When I talk with developers about application security I hear a recurring theme: “Sure, security is important, but I am under immense pressure to deliver end products quickly.” I know the pressure they face is tremendous, which is why my advice to them is this: It’s not an either/or choice. Essential security and agile development can, and I would argue must, exist together.
Today a growing number of organizations have already embraced DevOps to bridge the gap between developing and operationalizing applications. Take that one step further by adopting DevSecOps, and developers will find themselves operating in an environment infused with security throughout application development, operations and maintenance. In the end, that means using resources more efficiently and reducing time and risk for themselves, their organization and the citizens they serve.
How? DevSecOps brings together both security and development teams to establish, maintain and enforce a continuous loop of ever-evolving best practices for secure development. By integrating security experts into the development process from the beginning, the whole business has a better understanding of the steps being taken to safeguard applications and data. It also ensures that security experts participate directly in critical trade-off decisions to better balance business needs, coding resources and security requirements. In essence, it puts the security approval process on “fast forward”—accelerating launch by continuously closing the loop between development and security validation.
Security by Design, or DevSecOps, is a topic we explore in greater detail in our application security white paper: Integrating Dynamic Defense into Software Development. In that paper we outline the Good, Better and Best path to DevSecOps. For now, here are three things to consider as a starting point:
1. Set and enable standards. A secure technical architecture integrated within the overarching business and security architecture is a critical first step to effective application security. You need clear enterprise standards for secure development and application operations. But those standards don’t have to be homegrown. Consider taking advantage of industry standards, such as those from the Open Web Application Security Project (OWASP), to accelerate the process of codifying and adopting appropriate practices.
2. Model threats to assess risk. A standard technical architecture is critical to security; so is an understanding of the context in which an application will be used and the infrastructure in which it will operate. Threat modeling considers that context in assessing the likelihood that a system will be a target. With those insights, you can develop appropriate safeguards.
3. Test to identify vulnerabilities. Testing remains a key enabler of application security. Instead of saving it for the very end of the software development lifecycle, make it part of every development sprint. Static code analysis (SCA) uses basic testing to identify and flag areas with common mistakes. Complement that with static application security testing (SAST, or “white box testing”) to see if the application can be penetrated, as well as dynamic application security testing (DAST) to evaluate security when an application is running.
Although this transformation doesn’t happen overnight, starting with these three steps will set you on the path to the ultimate goal of Cyber Resilience.
In Defining a Cyber Moonshot, we outline five actions—including DevSecOps—that we must take to enable cyber resiliency. I’ll share more about each of these in the coming months. In the meantime, take a look at the full paper today and join us in our quest to ignite a nationwide Cyber Moonshot.