Ensuring secure processes during each phase of software development ought to be standard practice. But pressures on the pace of development tend to infect the development lifecycle with bad practices, resulting in some or all development phases lacking critical security perspectives and/or appropriate security controls. This may expose the entire development process and its output to potential security breaches and vulnerabilities.
The development lifecycle generally includes the following phases: planning, design, implementation, testing, release/deployment, and maintenance. Individual DevOps models may use slightly different terminology, but regardless of what these phases are called within an organization, the appropriate security measures should be identified, planned for, and embedded into each phase, creating a security lifecycle that mirrors the development lifecycle.
The common anti-pattern is for measures to be implemented for only some—or in the worst cases, none—of the phases of the security lifecycle. Fortunately, there is a movement in the industry to “shift left”: to take security into account earlier in the software development process.
There are prerequisites to be considered before implementing a formal methodology for secure software development. As mentioned, a security vision and leadership support are critical and generally require some level of training for upper management. The scope of the training depends on the organization, but management ought to have an overall idea of what an SSDLC (Secure Software Development Life Cycle) means, what it involves, and most importantly, why it is necessary.
A familiarity with key terms used within the selected security methodology is also useful. Training and awareness are fundamental building blocks for establishing and strengthening the security culture of an organization. The scope of such training and training-related metrics are a subject for a different post.
In Part 2 we’ll delve into the phases of the secure development lifecycle …
Jari Mannonen is working as the Head of Cyber Security Development at Piisku. He has over 20 years of consultancy experience in business-critical information technology and application architecture, with a focus on cybersecurity.
In this article, we have used AI-generated images.