Security and Privacy for Software Development

A comprehensive guide to integrating security and privacy best practices throughout the software development lifecycle — from secure coding to GDPR compliance and beyond.

Mohan

Why Security and Privacy Can No Longer Be an Afterthought

In 2024, the average cost of a data breach reached $4.88 million, an all-time high. Yet most of the vulnerabilities behind those breaches are introduced during development, which is exactly where they cost the least to fix. Security and privacy must be baked into the development lifecycle from day one, not bolted on at the end.

1. Shift Left: Security in the SDLC

Shifting left means moving security activities earlier — into design and coding phases rather than waiting for pre-production testing.

  • Threat modelling during design — Use STRIDE to identify threats before a line of code is written.

  • Security requirements alongside functional requirements — Define what the system must NOT do (e.g. expose PII in logs) just as clearly as what it must do.

  • Developer security training — Teams that understand the OWASP Top 10 write fundamentally safer code.

2. The OWASP Top 10

OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) maintains a list of the ten most critical web application security risks. The current 2021 edition:

  1. Broken Access Control — Users acting outside their intended permissions.

  2. Cryptographic Failures — Weak or missing encryption of sensitive data in transit or at rest.

  3. Injection — SQL, NoSQL, OS, and LDAP injection via untrusted data.

  4. Insecure Design — Architectural flaws no implementation can fully mitigate.

  5. Security Misconfiguration — Default credentials, open cloud storage, verbose error messages.

  6. Vulnerable and Outdated Components — Using libraries with known CVEs.

  7. Identification and Authentication Failures — Weak session management, brute-force vulnerabilities.

  8. Software and Data Integrity Failures — Untrusted CI/CD pipelines, insecure deserialization.

  9. Security Logging and Monitoring Failures — Inability to detect and respond to breaches.

  10. Server-Side Request Forgery (SSRF) — Manipulating servers into making unintended requests.

3. Secure Coding Practices

  • Input validation — Never trust user input. Validate type, length, format, and range server-side.

  • Parameterised queries — Eliminate SQL injection by never concatenating user input into queries.

  • Principle of least privilege — Database accounts, API keys, and service roles need only the permissions required.

  • Secrets management — Store secrets in a vault (HashiCorp Vault, AWS Secrets Manager), never in source code.

  • Dependency management — Run automated CVE scanning in CI to catch vulnerable packages before production.
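The first three practices above, input validation, parameterised queries and least privilege at the query level, are easiest to see side by side. The following is an added example, not code from the original article: a vulnerable login query built by string concatenation next to its parameterised form, plus a server-side validator for a numeric id. The in-memory SQLite table and its rows are constructed sample data, and the function names are illustrative.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # VULNERABLE: untrusted input is concatenated into the statement text, so a
    # username such as "alice' --" comments out the password check entirely.
    # (A real login fetches the stored hash and verifies it with bcrypt; the
    # equality lookup here only keeps the injection easy to see.)
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # HARDENED: placeholders. The driver passes the values separately from the
    # statement, so input can only ever be data, never SQL structure.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row is not None


def parse_user_id(raw: str) -> int:
    """Server-side validation of a path/query parameter: type, length and range.

    str.isdigit() on its own also accepts Unicode digits (e.g. fullwidth '１２'),
    which int() converts without complaint, so the ASCII check is not redundant.
    """
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        raise ValueError("user id must be 1-10 ASCII digits")
    value = int(raw)
    if not 1 <= value <= 2**31 - 1:
        raise ValueError("user id out of range")
    return value


def get_username(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    # Validate first, then still use a placeholder: validation and
    # parameterisation are separate defences, not alternatives.
    row = conn.execute(
        "SELECT username FROM users WHERE id = ?", (parse_user_id(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected   :", login_vulnerable(db, "alice' --", "wrong"))      # True
    print("parameterised, injected:", login_parameterised(db, "alice' --", "wrong"))  # False
    print("user 1 is", get_username(db, "1"))
```

The same placeholder discipline applies to every driver and ORM: if you ever find yourself formatting a value into a query string (including for `IN (...)` lists and dynamic table or column names, which placeholders cannot express), treat it as a code-review blocker and reach for the driver's own quoting API or an allow-list instead.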

4. Privacy by Design

Privacy by Design, codified in GDPR Article 25, means building privacy into architecture rather than adding it as a feature. Key principles include data minimisation, purpose limitation, and retention limits — collect only what you need, use it only for stated purposes, and delete it when it is no longer required.

5. Authentication and Authorisation

  • Bcrypt (or Argon2id) for password hashing — These are deliberately slow, salted hashes. Never store passwords in plain text or with fast general-purpose hashes such as MD5 or SHA-256, which a GPU can brute-force at billions of guesses per second.

  • Multi-factor authentication — MFA for all accounts, especially admin and privileged users.

  • Short-lived JWTs — Access tokens should expire in minutes to hours, and the server must verify the signature and expiry on every request with the algorithm pinned server-side rather than read from the token. Use refresh token rotation so that reuse of a stolen refresh token is detected.

  • Server-side authorisation — RBAC or ABAC enforced on the server, never relying on client-side checks.
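To make the last two bullets concrete, here is an added example (not the article's own code) of an HS256 access token issued with a 15-minute `exp`, a verifier that pins the algorithm, checks the signature in constant time and rejects expired tokens, and a server-side RBAC decision taken from the verified claims only. It uses the standard library so the token format is visible; in production use a maintained JWT library and load the signing key from a vault. `SIGNING_KEY`, the claim names beyond the registered `sub`/`iat`/`exp`, and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

# Constructed signing key for the example only. In production it is loaded from a
# vault at start-up (see "Secrets management" above), never committed to source.
SIGNING_KEY = b"example-only-hs256-key"


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: Dict[str, Any]) -> str:
    """Canonical JSON, base64url without padding (one JWT segment)."""
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(subject: str, roles: List[str], ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 access token (default 15 minutes)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Return the claims if the signature is valid and the token has not expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims_raw = b64url_decode(claims_b64)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm server-side: the token must never choose how it is
    # verified (rejects alg=none and algorithm-confusion tokens).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    try:
        claims = json.loads(claims_raw)
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    if (not isinstance(claims, dict) or not isinstance(claims.get("exp"), int)
            or now >= claims["exp"]):
        raise TokenError("token expired or missing exp")
    return claims


def authorise(token: str, required_role: str, now: Optional[int] = None) -> bool:
    """Server-side RBAC: decide from verified claims; client-supplied flags are ignored."""
    try:
        claims = verify_token(token, now=now)
    except TokenError:
        return False
    roles = claims.get("roles")
    return isinstance(roles, list) and required_role in roles


if __name__ == "__main__":
    tok = issue_token("alice", ["user"])
    print("alice may read  :", authorise(tok, "user"))   # True
    print("alice may admin :", authorise(tok, "admin"))  # False
```

Two things to carry over to a real deployment: allow a small clock-skew leeway (tens of seconds) on `exp` between services, and keep the `exp` short precisely because a stateless token cannot be revoked; session-ending events (logout, password change, role removal) take effect only when the refresh token is rotated or denied.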

6. Encryption: In Transit and At Rest

  • TLS 1.2+ everywhere — All client-server and service-to-service communications must be encrypted.

  • Column-level encryption — PII, payment data, and health information encrypted at the database level.

  • HSTS headers — Use Strict-Transport-Security (with a long max-age and includeSubDomains) so browsers refuse to be downgraded to plain HTTP. The header only takes effect after a first successful HTTPS visit, so submit the domain to the HSTS preload list to cover that first request as well.

  • Key rotation — Rotate encryption keys regularly and store them separately from the data they protect.

7. GDPR Compliance in Code

For teams serving EU users, GDPR compliance requires concrete engineering work:

  • Data Subject Access Requests — APIs that export all data held for a given user, so a request can be answered within the one month GDPR Article 12 allows (extendable by two months for complex requests).

  • Right to Erasure — Soft and hard delete mechanisms that cascade correctly across services.

  • Audit logs — Tamper-evident logs of who accessed or modified personal data.

  • Consent management — Track, store, and respect user consent for each processing purpose.
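One way to make the audit-log bullet tamper-evident is a hash chain: each entry records who touched which personal-data record for which purpose, and commits to the hash of the entry before it, so editing or deleting an entry breaks every link after it. The following is an added example, not the article's code; the entry fields, class and function names are assumptions for illustration, and the log lines in the `__main__` demo are constructed.

```python
import hashlib
import json
import time
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(entry: Dict[str, Any]) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only access log; each entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, record: str, purpose: str,
               ts: Optional[int] = None) -> Dict[str, Any]:
        entry = {
            "seq": len(self.entries),
            "ts": int(time.time()) if ts is None else ts,
            "actor": actor,      # who: service account or human principal
            "action": action,    # read / update / delete / export
            "record": record,    # which personal-data record was touched
            "purpose": purpose,  # the processing purpose relied on
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Current chain head; anchor this out-of-band (signed, or in a WORM store)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index). ok is False at the first entry whose contents, sequence
    number or back-link do not match; index == len(entries) when all links hold.
    If expected_head is given, the final hash must also equal that anchored value."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev or entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, len(entries)


if __name__ == "__main__":
    log = AuditLog()
    log.append("svc-billing", "read", "user:42/email", "contract", ts=1)
    log.append("admin:bob", "update", "user:42/address", "contract", ts=2)
    log.append("svc-export", "export", "user:42/*", "dsar", ts=3)
    anchor = log.head()
    print("intact:", verify_chain(log.entries, anchor))   # (True, 3)
    log.entries[1]["actor"] = "admin:mallory"
    print("edited:", verify_chain(log.entries, anchor))   # (False, 1)
```

The caveat a practitioner should keep in mind: a hash chain alone proves only that the log you are holding is internally consistent. Someone with write access to the whole store can rewrite every entry from the edit onwards and produce a chain that verifies. The protection comes from anchoring the head hash somewhere the writer cannot reach (a separate signed ledger, a WORM bucket, or a periodic signed checkpoint), which is why `verify_chain` takes an `expected_head`.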

8. Security Testing

  • SAST — Static analysis tools (SonarQube, Semgrep, Snyk) scan code at commit time.

  • DAST — Dynamic testing tools (OWASP ZAP, Burp Suite) test running applications for exploitable vulnerabilities.

  • Dependency scanning — Automated CVE checks in the CI pipeline.

  • Penetration testing — Annual or pre-launch professional pen tests for high-value systems.

9. Secure CI/CD Pipelines

The software supply chain is itself an attack surface. Pin dependency versions and verify checksums, sign build artefacts, use minimal hardened container base images, restrict pipeline permissions, and scan images for CVEs before deployment.
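The "pin versions and verify checksums" step of that list, as an added example that is not the article's own code: a release step writes a manifest of SHA-256 digests in the format produced by `sha256sum`, and a pipeline step refuses to proceed unless every downloaded artefact matches its pinned digest, nothing is missing, and nothing unexpected has appeared. The artefact names and bytes are constructed for the example, and the function names are illustrative.

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Release step: one pinned digest per artefact, in `sha256sum` output format."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse `<hex digest>  <name>` lines (a leading '*' marks binary mode in sha256sum)."""
    pinned: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if name in pinned:
            raise ValueError(f"duplicate manifest entry: {name!r}")
        pinned[name] = digest
    return pinned


def verify_artifacts(manifest_text: str, downloaded: Dict[str, bytes]) -> List[str]:
    """Pipeline gate. Returns a list of problems; an empty list means every pinned
    artefact is present and matches, and nothing unpinned slipped in."""
    pinned = parse_manifest(manifest_text)
    problems: List[str] = []
    for name in sorted(set(pinned) | set(downloaded)):
        if name not in pinned:
            problems.append(f"{name}: not in manifest (unexpected artefact)")
        elif name not in downloaded:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_hex(downloaded[name]), pinned[name]):
            problems.append(f"{name}: digest mismatch")
    return problems


if __name__ == "__main__":
    # Constructed artefacts standing in for a build's outputs.
    artifacts = {
        "app-1.2.0.tar.gz": b"constructed tarball bytes",
        "app-1.2.0.sbom.json": b'{"spdxVersion":"SPDX-2.3"}',
    }
    manifest = build_manifest(artifacts)
    print(manifest, end="")
    print("clean   :", verify_artifacts(manifest, artifacts))
    tampered = dict(artifacts, **{"app-1.2.0.tar.gz": b"constructed tarball bytes + backdoor"})
    print("tampered:", verify_artifacts(manifest, tampered))
```

A pinned digest proves the bytes you fetched are the bytes that were pinned; it says nothing about whether the pinned bytes were trustworthy in the first place. That is the job of the next item in the list, signing the artefacts (and the manifest) with a key the build system holds, so that a compromised mirror cannot simply publish a new manifest alongside a new artefact.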

10. Building a Security Culture

Lasting security comes from a culture where every engineer considers security part of their job. Include security in the Definition of Done, run blameless security retrospectives, and create security champions within teams who multiply knowledge across the organisation.

Conclusion

Security and privacy are continuous disciplines that run through every phase of development — from architecture to deployment to incident response. The teams that do this well treat security not as a constraint on speed, but as a quality attribute as fundamental as performance or reliability.

At Smarteer, security and privacy are first-class concerns in every engagement. Get in touch to learn how we can help embed these practices into your development process.

Mohan, CEO of Smarteer
