Regulations, such as those finance and healthcare must adhere to, are put in place to protect people's data. Patients, customers, employees and anyone else whose sensitive information is stored and transmitted generally don't like having it improperly handled. Makes sense, right?
While real-world examples vary, and most sets of regulations cover far more than customer data alone, that basic principle makes security compliance an all-the-time concern no matter what niche your software fills. (And that's year-round compliance, not compliance that you scrambled for in the days leading up to an audit.)
The secret to treating compliance with the respect it deserves, as detailed in a CA Veracode case study, is a systematic approach to building secure software that protects people's data. Here's a quick look at how automated security platforms can help you get there.
Between internally used apps, customer-facing software and all the other code organizations run as a basic means of doing business these days, it's fair to say the expanding perimeter (that is, the growing collection of sites, apps and software under a given company's banner) is a massive area of concern with regard to security compliance.
Wanting to avoid the issues that can come with a faulty perimeter, the company represented in the case study sought out CA Veracode as a means of whipping its suite into shape as a one-time fix — a quick visit to ensure its perimeter of apps was up to snuff when the PCI auditor came around.
The company quickly discovered that wasn't an optimal solution, for all the reasons stated above and more. And the first conceptual step to securing its entire perimeter was a consistent, automated approach to locking down its security.
Emphasis on automated. Security is largely a game of repetitive tasks and constant vigilance, two things computers happen to be excellent at handling. That's why automated security platforms such as CA Veracode's have a number of advantages over ad hoc security compliance measures that are handled exclusively by humans and in-house tools.
First among those advantages is consistency. Because automated platforms can apply the same policies to all code, whether it comes from distributed offices or even third-party contributions, the organization highlighted in the case study was able to apply the exact same scrutiny, where relevant, to every program on its perimeter. Not only does this ensure the same rules are upheld, but it's also great for making sure any policy changes are implemented across the board, saving the company from the headaches that arise when definitions aren't updated on schedule.
That consistency helps when it comes time to evaluate and educate the people putting the code together, too. Like scanning every bit of software on a company's perimeter for security issues, monitoring every engineer in an organization for security competence can be a tall task for humans alone. With an automated platform, the same tool doing the checking also monitors developers for security skill, recommends relevant training and so on, ensuring the same costly errors don't cost the company time and resources again and again.
Big-time, security-impacting errors are never cheap to fix, but they're less expensive if you catch them early. This basic idea runs directly against the old-school "test-fix-deploy" system, in which security testing is treated as a single stop in the software development lifecycle, specifically one you make when you're mostly done with the coding part of the process.
With an automated system, code (including code from third-party submitters, thanks to static application security testing) is effectively checked all the time, making security issues easier, cheaper and faster to catch and remediate.
From a security compliance standpoint, this allows organizations in heavily regulated industries to quickly check all the existing apps on their perimeter, then apply intense scrutiny to works in progress and fast-iteration projects as they're being built. For a company looking for a fast, flexible way to respond to security issues and ongoing compliance concerns, that's a major improvement over the old way of doing things.
Whether your industry is heavily regulated or lacks regulation altogether, make sure you're looking into a regimented approach to security — the problems that stem from laxity go far beyond fines and missed certifications.
For the company in the case study, going systematic brought several tangible benefits that went beyond simple compliance. Check it out for more advice, and some eye-opening numbers on what a systematic approach can do for your own compliance efforts.