Software security best practices

Issue 4 2023 Infrastructure


Paul Meyer.

With every purchase of new technology or software, age-old concerns around the availability of supporting skills crop up. There are always questions about sufficient, certified internal skills or recruiting new talent, outsourcing services, or paying premium vendor professional services rates to get the deployment done as quickly and effectively as possible.

The latter is basically the only option if you wish to safely adopt new technologies in any business with confidence. Of course, there is also the consideration of the level of after-sales support to be employed and at what cost.

This is a much bigger issue than the consideration it receives, according to OWASP CICD-SEC-7, “an insecure system configuration risk stems from flaws in the security settings, configuration, and hardening of the different systems across the pipeline, often resulting in low-hanging fruits for attackers seeking to expand their foothold in the environment.”

Because businesses are under constant pressure to innovate, update and expand, system administrators and engineers are not afforded the time necessary to research security and vendor best practices, let alone the time needed to adapt and configure these practices to meet unique commercial requirements and IT-flow processes. This can lead to hastily deployed production software that introduces brand new security vulnerabilities directly into the enterprise.

Most vendors supply free best practice guides and high-level training via different means including shadowing deployment, but this takes time and a minimum level of existing knowledge to complete and most certainly does not ensure quality or secure rollout. With security products in particular, remediation of misconfigurations and security flaws takes a lot longer and often requires a total rebuild of the solution to negate these defects. In some cases, the solution might not function as expected at all, and identifying the underlying cause can be both a time-consuming and costly exercise that will eventually involve either vendor support or professional services.

Vendor professional services

Consider that when you employ vendor professional services, you are smashing the responsibility ball back into the vendor’s court with the goal of getting the deployment completed quickly, securely, and effectively with clear timelines and expected outcomes. Although it might seem expensive at first, bear in mind that it will only be done once for a vendor to fulfil their end of the professional services agreement on professional services.

Make no mistake, the vendor will include everyone necessary to get it done right in the shortest time possible. A misconfiguration or insecure deployment can cost you significantly more. Use of vendor-supplied default configurations or default login usernames and passwords is a recipe for disaster, and they usually remain insecure and easily exploitable.

Many software and hardware products come out of the box with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may allow attackers to exploit them. Network devices are also often similarly pre-configured with the aim of simplifying deployment. Default credentials may be physically labelled on the device or even readily available on the internet. Keeping these default settings creates opportunities for malicious activity, including gaining unauthorised access to information and installing malicious software. Network defenders should also be aware that the same considerations apply to extra software options, which may come with preconfigured default settings.

Cyberthreat actors routinely exploit poor security configurations, either misconfigured or left unsecured; weak controls and other poor cyber hygiene practices to gain initial access, or as part of other tactics, to compromise a victim’s system.

In conclusion, if you are adopting new technology in your enterprise, always consider vendor professional services for the initial deployment unless you have certified and experienced in-house skills. This negates the risk of insecure deployment, over extended deployment periods and creates an opportunity for your engineers to shadow on the deployment and learn hands-on. It will most likely cost you less in the end, the experience will be a lot richer and will also lead to a healthier vendor relationship on a technical level.

Find out more at iOCO, +27 11 607 8100, solve@ioco.tech, https://ioco.tech/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

From drone market growth to application-level commercialisation
IoT & Automation Infrastructure
After years of pilot projects and technology validation, the question for the market is shifting from whether drones can fly safely and collect data, to where they can deliver repeatable operational value at scale.

Read more...
AI-enabled NVR for Milestone XProtect
Surveillance Infrastructure Products & Solutions
As surveillance environments continue to grow in scale and complexity, organisations need infrastructure that is easy to deploy, simple to manage, and ready for AI-driven workloads.

Read more...
Industry perspective on industrial cybersecurity
Technews Publishing News & Events Infrastructure Industrial (Industry)
The Industrial Security Harmonization Group has released a joint industry perspective highlighting a critical truth in industrial cybersecurity: secure communication is not determined by protocols alone, but by how they are deployed and managed in real-world environments.

Read more...
Cyber resilience is the real defence
Security Services & Risk Management Information Security Infrastructure
Cyber resilience has evolved into a form of strategic agility, ensuring that when an interruption occurs, the business does not just survive; it snaps back into place before the market even notices a pause.

Read more...
Power, performance and profit
Power Management Infrastructure
Electricity remains the single largest operating cost for most data centres. In many African markets, power infrastructure is ageing or inconsistent, forcing operators to rely on backup generation to keep facilities online.

Read more...
Five signs your storage is holding you back
Infrastructure Surveillance
In the drive for business growth, organisations across South Africa are investing heavily in talent, applications, and strategy. Yet the foundational technology that underpins every digital interaction - data storage - is often overlooked.

Read more...
Service robot technology for residential complexes
Suprema AI & Data Analytics Infrastructure Residential Estate (Industry)
Suprema has signed a three-party memorandum of understanding (MOU) with Hyundai Motor Group Robotics LAB and Hyundai Engineering & Construction (Hyundai E&C) to collaborate on advancing residential complexes through service robot technology.

Read more...
Genetec launches Cloudlink 2210
Genetec Infrastructure Surveillance
New cloud-managed appliance addresses the practical challenges when adopting a cloud-managed model at scale, including storage costs, support for devices that do not enable direct-to-cloud connectivity, and the need to maintain local operation during connectivity disruptions

Read more...
Proactive estate security in Cape Town
neaMetrics OneSpace Technologies Technews Publishing SMART Security Solutions Fang Fences & Guards ATG Digital Editor's Choice News & Events Integrated Solutions Infrastructure Residential Estate (Industry)
SMART Security Solutions started the year with our annual SMART Estate Security Conference in Cape Town on 26 February 2026. Held at Anna Beulah Farm, the conference saw a number of delegates enjoying the farm’s excellent cuisine, while listening to outstanding presenters.

Read more...
AI projects are failing at alarming rates
AI & Data Analytics Infrastructure
As organisations around the world accelerate their investments in artificial intelligence, digital transformation and data analytics, a growing number of industry experts are warning that many companies are still approaching these initiatives in fundamentally flawed ways.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.