Intelligent CIO Europe Issue 35 | Page 39

TALKING business


In 2020, organisations have been faced with the prospect of months of staffing and Business Continuity challenges. Concurrently, cyberattacks by opportunistic hackers and cybercrime groups looking to profit or further disrupt society are on the rise. Organisations must ensure the software they build and operate is secure against these increasing attacks, even as their available security resources may be decreasing.

And a remote workforce is only one of the challenges organisations face in securing their digital properties and sensitive data. While many companies want to invest in security, they may not know where to start. After all, identifying where and how to secure your most valuable or vulnerable projects is a challenging endeavour. It's a daunting task. However, by tactically addressing their security testing capacity, staff skills and software supply chain risks today, organisations can respond to resource challenges now while fundamentally improving the effectiveness of their AppSec programme going forward. Here's how.
Establish a benchmark and mature your strategy
Get started by gathering a full understanding of what your organisation's security activities involve. The Building Security In Maturity Model (BSIMM) is not a how-to guide, nor is it a one-size-fits-all prescription. A BSIMM assessment reflects the software security activities currently in place within your organisation, giving you an objective benchmark from which to begin building or maturing your software security strategy. The BSIMM, now in its 11th iteration, is a measuring stick and can be used to inform a roadmap for organisations seeking to create or improve their software security initiatives (SSIs), not by prescribing a set way to do things but by showing what others are already doing.
Previous years' reports have documented that organisations have been successfully replacing manual governance activities with automated solutions. One reason for this is the need for speed, otherwise known as feature velocity. Organisations are doing away with the high-friction security activities conducted by the software security group (SSG) out-of-band and at gates. In their place is software-defined life cycle governance.
Another reason is a people shortage – the 'skills gap' has been a factor in the industry for years and continues to grow. Assigning repetitive analysis and procedural tasks to bots, sensors and other automated tools makes practical sense and is increasingly the way organisations are addressing both that shortage and time management problems.
But while the shift to automation has increased velocity and fluidity across verticals, the BSIMM11 finds that it hasn't put the control of security standards and oversight out of the reach of humans.
Apply a well-rounded risk mitigation strategy
In fact, the roles of today's security professionals and software developers have become multi-dimensional. With their increasing responsibilities, they must do more in less time while keeping applications secure. As development workflows continue to evolve to keep up with organisational agility goals, they must account for a variety of requirements, including:
• Real-time visibility into what software and services are running, as well as associated environments and configurations
• Insight into running software's composition
• Automatic execution of at least the minimum required vulnerability discovery testing with each release, with results provided directly to bug tracking systems
• Aggregation and search of operational data for meaningful security information across a value stream
• Traceability of running services to the repositories, build and team that produced them
• Enabling engineering teams to remediate security defects
• Updating network, host, container or application-layer configuration through orchestration
• Automatically invalidating and rotating sensitive assets within a deployment
• Automatic fail-over/rollback to working assets or known-good working configuration/build
Adam Brown, Associate Managing Security Consultant, Synopsys

This is the reality around which organisations build and/or consume software. Over the years we've witnessed the use and expansion of automation in the integration of tools such as GitLab for version control, Jenkins for continuous integration (CI), Jira for defect tracking and Docker for container integration within toolchains. These tools work together to create a cohesive automated environment that is designed to allow organisations to focus on delivering higher quality innovation faster to the market.
Through BSIMM iterations we've seen that organisations have realised there's merit in applying and sharing the value of automation by incorporating security principles at appropriate security touchpoints in the software development life cycle (SDLC), shifting the security effort 'left'. This creates shorter feedback loops and decreases friction, which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows.
More recently, a 'shift everywhere' movement has been observed through the BSIMM as a graduation from 'shift left' – meaning firms are not just testing early in development but conducting security activity as early as possible and at the highest fidelity that is practical. As development speeds and deployment frequencies intensify, security testing must complement these multifaceted, dynamic workflows. If organisations want to avoid compromising security and time-to-market delays, directly integrating security testing is essential.