Cyber Security Responsibilities of Roles Involved in Software Development

Building secure software is crucial as a vulnerable software would be an easy target for the cyber criminals to exploit. There are people, process and technology forming part of the software supply chain and it is very important that all of these plays a role in securing the supply chain. While process and technology play the role of enablers, it is people who should buy-in and adapt to the mindset of ensuring security in every aspect of their routine work. People's understanding, awareness, and active participation in security practices throughout the software supply chain directly impact the software's overall security posture. This includes developers implementing secure coding techniques, security teams identifying vulnerabilities, and everyone involved staying updated on the latest threats and best practices to prevent potential security breaches.

Whatever said and done, the root cause of a vulnerability in a software ultimately boils down to people, because someone somewhere had missed something and thus a security defect creeps in to the supply chain and shows up as a vulnerability. It could be a missed requirement by the Business Analyst or a simple coding mistake by a developer. So, everyone involved in the software development right from gathering requirements to deployment of the software in production environment need to have the sense of cyber security in what they do. Even those involved in support and maintenance of software systems also has a role in keeping the software secure.

With that context, let's dive into the cyber security responsibilities of various roles involved in the software supply chain.

Product Owner / Product Manager

While some organization may have both the roles some may have only one of the above role. In any case, be it Product Owner or Product Manager, those assuming such role shall ensure to pay attention to security and data protection requirements of the product that they manage.

Product Owners are responsible for delivering maximum value and excellent end user experience. In the SaaS world, they act as a link between stakeholders, development teams, and end users – ensuring the product meets business goals and specific user needs. In today's digital era, security and data protection is a key consideration and is fundamental to the value delivered. Security lapse may easily break the trust and thus make the product useless in no time.

Given this, the Product Owners should know how to protect the product from the dangers and threats of the outside world. To effectively, ensure that the product is reasonably secure, the Product Owners responsibility should set the security and data protection as priority in every phase of the product lifecycle. 

Business Analyst

Business Analyst's role is critical in software development, as it is them who will at the front line, gathering, eliciting and documenting the functional and as well as non-functional requirements for a software product. It will be most beneficial in terms of efforts, if the business analyst could anticipate and call out potential data protection and security requirements for a software product. 

A business analyst's security responsibilities include: 

• identifying potential security risks within business processes.
• ensuring data privacy by analyzing data flows.
• recommending security controls during project planning.
• communicating security concerns to stakeholders.
• staying updated on emerging security threats to incorporate into their analysis.

Essentially the business analysts should act as a bridge between business needs and security requirements. Depending upon the sensitivity and criticality of the domain that the software product caters to, the the responsibilities may extend beyond what is stated above.

Software / Solution Architect 

Software and solution architects play distinct but intertwined roles in developing and implementing IT solutions. Software architects focus on the design and implementation of software components, while solution architects bridge the gap between business needs and technical solutions, ensuring alignment across the entire IT landscape.

Software and Solution Architects play a critical role in ensuring cybersecurity within the software supply chain. Their responsibilities span multiple areas, including designing secure architectures, enforcing compliance, and mitigating risks associated with third-party dependencies. 

Here are some key responsibilities of Software and Solution Architects:

• Ensure zero-trust architecture principles are embedded in design.
• Define and implement security controls for third-party integrations and dependencies.
• Integrate automated security testing (SAST, DAST, SCA) into CI/CD pipelines.
• Conduct risk assessments for third-party software components.
• Monitor for vulnerabilities in open-source and third-party libraries.
• Enforce code signing and provenance verification.
• Establish remediation workflows for compromised dependencies.
• Ensure compliance with NIST 800-161, ISO 27001, and / or such other supply chain security frameworks.
• Align the solution design and security practices with applicable government regulations.

At a minimum, the Software and Solution Architects shall ensure integration of security in the early stages of design and adherence to the Secure Software Design practices which include implementation of Secure Defaults, Least Privilege Principle, Defense in Depth, Secure Configuration Management and Security Testing.

Software Developers

Software developers are the ones who create the application in line with the business requirement and the technical design by writing code. It is important that they understand and interpret the business requirement and technical design in the same way the business analysts and architects have envisioned. 

Off late exploitation of vulnerabilities has been among the most used methods by the cyber criminals. Given that trend, software developers play a crucial role in creating / building secure software, ensuring that the applications remain resilient against cyber threats. Their responsibilities span across secure coding, dependency management, and proactive risk mitigation. 

Here are the key responsibilities of software developers:

• Ensure strict adherence to the secure coding standards to prevent vulnerabilities like SQL injection and buffer overflows.
• Scan software with automated security testing tools (SAST, DAST, SCA).
• Ensure secure CI/CD pipelines to prevent unauthorized code injections.
• Validate checksums to ensure integrity of downloaded dependencies.
• Use lock files to prevent unintended updates to third-party libraries.
• Enforce code signing to verify authenticity of software components.
• Use artifact signing to prevent tampering.
• Develop remediation workflows for compromised dependencies.

QA engineers / Testers

A Software QA Engineer plays a crucial role in security by ensuring software is free from  vulnerabilities. More specifically, their role is very relevant in preventing various injection vulnerabilities by ensuring that the inputs from all sources are properly sanitized and validated before processing. Besides, they are expected to ensure basic authentication and authorization, password rules, MFA requirement, data leak prevention, etc.

The key responsibilities of QA Engineers include:

• Ensuring that proper authentication and authorization is in place.
• Sensitive data is identified and restricted to authorized users only.
• All inputs (through all sources) are sanitized and validated at server side, before processing.
• Data in transit is encrypted and sensitive data is not transmitted in plain text
• Review and test documented feature specific security requirements.
• Ensure regulatory compliance requirements are documented and test the same.
• Test Data downloads to ensure that appropriate level data masking, encryption or password protection for the downloaded files are implemented
• Look for bulk downloads, which shall be restricted to authorized users only.
• Ensure that the error / exception messages doesn't reveal any sensitive environment / technology details.
• Ensure that all uploads are restricted for appropriate file types and file size.

DevOps Engineer

DevOps engineers are IT professionals who oversee code releases and the relationship between development and IT operations teams within an organisation. They aim to establish a culture of collaboration between teams that historically have been siloed. DevOps seeks to automate and streamline the build, test and release processes via a continuous delivery pipeline. 

DevOps engineers play a key role in ensuring supply chain security. focus on the continuous integration and continuous deployment (CI/CD) pipeline. With security included, their function transitions to DevSecOps.

Their security specific responsibilities include:

• Ensure that the authentication keys and other secrets associated with the DevOps pipeline are maintained securely, preferably within a Secure Key Management Service.
• Ensure automated static and dynamic application security testing (SAST & DAST) is performed to ensure that the code and the dependent components are free from any vulnerabilities.
• Ensure that the packaged image or code is free from vulnerabilities by performing automated scanning.
• Review and ensure that the deployment script is free from any external injections.
• Ensure that all changes to the deployment scripts impacting the infrastructure configuration are subject proper change management process with requisite approvals.

Production Support / Help Desk Engineer

The production support engineers are the ones who face the customers who report issues in production systems. They extend L1 support and to understand and diagnose the issues reported they may need additional inputs / data for which many organizations just grant them read only access to production databases. This would be the biggest risk, as they are the easy targets for the hackers to gain access to the database. While read-only access may protect the database from unauthorized modification, it would not prevent from data leakage.

Ideally, production support engineers should never have direct access to database, instead they may have a CRM kind of controlled interface to query data pertaining to the one customer (or entity) at a time. Such interface shall have a log of all activities performed.

Here are some of the key responsibilities of the production support / helpdesk engineer:

• Ensure to establish the identity of the caller / customer being serviced and share only the data pertaining to such customer or entity.
• Ensure that while sharing such data, sensitive data is appropriately masked.
• If access to database is absolutely necessary, request for temporary access, so that such credentials are revoked immediately after its intended use.
• Use MFA and / or stronger password and keep the credentials safe.
• Never leave the system unattended.

Conclusion

Each role in the software development lifecycle has a unique set of responsibilities when it comes to cybersecurity. By understanding and implementing these responsibilities, software developers can significantly enhance the security posture of their applications, ensuring a safer digital environment for all.

Remember, cybersecurity is a team effort—everyone plays a part in keeping data safe!