Secure or not?

It's a trap to think there is a check box for security

Published: Monday, Mar 8, 2021 Last modified: Saturday, Oct 16, 2021

After browsing Singapore’s TRM Guidelines from the MAS, it just struck me what I don’t like about it.

The claim that something is secure or not.

6.2.2 The financial institution (FI) should ensure secure coding, source code review and application security testing standards are applied during Agile software development.

A fair reading of this secure coding requirement would suggest to me, employing say a security linter like gosec via some continuous integration aka CI.

However there is a couple of problems with this:

  1. Insecure code can pass through a linter
  2. There is no such thing as secure anything
  3. Security vulnerabilities will be more likely to be found after not during development.

How might one address these issues?

  1. Might not be solvable until an incident occurs, you’re best chance is to have continuous delivery in place, to be able fix the problem in a timely manner!
  2. Accept there is no checkbox for something to termed “secure”. Build security in with the shift left approach. Have a security champion in your team.
  3. This requires specialised tooling especially if you do not deploy with CI every day on your dependencies (e.g. npm audit)

My colleagues in China have BuildSecurityIn to explain a methodology with security built into your development process. I’m confident the authors of the TRM document from MAS want the same thing, though I’m just nitpicking about how to express that.

Retorts: Roland suggests I am reading the TRM too closely 🤣