The digital economy calls for solutions to be built with digital technologies from the ground up. However, this can result in a double-edged sword: The more a solution relies on digital mechanisms like open APIs, web services, open-source software libraries, cloud and web access over the public Internet, the more vulnerable it is to hacking, phishing, theft and other forms of cyber malfeasance that can damage reputations and financials.
In a recent study, 73% of respondents said they have at least one application or a portion of their infrastructure in the cloud. And even as use of open-source software increases, so does the risk, with a recent study finding a 53.8% increase in the number of open-source application library security vulnerabilities.
While business leaders realize the importance of taking security seriously in their digital endeavors, they also struggle with how to ensure security can be ingrained into their software delivery. For example, many enterprises have a central security function or conduct security testing as a separate activity. This siloed approach is counterproductive to the Agile and DevOps techniques that businesses have adopted to accelerate time to market and improve productivity and efficiency.
Making Security Part of the Process
To compete with digital natives, legacy organizations need to “decentralize” security and make it part of their core development activities. This not only reduces delivery time but also helps with defect detection earlier in the lifecycle, decreasing the time needed to recover from failure.
To achieve this, organizations should examine four key areas:
- People: Focus on building an environment that encourages “security as code.” One way to do this is by educating your full-stack engineers on secure coding practices (e.g., communities such as the Open Web Application Security Project). In one of the teams I worked with at Cognizant, we introduced a rewards and recognition program to support behavior changes of engineers that reflected the philosophy of “Security is every engineer’s responsibility” rather than “Security is only the vulnerability assessment team’s responsibility.”
- Process: Adopt the concept of “secure SDLC” in your software development lifecycle (SDLC). This means incorporating security aspects into every step of the SDLC, from defining your requirements to deploying and monitoring your software. For example, in your Agile product backlogs, include security-related epics and user stories, and bring in concepts of threat modeling when designing user stories. Other ideas are to include security checks as part of your “definition of done” criteria, and embed security testing as part of the sprint testing cycles. When setting up your technical debt measurements, bring in adherence to security coding practices as part of your static code analyzers. This will help your team understand how much security debt is being incurred.
- Automate: Automation is key to reducing cycle time. Several tools on the market can be incorporated into the DevOps pipeline to automate secure SDLC activities. Tools like Threat Modeler can be used while detailing user stories, and tools like Veracode and Burp Suite can help with security testing and scanning. Leveraging utilities like AWS Inspector can help with assessing security deviations for applications deployed on the cloud. I was alarmed by a recent report that highlighted enterprises continuing to download known vulnerable software versions. Automated DevOps pipelines with built-in security checks and tools can help identify and minimize such cases.
- Governance: Lastly, all these efforts need to be governed and monitored. While typical organizations have a chief security & risk office that sets security policies, the CSO usually struggles to understand how that role applies to the software being developed and deployed. Reports from the automation pipeline will help govern this. In areas where security is of utmost priority, businesses should incorporate dedicated roles as part of their Agile tribes or Agile release trains, such as security software engineers and testers or DevSecOps engineers (DevOps engineers with experience building secure DevOps pipelines). These roles can be part of the overall CSO hierarchy but work closely with the implementation teams to enable an environment of “security as code.” When implementing a large digital customer experience transformation program for one of our clients, we set up a cross-functional squad with a mix of Agile and DevOps experts, as well as cloud and security engineers, to cover the necessary focus and implementation of security aspects.
No matter where your organization is on its digital engineering journey – whether you’re struggling to start or ready to take the next big leap – it’s essential to include security in your solutions. By adopting practices across people, process, automation and governance, businesses can ensure this journey is safe and secure.