Mar 17, 2015

How to Implement a Secure Development Policy When Each Office Is an Island

By Evan Wade

Quickly bringing product to market tends to require more tools, skills and chunks of code than a single development location can offer. That basic fact can put secure development policy management somewhere between rocket science and the black arts on the difficulty scale — and as a company expands, it only gets harder. Whipping those external offices into shape from a security standpoint is tricky, and that's before even considering the third parties responsible for parts of a given product.

Fortunately, there's a solution to the chaos that development policy management can represent in a distributed organization. Two words: consistency and scalability.

Internal Tools, Licensing Issues — and How to Avoid Both

You've seen what happens when a company-wide software installation occurs. It can impact every level of an organization: Per-user licenses hurt the bean counters, poor implementation irritates the ground-level troops and management suddenly needs an extra cup of coffee in the morning just to deal with them.

Multiply all those problems by 10 and you have some idea of how internally deployed software for implementing secure development policies and controls can impact a distributed organization. Even setting aside the costs of licenses, there are a billion other questions to account for. Does it offer centralized reporting? Will it run on all our hardware across offices? Will our third parties feel comfortable installing it? You get the picture.

This is where a cloud-based policy management platform can help. From a scalability standpoint, there are no licensing or installation nightmares to work out when your company adds, say, 20 new developers in an office across the country. Show your new devs the platform and how it works, and boom — you're basically done.

On the consistency side, first- and third-party devs alike can check their work against the same set of policies, interpreted the same way, all on the same off-site hardware. It's easy to see immediate benefits, whether you're having trouble with a multitude of interpretation errors or that one workstation that just won't play nice with existing, in-house security solutions.

The (Ever-Expanding) Costs of Remediation and Compliance

The same qualities make scalable, cloud-based platforms great for reporting errors and helping you plan the subsequent training needed to keep a product in step with internal and external regulations.

Finding the root of a problem can be tough when each office is an island. Then there are third parties, which frequently have their own motivations for concealing employee weaknesses. By covering all developers with the same umbrella, you turn a distributed organization into one big, easy-to-coach family — plus, you make finding errors less of an issue.

Repeated compliance errors trigger all sorts of trouble, so catching the conceptual problems that cause them is key. As noted in a case study, Veracode's cloud-based platform was able to help a large, distributed financial services firm find and coach 122 developers in need of remediation — a major catch in any event, let alone for a company concerned with ongoing PCI compliance. Whether your company is governed by an outside regulatory body or you just want to offer a more secure product from the ground up, that's the sort of thing a cloud-based solution can do for you, too.

Distributed Organizations and the Application Layer

The larger a company is, the harder it is for a single security team to keep on top of every possible back door it may offer potential attackers. Even small, quickly forgotten apps (such as temporary marketing sites) can be points of entry — and according to IDG Research, enterprises only test 38% of their web applications.

Implementing a cloud-based solution takes human eyes off the discovery phase, allowing automated processes to find things faster than a legion of security experts could. This puts another aspect of secure development policy — namely, fixing problems that existed before your enhanced focus on security — under the same rules and regulations as your company's works in progress, ensuring mistakes made in the past don't come back to bite you in the present.

If you're dealing with a tangled mess of no-longer-useful portals and sites, setting an automated, cloud-based platform to work makes your application layer more secure faster. No matter the size of your organization, removing as many blind spots as possible as fast as possible isn't just good business. It's a necessity.

Scalability and Security

Ensuring and enforcing a secure development policy doesn't have to get harder as your organization becomes more distributed. Putting your firm's every arm under the same secure banner is as easy as taking your processes off-site and automating them — a practice that can immediately motivate employees across an enterprise to work toward shared goals at maximum efficiency. That's the sort of scalability and consistency businesses of all sizes need.

Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, give him unique insight into the world of mobile/Web security and the steps needed to properly secure software products. Follow him on Twitter.