Application Security Day 1


Key Controls for a New Military Recruitment Software Platform
By Cyber Force

How did we review the priority?

This is a defense system for military recruitment, so it will store highly critical
information, potentially meeting the requirements of the Official Secrets Act. We believe the CIA
triad, in order of importance, is as follows:
• Confidentiality
• Integrity
• Availability
Therefore, we are reviewing the controls with confidentiality as our top priority, while also
considering the cost of the controls.
Hierarchy of the Controls against Threats and Actors in Military Recruitment Software Development
The controls below come from research into best practice for secure
applications; we have ordered them for this application at Plum:
1. Encrypt sensitive data
2. Implement multi-factor authentication
3. Use secure coding practices
4. Use Security Testing
5. Train employees on cyber security best practices
6. Monitor systems for cyber threats

https://devtalents.com/cyber-security-during-software-development/
Encrypting Sensitive Data
Plum Ltd. needs to implement firm measures to keep private defense data secure. Presuming that data is not
encrypted currently, the controls below should help with data security. Data needs to be encrypted both
at rest and in transit.

Controls
• Classify data depending on importance (sensitive data, general data, temporary data)
• Enable data encryption (symmetric, asymmetric)
• Use data masking (makes private information unrecognizable so that it has no actual value for hackers)
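The classification and masking controls above can be combined so that the data class decides how each field leaves the live system. The sketch below is an added example, not part of the original slides or of any Plum code: the field names, the class mapping and the sample record are constructed, and HMAC-SHA-256 is one assumed choice of keyed one-way masking.

```python
import hashlib
import hmac
import secrets

# Assumed mapping of fields to the three classes named in the controls above.
CLASSIFICATION = {
    "full_name": "sensitive",
    "national_insurance_no": "sensitive",
    "date_of_birth": "sensitive",
    "preferred_branch": "general",
    "session_id": "temporary",
}

# Constructed sample record; every value here is fictional.
SAMPLE_RECORD = {
    "full_name": "Alex Example",
    "national_insurance_no": "QQ123456C",
    "date_of_birth": "1999-04-01",
    "preferred_branch": "Army",
    "session_id": "tmp-7f3a",
}

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way token: stable for joins, meaningless without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def partial_mask(value: str, keep: int = 2) -> str:
    """Star out all but the last `keep` characters; never reveal over half."""
    keep = min(keep, len(value) // 2)
    return "*" * (len(value) - keep) + (value[-keep:] if keep else "")

def mask_record(record: dict, key: bytes, for_display: bool = False) -> dict:
    """Return a copy suitable for test data, analytics or a support screen."""
    masked = {}
    for field, value in record.items():
        data_class = CLASSIFICATION.get(field, "sensitive")  # unknown fields fail closed
        if data_class == "temporary":
            continue  # temporary data is never copied out of the live system
        if data_class == "sensitive":
            masked[field] = partial_mask(value) if for_display else pseudonymise(value, key)
        else:
            masked[field] = value
    return masked

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: a real system loads this from a key store
    print(mask_record(SAMPLE_RECORD, key))
    print(mask_record(SAMPLE_RECORD, key, for_display=True))
```

Masking of this kind protects copies and displays of the data; the stored originals still need the encryption at rest and in transit described in this section.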
How to implement encryption into Apps
1. Review what needs to be encrypted
2. Choose encryption algorithm
3. Generate encryption keys
4. Implement
5. Test
Multifactor Authentication
- MFA is a security process with multiple stages of user verification to access a system. It is more complex and secure than just a single password.
- MFA should be implemented for back-end access to the software and for end-user access.

| MFA Methods | Process | Threats Mitigated |
| --- | --- | --- |
| Token-based Authentication (e.g. tokens, soft tokens, SMS tokens) | Credential exchange and once verified, service issues user an encrypted token to authenticate current session only. | Malware, password phishing, cross-site request forgery (CSRF), cross-site scripting attacks (XSS) |
| Digital certificate / Physical Tokens (e.g. smart cards, key cards) | User is issued a small device (fob, card or USB), containing a digital certificate that binds an encryption key with the user's identity and can be used to grant access. | Unauthorised access, counterfeiting, credential theft, phishing attacks |
| Biometrics (e.g. fingerprint, handprint, facial scan etc) | Unique physical characteristic of the user | Unauthorised access (false positives/negatives), identity theft/fraud, credential stuffing, brute-force attacks, can be used across different systems without the need for passwords |
Use Secure Coding Practices

• Threat mitigated – code with vulnerabilities being developed
• How can this be done
o Developers to follow OWASP secure coding principles – depending on the skills of the developers this might require retraining in this way of working, or new staff.
o Implementing peer review practices into the coding process as standard - shouldn’t cost but could add time to the process.
o Ensure that any third-party code used is also vulnerability-free before use – STAT scanner (open source and freely available)
o Supportive tooling for developers e.g. security hints – free tools available
o Consistent style of coding – might need training to ensure this and will need communication between team members e.g. Slack channel
Security Testing
The goal of the process is to discover potential security breaches, misconfigurations, and malicious code which could compromise the system.
Security testing methods include penetration testing, vulnerability scanning, and code reviews.

Key benefits of Security Testing include:
• Sensitive data protection: Security testing identifies and mitigates vulnerabilities that could lead to data breaches.
• Improves stakeholder trust: When customers and other stakeholders know their data is protected, they are more likely to trust and engage with a company’s products and services.
• Supports compliance efforts: Regulations and industry standards like GDPR, HIPAA, and PCI DSS require organizations to adhere to strict security standards. Security testing helps in ensuring that the application meets these legal and regulatory requirements, avoiding heavy fines and penalties for non-compliance.

Best Practices for Effective Security Testing
• Shift Security Testing Left - Shifting security testing left involves combining security practices early in the software development lifecycle (SDLC).
• Conduct Comprehensive Testing Throughout Development - Conducting security tests at various stages of the SDLC is important for finding out different types of vulnerabilities.
• Perform Comprehensive Risk Assessments - Comprehensive risk assessments include checking the potential threats and vulnerabilities within an application and their potential impact.
• Monitor and Analyze Security Metrics - Essential for understanding the effectiveness of security measures and identifying areas for improvement.
• Collaborating with Security Experts - Collaboration between developers, IT operations staff, and security experts, a.k.a. DevSecOps, brings specialized knowledge and skills to the development process, enhancing the overall security of the application.
• Regularly Updating and Maintaining Security Measures - Regular updates and maintenance of security measures are essential to protect against evolving threats.
Training Developers on Cybersecurity Best Practices
Training developers on cybersecurity best practices can effectively
mitigate several key threats, including:
• Injection Attacks (SQL Injection, Command Injection): Educating developers on input validation and parameterized queries reduces the risk of injection attacks, which exploit vulnerabilities in application code.
• Cross-Site Scripting (XSS): Training on proper output encoding and the content security policy can help prevent XSS attacks, where malicious scripts are injected into web pages viewed by other users.
• Insecure Code: Developers learn secure coding practices to eliminate vulnerabilities like hardcoded secrets and buffer overflows.
• Sensitive Data Exposure: Training developers on data encryption and secure storage practices can prevent the accidental exposure of sensitive information, such as personal data and passwords.
• Authentication and Authorization Flaws: Educating developers about proper authentication mechanisms (like multi-factor authentication) and role-based access control can help prevent unauthorized access to applications.
• Insecure APIs: Teaching best practices for API security, including authentication and input validation, mitigates threats from insecure APIs that could be exploited by attackers.
By focusing on these areas through targeted training, organisations can
significantly enhance the security of their software and reduce the risk of
various cyber threats, ultimately contributing to a more robust security
posture.
Monitor Systems for Cyber Threats
• Monitoring systems during software production significantly enhances cybersecurity by enabling early detection of vulnerabilities, faster incident response, improved visibility into system activities, and proactive risk mitigation.
• Security Information and Event Management (SIEM) tools like Splunk, SolarWinds Security Event Manager, or a similar solution collect and analyze data from various sources to detect and respond to security incidents effectively.
• By implementing system monitoring, potential security issues can be identified early in the development cycle, allowing timely remediation.
• Vulnerabilities can be addressed proactively before they can be exploited by attackers.
• Monitoring systems facilitate a more efficient and targeted response by quickly pinpointing the source of a security issue.
• Monitoring also helps organizations demonstrate adherence to industry security standards and regulations by providing detailed audit trails and evidence of security controls in place.
