If recent news headlines have proven anything, it’s that all companies—both large and small—are susceptible to massive breaches if they don’t take the necessary precautions. No matter how many security scans, pen tests and standard measures your company has in place, you can never be too cautious—particularly when it comes to your software development process.
Here are three things you should consider to secure your software development process:
Using the CARTA Framework
Gartner proposed the CARTA (Continuous Adaptive Risk and Trust Assessment) framework which I believe can help to adapt to an ever-changing security landscape. This framework, recognizes a key challenge in that digital business transformation is moving full speed ahead, with or without information security and risk people, processes and infrastructure being ready.* Using the framework can not only help you manage and respond to risks more effectively, but it can also keep your development process grounded in agile, adaptive practices. And, despite CARTA being fairly new in the risk and trust assessment arena, I think it’s a framework that’s showing plenty of promise and growth for DevOps.
Adding Security to the Dev Team
Adding a security expert to your development team is one more skillset the development team needs to deliver production-ready and secure software. Why? Because involving your security expert at the beginning of development will help the team identify security risks in the product backlog much earlier in the cycle. To hold teams accountable for high-risk security issues early on, your security expert needs to accomplish two things: Adding requirements to user stories as acceptance criteria and adding security requirements to your team’s definition of done.
To help your Product Owner prioritize securities, use analytics from monitoring software to identify high and low-priority security risks. You can base this prioritization on CARTA, or another risk and trust assessment framework advised by your organization’s governance.
Once these security requirements and standards are part of your process, team members can secure software delivery in ways that work well for the product team—such as automating highly prioritized security requirements. For example, let’s say a team wants to create test automation that checks for encryption levels of storage: this kind of automation is run frequently throughout a day (maybe in a build or release), catching issues before they are pushed to production—so automation becomes a massive time-saver.
The best structure for integrating security into your software development process is one that includes agile practices. CARTA assumes continuous adaptation to risks and complements agile practices; meanwhile, agile assumes an informed product backlog and embraces changes in the development process. So, when your security analysis reveals a security risk halfway through your new release, using a combination of agile practices and a risk and trust assessment—like the CARTA framework—gives teams a way to get the new security defense into the release faster.
When it comes to software development, security is no longer an afterthought—it’s a top priority. Use these three tactics to secure your software development process, and you’ll be much more effective in responding, adapting to, and resolving security risks.
*Gartner, Seven Imperatives to Adopt a CARTA Strategic Approach, 10 April 2018