The way we develop software has been radically transformed in the last few years. Agility and speed are vital components for any company that wants to compete in the market. In order to achieve that it has proven necessary to break down barriers. The idea of separate silos with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.
We’ve accepted the logic of bringing development and operations together with the DevOps movement. The recognition that testing is required earlier in the process has come. Now it’s time to apply the same logic to security. It’s time to bring InfoSec into the fold.
Trends like cloud computing, big data, SaaS, and the BYOD end of the mobile revolution have created new opportunities for increased efficiency and productivity, but they also represent unique challenges for security. Sensitive data, financial information, and intellectual property are all exposed to risk when security is a secondary concern.
The issues that splashed back from the waterfall model for testing apply to security as well. Only passing applications through the QA process at the end of production, when time pressures to release were the greatest and it was too late to make significant changes, resulted in fixes being more expensive and software quality suffered.
If we don’t integrate security testing into the development process and make it part of the software development lifecycle now, then we run the risk of encountering exactly the same problem. We waste time retro-fitting functionality that should have been there in the first place, and we all know the pain of securing a hybrid system with legacy software that wasn’t designed with modern security threats in mind.
Automation for testing has enabled developers to move towards a continuous delivery system where new features can be rolled into live software as they are created. How do we ensure that security is maintained?
Bringing InfoSec on-board from the outset will help you build security considerations like this into your development pipeline. It will save time and money in the long term.
It’s important to model potential threats and test for them, but you must be aware that new threats evolve and emerge all the time. Dedicated InfoSec employees will continually research and explore the new trends and risks in the security industry. Opening a direct line between DevOps and InfoSec enables them to pass along that wisdom and fold it into the mix when it’s relatively cheap and easy to do.
The security testing in your development pipeline is no more static than any other element. It has to be continually reviewed and modernized to ensure it continues to deliver results. Continuous real-time monitoring will deliver the oversight you need.
There’s no question that cyber-attacks will come, but if you prepare properly you can detect and nullify them with minimal effort. When considering the investment now, you must factor in the cost of lost confidence, post-mortem forensic investigation, and significant redevelopment to close any gaps in your defenses in the event of a future breach.
Once you have built solid foundations for security in your application development they will benefit every project going forward. Taking a long term view makes financial sense and results in better quality software.
By Michelle Drolet, Founder and CEO, Towerwall
Special to DevOps.com