engineers should prioritize the security of their computer systems and internal IT networks. I think it’s a mistake to rely heavily on technology because a lot of the risks are non-technical in nature. The internet can make businesses vulnerable to data breaches and ransomware, leading to lasting reputational damage. These non-technical risks can indeed be handled using technological solutions.

These incidents can also result in significant financial losses and potential legal issues. In my opinion, implementing strong cybersecurity measures is not only a technical requirement, but a critical initiative for any business looking to strengthen its defenses and resilience.

In this post, I want to make the case that software engineers should stop viewing security as the responsibility of security engineers and instead accept that it is their responsibility. You don’t need to be an engineering manager or executive to come up with and implement best practices. Software engineers should use the power of persuasion, data, and demonstrating return on investment to gently nudge their organizations in this direction.

Major cybersecurity incidents

(1) Equifax data breach

This is probably the best-remembered breach and possibly one of the biggest security breaches of all time. In this incident, the Social Security numbers and credit card information of 144.5 million people were stolen. The breach occurred because a weakness in the web application framework was not fixed in time. This shows how important it is to keep your software updated in a timely manner.

(2) WannaCry ransomware attack

The attack caused lasting damage, crippling thousands of computer networks. The National Health Service in the UK was forced to use pen and paper to manage its facilities. The ransomware attack affected more than 200,000 computers in 150 countries around the world. It was caused by an unpatched Windows vulnerability.

(3) SolarWinds cyberattack

The cyberattack on the SolarWinds Orion platform was a relatively rare supply chain attack. Hackers inserted a virus into a software update. The breach affected many U.S. government agencies and private sector companies, highlighting the vulnerabilities associated with third-party software.

8 Cybersecurity Best Practices

1. Is there a data classification strategy and is it enforced?

No one knows data better than the people who write the software to process and manage it. Software engineers have a responsibility to use data as intended. Software engineers should drive robust data classification policies and enforcement mechanisms. At the end of the day, if there is misuse, software engineers will be held accountable, even if partially.

Data classification is the process of sorting data into different groups based on (a) how sensitive it is and (b) how much harm it could cause if seen by the wrong person. Such classification, though simple, is effective: with a plan for data classification, we can ensure that important information remains safe and is seen only by those who should see it. It is also important to regularly check whether we are following the rules and make changes to the groups if needed.
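One way such an enforcement mechanism can look in code, as an added example that is not from the original article. The four sensitivity levels, the field names and the sample record are assumptions made up for illustration; fields nobody has classified are treated as the most sensitive group so that gaps in the policy fail closed.

```python
from enum import IntEnum


class Sensitivity(IntEnum):
    """Hypothetical groups, ordered by the harm caused if the data leaks."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed classification policy: every known field gets exactly one label.
FIELD_LABELS = {
    "display_name": Sensitivity.PUBLIC,
    "email": Sensitivity.INTERNAL,
    "salary": Sensitivity.CONFIDENTIAL,
    "ssn": Sensitivity.RESTRICTED,
}


def label_for(field: str) -> Sensitivity:
    """Unclassified fields fail closed: they count as RESTRICTED."""
    return FIELD_LABELS.get(field, Sensitivity.RESTRICTED)


def redact(record: dict, clearance: Sensitivity) -> dict:
    """Return a copy of record with every field above the clearance masked."""
    return {
        field: value if label_for(field) <= clearance else "[REDACTED]"
        for field, value in record.items()
    }


def unlabeled_fields(record: dict) -> list:
    """Fields missing from the policy, for the regular review of the groups."""
    return sorted(set(record) - set(FIELD_LABELS))


# Constructed sample record; "notes" has deliberately not been classified.
SAMPLE = {"display_name": "A. Example", "email": "a@example.test",
          "salary": 1000, "ssn": "000-00-0000", "notes": "free text"}
```

Running `unlabeled_fields` over real records on a schedule gives the regular check described above a concrete output: a list of fields the policy has not caught up with.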

2. Is there an inventory of data, equipment, and policies?

Software engineers should have enough tools, information, and guidelines to implement security. They should become supporters of such a culture, which will ultimately make their lives much easier.

Maintaining an up-to-date inventory of all data, devices, and policies is essential in any effective network security management system. Such a list helps you understand what data is stored where and how it is protected. It also ensures that hardware, installed software, and configurations are documented so that vulnerabilities can be identified.

3. Conduct regular risk assessments and make improvement recommendations

One of the biggest tools in a software engineer’s toolbox is a threat model. It includes a blueprint of all the software components involved, the interactions between them, and the entry and exit points for customer requests. Asking each other tough questions helps us assess risk and avoid falling into the trap of unfounded assumptions.

Regular risk assessments enable you to identify threats or vulnerabilities in your development environment. These assessments must include internal and external factors, including employees and third-party vendors, as well as new cyberattack trends. Based on these findings, you must make recommendations for improvements to strengthen your organization's security posture.

4. Implement two-factor authentication (2FA) for all login attempts

Two-factor authentication provides additional security because users must provide two types of identification to access an account or system. Therefore, even if login credentials are exposed, this reduces the chances of unauthorized individuals gaining entry. Implementing 2FA on all platforms and applications is fundamental to protecting sensitive data.

While it may sound like an IT requirement, 2FA should be used to access all key software engineering platforms and portals. Do you want to log into a jump host in order to access a cloud environment? Make sure your workflows have 2FA enabled. If not, can you convince the people who manage the infrastructure involved?

5. Is there a company-wide password management system?

A password management system provides a secure way to store and manage passwords, allowing you to develop reliable and unique passwords for various accounts. It reduces the risk of password breaches and simplifies personal login credential management.

There may be many external systems that do not have single sign-on and for which we need to create another set of credentials, some of which can be shared with the team. A password manager is the best way to share these passwords or secrets between engineers and other employees - no more sending secrets via email or chat messages.

6. Security Awareness Training and Phishing Testing

Training employees on cybersecurity threats and best practices is essential to creating a security-conscious culture. Security awareness training should regularly cover areas such as identifying phishing emails, safe use of the internet, and proper data handling procedures. Phishing tests can be conducted occasionally to determine if employees are able to notice or report suspicious incidents.

As a software engineer, this is even more important if you use internal tools (which often provide broader permissions). Talk to your security team or IT department about security awareness training.

7. Encrypt all internal and external communications

Encryption ensures that sensitive information sent within and outside an organization remains confidential and secure. Robust encryption protocols should be deployed on all communication channels, including email systems, messaging applications, and file transfers. Thus, even if the information is intercepted in transit, unauthorized access to the information is prevented.

AES-256 is a good encryption algorithm for data at rest. For data in transit, it's best to use the defaults of whatever TLS library you're using for communication. They usually default to AES-256, and sticking with the default ensures that we don't end up using any lesser-known, less-researched encryption algorithms. Even peer-to-peer machine communications should ideally use encryption. Using plaintext communication between endpoints on a private network is possible, but it requires a lot of experience to lock it down.
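The advice to stay on the TLS library's defaults can be checked mechanically. The following added example (not from the original article) uses Python's standard `ssl` module as the TLS library, which is an assumption since the article names none; `hand_tuned_context` is a constructed example of the kind of settings that drift away from the defaults, and `audit_tls_context` reports that drift.

```python
import ssl
import warnings


def default_client_context() -> ssl.SSLContext:
    """Library defaults: certificate and hostname verification are on."""
    return ssl.create_default_context()


def hand_tuned_context() -> ssl.SSLContext:
    """Constructed example of a context weakened away from the defaults."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # peer certificate no longer verified
    with warnings.catch_warnings():   # old versions raise a deprecation warning
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def _floor(version: ssl.TLSVersion) -> int:
    """Order versions numerically; the MINIMUM_SUPPORTED sentinel sorts lowest."""
    return 0 if version == ssl.TLSVersion.MINIMUM_SUPPORTED else int(version)


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """List the ways ctx is weaker than ssl.create_default_context()."""
    baseline = ssl.create_default_context()
    findings = []
    if ctx.verify_mode != baseline.verify_mode:
        findings.append("certificate verification differs from default")
    if ctx.check_hostname != baseline.check_hostname:
        findings.append("hostname checking differs from default")
    if _floor(ctx.minimum_version) < _floor(baseline.minimum_version):
        findings.append("minimum TLS version is below the default")
    return findings
```

Because the audit compares against a freshly built default context instead of hard-coded values, it keeps tracking the library as its defaults are tightened in later releases.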

8. Is there an incident response plan?

A developed incident response plan helps guide an entity's actions during a cyber threat, such as a data breach or ransomware infiltration. It includes preventive measures, response protocols, recovery strategies, and communication procedures. Regular rehearsals and continuous improvements to the plan ensure that the organization is prepared for potential security emergencies.

In most cases, software engineers will be involved in an incident and they will bear the majority of the mitigation responsibility. Having a plan like this ensures that you, as a software engineer, know your roles and responsibilities.

Summary

In summary, while these practices may seem simple at first glance, software engineers must remember their importance. Sometimes, good solutions are the simplest. With complex policies, there will be confusion, which is exactly what malicious actors want. These practices are more effective when they are integrated into the culture of the organization.