Security controls and tests have never been the easiest things to incorporate in the software development lifecycle (SDLC) — but as application security grows in importance, some changes in the way software gets made are making security integration more difficult than ever.
The Agile methodology, especially when combined with a DevOps paradigm, embraces speed, making it much harder to get strict security controls in place. In light of this difficulty, "Secure Agile and DevOps: How it Gets Done" — a new webinar sponsored by CA Veracode and Dark Reading — explores the issue and provides advice for CISOs who are struggling to ensure AppSec's priority in this new development environment.
For many enterprises, security and development have long been at odds — set up almost as adversaries instead of teammates. Security testing would take place during the QA phase, but with this testing being conducted so late in the process, issues that were found were not always release blockers. As a result, software with glaring security issues would often move into production for business reasons.
The advent of Agile software development only further complicates this situation. With Agile, software is released much more rapidly, because the paradigm focuses on small changes to the code being made in very short time frames. DevOps adds a layer of complexity, as in this environment, development and operations work side by side within a single team to move releases into production as fast as possible. If steps aren't taken, security concerns can fall by the wayside in the rush to get software out the door.
CA Veracode and Dark Reading's webinar looks at this complicated situation, using industry experts to break down the security issues that the rise of Agile and DevOps are causing, and to provide advice for CISOs on how to effectively manage the trend. While no panacea exists, there are several steps CISOs can take (in conjunction with development managers) to make the transition to Agile easier and ensure security remains in the conversation. Here are three such steps:
With traditionally large development organizations breaking down into smaller Agile teams, it's more important than ever to view security as integral to the SDLC, rather than as a step taken at the end of the development process. CISOs have to work to make security a team effort, injecting security measures and testing into the earliest parts of the lifecycle and getting input from across the organization.
CISOs should develop a security champion within every development team, as this will help make security an active part of each discussion during Agile's frequent small meetings. Likewise, the security team needs to make an effort to understand the overall SDLC so that their policies and practices fall in line. Incorporating the voices of development, operations and management into the security team will also generate higher compliance numbers.
Under an Agile development methodology, security teams can no longer only concern themselves with tests and compliance. Security tests and controls have to be inserted into the SDLC, which means security teams must learn and adopt their organizations' development practices.
The insight gained will not only enable stronger collaboration between teams, but it will enable security teams to inject solutions directly into the tool chain. This will make using these solutions more standard, enabling security teams to then replicate them across their organizations. Eventually, they'll become a part of each Agile team's tool kit.
Nothing will sideline security faster than policies that don't align with the needs of the business. There must be some give-and-take between security and development so that large vulnerabilities can act as release stoppers, but more minor issues can be fixed at a later date. These policies, which will also cover how secure code should be written in the first place, need to be crafted with significant input from development teams to ensure they are on board when it comes to compliance.
Likewise, the security team needs to develop a set of smart measurables so the C-suite can be kept up-to-date on how secure released applications really are. Existing measurables, like vulnerability density and incident metrics, are not perfect — but they do provide some insight into long-term trends within the business.
These are just a handful of the ideas and concepts expressed in Dark Reading and CA Veracode's webinar. Any CISO currently struggling with the shift toward Agile, or those worried about a future shift, can gain valuable knowledge from watching the entire webinar, as the insights come from experts who have dealt with this exact issue and found a way through to ensure speedy code releases with the proper security integration.
Photo Source: Flickr