Here we talk about the production stage of software security and why it is such an important phase.

You might wonder why we have this phase at all, since the system is already in production.

The goal of the production phase is to make sure the system stays secure while it is in production. It is not enough that the system was secure when it went live; it has to continue to be secure.

We should continue to be vigilant and look for new security-related threats and potential attacks.

System security is an ongoing process that never ends. A system that was secure one year ago might no longer be so. New risks show up almost every day: new viruses, worms and vulnerabilities appear all the time and each of them is a new risk to a system that has not changed.

How do we make sure the system is still secure?

There are mainly two ways:

  1. Security Review
  2. Penetration Testing

Security Review

As mentioned before, software security is not static and new security threats are always developing. We hear about new viruses, worms and security flaws almost daily. We must make sure the system is protected against these new threats.

Once in a while, for example once per month, we should conduct a security review. This security review is actually a meeting which ideally should include all the participants in the project. In this meeting we review newly published security threats and advisories related to the components used in the system, such as third-party libraries, frameworks and the database. This is only practical if we keep an up-to-date inventory of those components and their exact versions, because an advisory is useless unless we can tell whether the version we run is affected.

After discussing new threats, we plan changes accordingly. For example, if we find out that the database version we use is vulnerable, we should upgrade it, and if no fixed version exists yet, apply the vendor's recommended mitigation and track the issue until a fix is released.
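One way to do the version-matching part of such a review, as an added example that is not from the original page: keep the production inventory as a list of components and versions, and match it against the advisories collected for the meeting. The inventory, the advisory IDs, component names and affected ranges below are all constructed for illustration and do not describe real software or real vulnerabilities.

```python
"""Match a component inventory against security advisories.

Added example, not from the original page. INVENTORY and ADVISORIES are
constructed sample data: the component names, advisory IDs, ranges and
summaries are invented and do not refer to real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '13.2' into a tuple that compares numerically.

    Handles plain dotted numeric versions with an optional '-prerelease'
    suffix ('3.0.1-rc1'). Vendor schemes such as letter suffixes need
    their own rule and are deliberately not handled here.
    """
    main, _, prerelease = text.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))        # pad '10.4' to (10, 4, 0)
    # A pre-release sorts below the final release with the same number.
    return tuple(nums) + ((0,) if prerelease else (1,))


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    summary: str

    def affects(self, version: str) -> bool:
        """True if the given version falls inside the affected range."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


def review(inventory: dict, advisories: list) -> list:
    """Return (component, version, advisory id, action) for every match."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is None or not adv.affects(version):
            continue
        if adv.fixed:
            action = f"upgrade to {adv.fixed}"
        else:
            action = "no fix yet: apply a mitigation and track"
        findings.append((adv.component, version, adv.id, action))
    return sorted(findings)


# Constructed inventory of what runs in production (hypothetical components).
INVENTORY = {
    "exampledb": "13.2",
    "jsonlib": "2.12.3",
    "webproxy": "1.20.1",
    "tlslib": "3.0.1-rc1",
}

# Constructed advisories; IDs, ranges and summaries are invented.
ADVISORIES = [
    Advisory("EX-0001", "exampledb", "13.0", "13.4", "example: privilege escalation"),
    Advisory("EX-0002", "jsonlib", "2.9.0", "2.12.4", "example: unsafe deserialization"),
    Advisory("EX-0003", "webproxy", "1.21.0", None, "example: only the 1.21 branch"),
    Advisory("EX-0004", "tlslib", "3.0.0", None, "example: no fixed release yet"),
    Advisory("EX-0005", "queuelib", "1.0.0", "1.0.2", "example: component we do not run"),
]


if __name__ == "__main__":
    for component, version, adv_id, action in review(INVENTORY, ADVISORIES):
        print(f"{component} {version}: {adv_id} -> {action}")
```

The inventory is the key input: the script only finds what it is told the system runs, so the inventory must cover the database, runtime, libraries and infrastructure components, not just application code dependencies.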

Penetration Testing

We have discussed this earlier in detail.

When the system is in production, we should conduct penetration testing once in a while, and in particular after any significant change or release. Our goal with this repeated test is to make sure the system is still secure and that no new vulnerabilities have been introduced. Comparing the findings with those of the previous test also confirms that recent changes did not weaken the system's security and that earlier findings were actually fixed.

After the test, we should analyze the results and plan changes accordingly.
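A small way to turn two rounds of findings into the comparison described above, as an added example that is not from the original page: key each finding on what it is and where it was found, split the rounds into new, fixed and still-open findings, and gate on whether anything new appeared at or above a chosen severity. The findings, URLs and issue names are constructed for illustration.

```python
"""Compare two rounds of penetration-test findings.

Added example, not from the original page. ROUND_1 and ROUND_2 are
constructed sample data; the issue names and locations are invented.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    issue: str       # kind of weakness reported
    location: str    # where it was found
    severity: str

    def key(self):
        # Identity of a finding across rounds: same issue at the same place.
        return (self.issue, self.location)


def _by_severity(f: Finding):
    return (SEVERITY_ORDER.get(f.severity, 99), f.location)


def compare_rounds(previous: list, current: list) -> dict:
    """Split findings into new, fixed and still open, most severe first."""
    prev = {f.key(): f for f in previous}
    curr = {f.key(): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    fixed = [prev[k] for k in prev.keys() - curr.keys()]
    still_open = [curr[k] for k in curr.keys() & prev.keys()]
    return {
        "new": sorted(new, key=_by_severity),
        "fixed": sorted(fixed, key=_by_severity),
        "still_open": sorted(still_open, key=_by_severity),
    }


def gate(report: dict, threshold: str = "high") -> bool:
    """True if no new finding at or above the threshold was introduced."""
    limit = SEVERITY_ORDER[threshold]
    return all(SEVERITY_ORDER.get(f.severity, 99) > limit for f in report["new"])


# Constructed findings from two hypothetical test rounds.
ROUND_1 = [
    Finding("reflected XSS", "/search?q=", "medium"),
    Finding("missing rate limit", "/login", "low"),
    Finding("verbose error page", "/api/orders", "low"),
]
ROUND_2 = [
    Finding("reflected XSS", "/search?q=", "medium"),
    Finding("IDOR", "/api/orders/{id}", "high"),
    Finding("verbose error page", "/api/orders", "low"),
]


if __name__ == "__main__":
    report = compare_rounds(ROUND_1, ROUND_2)
    for bucket in ("new", "fixed", "still_open"):
        for f in report[bucket]:
            print(f"{bucket:10} {f.severity:8} {f.issue} at {f.location}")
    print("release gate passed:", gate(report, "high"))
```

Findings that are "still open" after two rounds deserve as much attention as new ones: they show that the changes planned after the previous test were not carried out.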


We should conduct security reviews periodically after the system goes live. We must be aware of new threats and of how they apply to the system.

We should review the penetration test results and their findings too.

Then we should plan changes accordingly and continue to keep the system as secure as possible.



