Typically, the goal of continuous security monitoring is to ensure that applications remain in compliance with your security policies -- even through expansions, upgrades and patches. Committing to continuous security monitoring practices almost always means making changes as an organization. While those changes don't have to be difficult, they can certainly look that way from the front lines, especially if your company relies on those two little words that have become SOP in software development: distributed workforces.
Regardless of the software you're buying, selling, licensing or using internally, almost no code is developed by a single group. And while it may be easy for an organization to make changes where it has direct control, getting independent organizations on a company's payroll to comply with your policies and procedures can be a hair-pulling problem all its own.
Here's some advice for making a large-scale shift to continuous security monitoring easier based on Veracode's recent work with a global bank.
If you've managed people or projects for very long, you know it's a lot easier to measure improvement and demonstrate success if everyone is working toward the same goal. In this case study, you see that basic idea on a very large scale: By convincing business units, first-party development teams and third-party providers to work toward the same security goals, the bank saw massive increases in efficiency and overall security when it came to testing internal (and later, external) software products.
The more you can consolidate and centralize your policies and success goals, the better. Whether you're talking security or good old-fashioned business sense, it doesn't get much more straightforward than that.
Continuous security monitoring via the cloud promotes consistency. Cloud solutions enable first- and third-party teams across the globe to check and share their work using the same tools, helping homogenize combined submissions and test bits of code earlier than manual testing allows. Once everyone is following the same process, the power of automation can kick in. Automation shrinks the time spent on doing the testing, ensures software is tested the same way, and compared against the same policies and methods no matter where the software comes from. This removes the specter of human error from the process.
Aside from the obvious benefits that come with hardening your application layer, a cloud platform enables you to resolve errors earlier — which almost always means a cheaper fix. Throw in the benefits of automatically checking known vulnerabilities from popular third-party and open source "building blocks" (libraries, APIs and frameworks, to name just a few), plus the time and money saved by not having to install, maintain and license traditional on-premises security software across multiple offices, and you have a solution that makes sense no matter how many teams are working on a given project.
The advantages that make automated, cloud-based platforms great for continuous security monitoring also apply to managing human assets, especially as it pertains to monitoring their performance.
Building a set of reliable metrics and accurately reporting them is next to impossible without a centralized system in place. With one, ensuring first- and third-party developers the world over follow the same guidelines becomes an afterthought. Combined with on-demand remediation, the bank from Veracode's case study was able to drastically lower in-house training costs and keep its third parties motivated to provide secure code at less cost — a reciprocal positive that will extend through every step of a given product's lifecycle.
Implementing a cloud-based continual security monitoring platform requires some communication with experts, but bringing them in to handle more of your security needs beyond that is the best way to ensure your products are as secure and financially efficient as possible.
In its case study, Veracode handled several aspects of the large bank's overall third-party vendor management, helping it set up ongoing rules for validating its offerings. It also helped the firm refine its business practices as they pertained to security, right down to specifying contractual details with third parties and defining how departments could best work together. No single employee or department could do all that — and that's before considering the huge cost that would come with building a similar platform in-house. By enlisting help from a third-party security firm, the bank got the best of several worlds.
Bringing continuous security monitoring to an entire organization doesn't have to be a massive undertaking. If anything, making the decision to get serious about changing is the biggest step. Now that you've done that, reach out and leverage the experience and expertise of others to help you go the rest of the way. With help, you can get every group working toward the same goal — and under the same secure mindset.
Photo Source: Wikimedia Commons