If your car was recalled several times a year to correct critical safety flaws that made it unsuitable for the road, you would be furious. Why do we allow the equivalent in our software development then?
Statistics suggest that we set an unreasonably low bar when developing software. A survey carried out by Immersive Labs found that four in five developers knowingly ship code with vulnerabilities, often due to pressure from their superiors. This indicates a dysfunctional system. This is a problem that the Biden administration sought to resolve in a recent executive order.
The dysfunction lies in a lack of alignment. Software development has multiple stakeholders including coders, senior executives, customers and financial controllers. They have different agendas that often go in opposite directions. When security issues arise, they all blame each other. It is not sustainable.
We can start to solve this problem by convincing all stakeholders, from DevOps teams to senior executives, that everyone is responsible for security. Everyone must do their part to promote it as a priority in the Software Development Lifecycle (SDLC). This means sacrificing time and effort to support secure development, which could mean pushing back delivery times.
Refocus on process and tooling
Focusing on security also means investing in the right procedures to support the development of secure software. This means going beyond DevOps, a discipline that bridges the gap between development and operations by reorganizing and automating the processes shared between the two. We need to make security a key part of this automated process in a discipline called DevSecOps.
What types of security procedures and standards can we codify in our SDLC? Training in secure coding best practices is a good place to start, and standards like OWASP Top 10 can help here.
We also recommend incorporating automated tools into the development process to help deliver more secure code. Code analysis tools can scan validated source code for vulnerabilities, while scanning third-party libraries used in your code will help find vulnerabilities in your software supply chain. You can automate these tests in a controlled continuous integration and deployment (CI/CD) process to prevent the release of code that does not meet these security criteria.
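One way to implement the release gate described above, as an added example that is not from the article or any tool it mentions: a script that reads the scanners' reports and returns a non-zero exit code when the security criteria are not met. It assumes both scanners emit SARIF 2.1.0; the tool names, rule ids, sample reports and policy thresholds are constructed for illustration.

```python
import json

# Constructed sample reports in SARIF 2.1.0 shape (not output from a real scan).
SAST_REPORT = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "query built from request input"}},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used"}, "suppressions": [{"kind": "inSource"}]},
    ]}]})
SCA_REPORT = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sca"}},
    "results": [
        {"ruleId": "vulnerable-dependency",  # no "level": SARIF default applies
         "message": {"text": "examplelib 1.0 has a known vulnerability"}},
    ]}]})

BLOCKING_LEVELS = {"error"}   # assumed policy: any unsuppressed error blocks
MAX_WARNINGS = 0              # assumed policy: warning budget per pipeline run


def findings(sarif_text):
    """Yield (tool, rule, level) for every unsuppressed result in a SARIF log."""
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results") or []:
            if result.get("suppressions"):  # assumption: any suppression counts as accepted
                continue
            # SARIF treats a result without an explicit level as "warning"
            # when no rule configuration overrides it.
            yield tool, result.get("ruleId", "?"), result.get("level", "warning")


def gate(reports, max_warnings=MAX_WARNINGS):
    """Return (release_allowed, reasons) for a list of SARIF documents."""
    found = [f for report in reports for f in findings(report)]
    blocking = [f for f in found if f[2] in BLOCKING_LEVELS]
    warnings = [f for f in found if f[2] == "warning"]
    reasons = [f"{tool}: {rule} ({level})" for tool, rule, level in blocking]
    if len(warnings) > max_warnings:
        reasons.append(f"{len(warnings)} warnings exceed budget of {max_warnings}")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, reasons = gate([SAST_REPORT, SCA_REPORT])
    print("\n".join(reasons) or "no blocking findings")
    raise SystemExit(0 if allowed else 1)   # non-zero exit stops the pipeline
```

A report that fails to parse raises an exception, so the gate fails closed rather than letting an unscanned build through.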
As with vehicles, integrating quality control into the development cycle will not completely eliminate production defects. Just as vehicle components still need to be recalled occasionally, sometimes the software will need to be fixed. However, when bugs do arise, we can apply security disciplines to eliminate them quickly and effectively.
A mature approach to remediation begins with designing modular architectures for easier upgrades. It also includes remediation approaches such as team swarming, which speed up fixes. Building pipelines that support rapid deployment gets these fixes delivered.
Don’t trust anybody
These security practices are a good start, but they assume that anyone using the developer tools is legitimate. This is not always the case, as we have learned from the SolarWinds development breach and other recent incidents.
We need to remove implicit trust from our software development environments and replace it with zero trust disciplines that verify a user’s identity and context. We should assess each developer’s risk profile during sessions using contextual indicators such as the device they are using and the network they are accessing.
Security measures to protect account credentials, such as multi-factor authentication and anti-phishing tools, will help, as will endpoint protections, including patching, mobile threat defense, and privilege management.
These end-to-end security measures may seem overwhelming, but they are essential. We can make their implementation easier and more consistent by integrating them into an IT service management framework. This will unify all tasks and their supporting data into a single dashboard to improve productivity and ensure nothing falls through the cracks.
As these integrations mature, teams can begin to integrate more sophisticated AI technologies to handle repetitive, data-intensive tasks such as security analysis. This will allow IT teams to further refine their software development.
There is too much at stake to let software development security languish any longer. In the wake of the worst cyber attack on the U.S. government in history, the Biden administration is taking this issue seriously. The president has taken cybersecurity assessments for U.S. software into account, and his cybersecurity improvement executive order introduced new requirements for secure software development standards that will affect federal government procurement, and hence the whole market.
With increasing cybersecurity risks and the threat of government regulations, the best time to secure the SDLC was yesterday. The next best time is now.