It's time to demand security by design
If you're not infusing security practices into your development efforts from the early stages, you are setting the stage for a risky and potentially devastating outcome: one where you lose valuable time and money, and expose your organization to security risk.
In our Cyber Moonshot paper we identified Security by Design as one of five essential elements of achieving cyber resilience: Security must be engineered into the core of every system from the start.
Adopt a DevSecOps approach
Over the past several years, DevOps has gained in popularity as a proven way to bridge the gap between developing and operationalizing applications. DevOps is an enabler that delivers automation, repeatability, agility and speed across the entire lifecycle.
Now, with DevOps in its mature state, Federal agencies have the momentum to embed security into the approach, creating a new DevSecOps model that transforms security into another enabler for the business.
Embracing DevSecOps allows Federal agencies to:
- Drive agile development
- Bring all stakeholders to a high level of security understanding in a short period of time
- Ensure security is "baked in" from the beginning
Things you can do right now
Whether your organization is ready to embrace DevSecOps now or not, every agency can benefit from a close examination of current application security practices. To balance business needs with security risks, start by focusing on these key areas:
Set and enable standards
- Develop a secure technical architecture integrated within the overarching business and security architecture.
- Identify the necessary training and tooling to enable developers to effectively implement standards.
Model threats to assess risk
- Gain an understanding of the context in which an application will be used and the infrastructure in which the application will operate.
- Assess the likelihood that a system will be a target and develop appropriate safeguards through threat modeling.
- Develop security testing approaches that can be included in automated testing scenarios.
Test to identify vulnerabilities
- Make testing a part of every development sprint.
- Use basic testing to identify and flag areas with common mistakes, and complement this with static application security testing (SAST, or "white box testing") to see if the application can be penetrated.
- Implement dynamic application security testing (DAST) to evaluate security when an application is running.
Ensuring cyber resilience
Security by design, DevSecOps, is one of the five essential technology pillars needed to shift the balance of power away from our adversaries and tip the scales in our favor.
In our Cyber Moonshot paper we outline our thinking about each of these pillars.