This is the second installment of a six-part series offering guidance to CISOs who tell us finding success in the world of application security is a lot like trying to survive in the “Wild West.” After listening to their individual concerns and challenges, we’ve decided to share our unique insights on how these digital frontiers can be tamed and what it takes to become an effective security pioneer in this modern age.
Last week, we talked about the need for a new sheriff in town, specifically in the form of a cultural shift known as DevSecOps. Based on the guiding principles of this discussion, we know CISOs make up a growing community of industry leaders looking for effective ways to incorporate security into development and operations. But we have yet to explore how this push towards secure DevOps can, in fact, create a loop of continuous security when implemented throughout the software development lifecycle (SDLC). If secure DevOps is the local sheriff, the SDLC is the American Frontier itself. And CISOs need to understand every square mile of this digital landscape if they hope to secure it.
A Massive Territory
Instead of the plains, mountains and deserts that make up the wide and varied landscape of the West, in software development you’ve got code, build, quality assurance and production. And all of it must be secured against the many vulnerabilities “roaming” this massive territory.
To establish security throughout the entire SDLC, CISOs essentially need to build a transcontinental railroad, albeit in more of a loop formation. To establish consistent and continuous security, they will need to “lay the track” to bring greater alignment along the SDLC, from start to finish, and implement security as early as possible within the process.
Pockets of security, albeit helpful, are not enough to protect organizations from serious threats on the horizon. The good news is, building this track of security throughout the SDLC creates consistency, where DevSecOps can achieve its full potential. And the steam power for this initiative comes from three main areas: automation, orchestration and governance.
Automation replaces manual work with security tools and frameworks that complete specific, repeatable tasks: scanning a commit for secrets, running static analysis on a build, checking dependencies against known-vulnerable versions. It ensures those activities run the same way every time, faster and more consistently than a human reviewer can sustain. And it allows developers to focus on their primary function without abdicating responsibility for software security, because the checks run on their code whether or not they remember to invoke them.
Orchestration, along with automating individual security tasks within the SDLC, is what brings everything together into a cohesive process. Risk-based vulnerability orchestration sequences the tools, runs independent tasks in parallel, and routes their results according to defined workflows and business risk, so a high-risk finding in a customer-facing application is handled differently from a low-risk one in an internal tool. This is what facilitates the broader configuration, coordination and management of security across the entire SDLC, and ensures security arrives at every important stop along the way.
Governance provides a framework for the consistent prioritization and mitigation of risk across the SDLC. It offers the necessary context to better understand your security posture and where danger on the tracks might be hiding. Strong security governance ensures appropriate controls are in place, so you can drive the locomotive with confidence while also reassuring key constituents, such as customers, regulators and the board. For security leaders, these imperatives often translate into challenges. When organizations are looking to accelerate software release cycles and implement CI/CD pipelines, CISOs must ensure their existing security governance frameworks—including tools, processes and policies focused on continuous delivery—can keep pace with these new demands.
Test at Every “Station”
Once your track of continuous security is built, you’re in a position to identify vulnerabilities at each “station” along the development lifecycle. You can also more easily see the gaps in your security tools and fill those gaps with open source tooling. Finding vulnerabilities sooner means fixing them sooner, and at lower cost. To do this, you need application security testing all the way through, from code commit to build to deployment: secrets scanning and static analysis (SAST) when code is committed, software composition analysis (SCA) of dependencies at build time, and dynamic testing (DAST) against the deployed application.
Vulnerability management orchestration is important here, too. Each testing tool delivers a large amount of data in its own format, with its own severity scale and its own idea of where a problem lives (a file and line, a package version, a URL), which is difficult to correlate and prioritize. And there will be overlaps across the tools, so what looks like multiple vulnerabilities could actually be the result of a single issue: the same injection flaw reported twice by static analysis and once more by a dynamic scan of the running application. With proper orchestration, findings are normalized, merged and prioritized for remediation, optimizing development time by consolidating units of developer work and delivering actionable risk intelligence that aligns to business priorities.
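To make the correlation step concrete, here is an added example in Python (not code from the original post or from any vendor product). It takes constructed output from three hypothetical tools, a static analyzer at commit time, a dependency scanner at build time and a dynamic scanner run against the deployed app, normalizes each record to a common shape, merges findings that point at the same weakness in the same place, and orders the result by a risk score. The route-to-file map and the business-weight table are assumptions standing in for the context a real orchestration layer would hold.

```python
"""Normalize, correlate and prioritize findings from several AppSec tools.

Added illustrative example: the three "tools" below and their record
layouts are constructed stand-ins, not real vendor output formats.
"""
from dataclasses import dataclass, field

# --- Constructed sample results, one list per SDLC station -----------------
SAST_RESULTS = [  # commit/build stage: static analysis, file/line based
    {"rule": "CWE-89", "file": "app/db.py", "line": 42,
     "severity": "HIGH", "desc": "SQL statement built by string concatenation"},
    {"rule": "CWE-89", "file": "app/db.py", "line": 42,
     "severity": "HIGH", "desc": "Tainted request parameter reaches execute()"},
    {"rule": "CWE-79", "file": "app/views.py", "line": 17,
     "severity": "MEDIUM", "desc": "Unescaped user input written to response"},
]
SCA_RESULTS = [  # build stage: dependency scan, package based, CVSS scored
    {"package": "requests", "version": "2.19.0", "cwe": "CWE-295", "cvss": 7.5},
]
DAST_RESULTS = [  # deploy stage: dynamic scan, URL based, 0-3 risk scale
    {"url": "/api/users?id=1", "cwe_id": 89, "risk": 3,
     "evidence": "time-based blind injection in 'id'"},
]

# Assumed context an orchestration layer would hold (hypothetical values):
ROUTE_TO_FILE = {"/api/users": "app/db.py"}   # which handler serves a route
BUSINESS_WEIGHT = {"app/db.py": 2.0}          # governance: payment-path code
SEVERITY_SCALE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    cwe: str
    location: str                 # source file, package, or unmapped URL
    severity: int                 # common 1..4 scale
    sources: set = field(default_factory=set)
    notes: list = field(default_factory=list)
    runtime_confirmed: bool = False   # seen by DAST on the running app


def normalize_sast(rec):
    return Finding(rec["rule"], rec["file"], SEVERITY_SCALE[rec["severity"]],
                   {"sast"}, [f"{rec['file']}:{rec['line']} {rec['desc']}"])


def normalize_sca(rec):
    cvss = rec["cvss"]
    sev = 4 if cvss >= 9.0 else 3 if cvss >= 7.0 else 2 if cvss >= 4.0 else 1
    return Finding(rec["cwe"], f"dep:{rec['package']}", sev, {"sca"},
                   [f"{rec['package']}=={rec['version']} CVSS {cvss}"])


def normalize_dast(rec):
    path = rec["url"].split("?", 1)[0]
    # Map the URL back to code where we can; otherwise keep the URL so the
    # finding is not lost, it just will not merge with static results.
    location = ROUTE_TO_FILE.get(path, path)
    return Finding(f"CWE-{rec['cwe_id']}", location, rec["risk"] + 1, {"dast"},
                   [f"{rec['url']} {rec['evidence']}"], runtime_confirmed=True)


def correlate(findings):
    """Merge findings that describe the same weakness at the same location."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        m.severity = max(m.severity, f.severity)
        m.sources |= f.sources
        m.notes += f.notes
        m.runtime_confirmed = m.runtime_confirmed or f.runtime_confirmed
    return list(merged.values())


def score(f):
    """Tool severity, weighted by business context, plus a bonus when a
    dynamic scan proved the flaw reachable in the deployed application."""
    weight = BUSINESS_WEIGHT.get(f.location, 1.0)
    return f.severity * weight + (1.0 if f.runtime_confirmed else 0.0)


def build_worklist():
    """One prioritized list of developer work units from all three tools."""
    raw = ([normalize_sast(r) for r in SAST_RESULTS]
           + [normalize_sca(r) for r in SCA_RESULTS]
           + [normalize_dast(r) for r in DAST_RESULTS])
    return sorted(correlate(raw), key=score, reverse=True)


if __name__ == "__main__":
    for f in build_worklist():
        print(f"{score(f):4.1f} {f.cwe:8} {f.location:16} via {sorted(f.sources)}")
        for n in f.notes:
            print(f"        {n}")
```

Five raw findings collapse to three units of developer work. The injection reported twice by static analysis and once by the dynamic scan becomes a single item, ranked first because it sits in business-critical code and has been confirmed reachable in the running application. Real tool output is messier than this (different CWE granularity, path normalization, line numbers that shift between builds), so the merge key is the part worth investing in.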
Staff Your Line With Security “Conductors”
The ideal scenario is to give developers the tools and knowledge they need to create vulnerability-free code right from the get-go. But as we know, this can feel like an unrealistic goal. Not because developers are incapable—they don’t want to write unsafe code—but because software security is highly complex and ever-changing. Traditionally security has been considerably slower than DevOps processes, which creates a conflict of priorities. Accelerated development? Or strong security? While automating security and enabling developers as much as possible is great, dedicated security professionals are still an essential part of the team.
No matter how security-savvy your developers become, they are still first and foremost developers. Team members who are primarily security champions play an important role. To stay with the railroad analogy, they’re the conductors on the SDLC line. A conductor is a crew member responsible for operational and safety duties that don’t involve the actual operation of the train itself.
Security champions stay ahead of developments in the software security world, from new threats to emerging tools and technologies. They can help interpret the results from your tools and continue to improve DevSecOps workflows and controls. And there will always be outliers—unexpected problems popping up which are particularly difficult to chase down and resolve. Putting a security expert on these cases can help prevent them from disrupting release timelines.
The Transformational Power of Early Integration
The transcontinental railroad was built to open up the Wild West to more rapid development, and it transformed the American economy. Likewise, integrating security across the entire SDLC, as early in the process as makes sense, opens up your business to more secure rapid software development. With integration across the lifecycle, using appropriate automation, orchestration, governance, testing tools and expertise, you’ll transform development and your business. And you’ll live to fight another day.