/feb 6, 2015

Series Introduction: Performance and Scalability Keep You Safe at Any Size

By Evan Wade

There's a reason scalability is such an important concept on the development scene. When you've spent years devising and revising a set of practices, even small changes to the status quo can cause serious personnel-related and financial disruptions. That's why any support product that grows to meet an organization's expanding needs is instantly valuable to bean counters and code wranglers alike.

But performance and scalability are just as important to us security-minded types as they are the rest of the development world. This is the first post in a series designed to demonstrate how well secure practices and products scale — and teach you how to scale them. To start, here's a high-level look at some of the topics you can expect to see in the coming weeks:

1. Distributed Organizations and Centralized Policies

Consistent policy management, a huge aspect of secure development, can be a challenge in a traditional workplace. But managing policies when you're in charge of a distributed workforce — let alone a growing one, as many software companies are these days — can be a nightmare.

This series will show you how centralized policy management promotes performance and scalability by enabling consistency in the distributed workplace. In holding employees at all locations to the same set of policies and practices, you ensure every part of your product is engineered the same way.

2. Performance and Scalability by Role

Similarly, staying consistent across all the roles required to build a secure piece of software is another major challenge for both enterprise app development and InfoSec. Developers, compliance managers and security executives all have different roles vital to keeping a product secure, and making sure those individual employees adhere to the larger framework is crucial.

In another post in this series, you'll find a breakdown of the various roles a company could have and those it may add in the future, plus learn about the responsibilities each role must adopt to keep products secure.

3. Scalability and Repeatability

Whether you're working with 10 developers or 100, repeatability is important for proper testing and analysis. Making sure developers — many of whom aren't primarily focused on security — understand the testing tools and their results enables you to hammer out possible security issues as soon as possible.

In other words, repeatability is key to implementing a properly scaled security culture across your development teams, be they across the world or internal. One part of this series will offer ideas on the benefits of this mind-set and discuss practical tips for creating repeatable testing methods.

4. Agile Development Means Performance and Scalability (and Security!)

You've heard it before and you'll hear it again: "Agile" does not have to mean "insecure." As a methodology designed to scale with an organization, in fact, it's the perfect complement to a security-minded development organization.

Another post will discuss how to blend security testing and remediation into an existing set of Agile processes, ensuring you can get a secure product out the door without sacrificing speed or performance. Whether you've made the switch to Agile or you're just thinking about doing it, keeping secure (at every level) is pivotal — and this series will show you how.

5. Remediation and Coaching

Continued education and training are expensive and time-consuming tactics, but they're also necessary. The good news? Done properly, training a handful of employees doesn't have to cost much more than training an organization full of them, largely thanks to automation and expert input — two key tenets of scalable security.

This post will discuss how to bring on-demand remediation and coaching to your workplace, a practice that'll help your developers fix any problems a third-party security platform identifies.

6. Built-In Analytics

How do metrics help promote security? Lots of ways. From a management perspective, they're a way to show employees where they're improving or excelling — and where they need to refine their work. For employees, they afford a continuing sense of motivation. And for organizations as a whole, they present a way to track a given project's security performance with tangible figures.

This article will discuss the benefits of built-in analytics and some best practices for using metrics to get good results out of employees — no matter how many you happen to manage.

(Much) More to Come

Of course, one teaser can't begin to cover all the forthcoming material in this series. But one common thread you'll find is this: No matter your size, your finances, what you build or who you build it for, a secure development mind-set isn't as unobtainable or expensive as you may think. Follow along, and you'll learn exactly what that means.


Related Posts

By Evan Wade

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.