Nov 21, 2018
No organisation or development team wants an insecure software development process. Unfortunately, for many organisations that's exactly what they have in place: insecure development occurring across multiple teams, each using a different mix of techniques and practices to build a "secure" application. In our experience, the most secure software development lifecycles are built on top of three key pillars. In today's post I explain the three pillars and why each one matters to your organisation's security efforts.
When it comes to application security, standards are an enabler. Without standards, your development teams (both internal and external) won't clearly understand what's expected of them, and your development activities end up at odds with your security policies, compliance mandates and requirements. Secure development teams have clearly defined standards that they fully understand and can reference throughout the software development lifecycle, as and when they need to. Without secure development standards, it's impossible to build secure applications at any meaningful scale.
It should come as no surprise that secure development teams are well educated in security. Without adequate training and education, more vulnerabilities will make their way into the applications you build, which escalates your remediation costs. Remember that the later in the software development lifecycle a vulnerability is found, the more expensive it is to resolve. Security education shouldn't be treated as a "one-off" for development teams, either. The most secure development teams receive ongoing training and have access to computer-based training materials they can reference and learn from in their own time. Security best practices constantly evolve, and a one-off half-day course just doesn't cut it. Are your development teams receiving regular security training? If not, why not?
Assessment represents the final pillar in the secure software development lifecycle. Assessments are crucial for identifying vulnerabilities and problems in your software development process so that you can eliminate them. Assessments can be run on a single software application, a portfolio of applications, the entire software development lifecycle, or your IT infrastructure itself. An effective assessment should always produce findings that help you direct future security investment and prioritise remediation. The most effective development teams use an ongoing combination of security code reviews, penetration testing and threat modelling.

The Three Pillars offer an excellent model for analysing security adoption within your organisation. If the model is new to you, have a think: which of the pillars are we using effectively, and where do we need to invest? No development lifecycle is perfect from a security standpoint, and every company will have its strengths and weaknesses.