We are in a day and age when every business needs to build an online presence, and those that do not go online face intensified risks of going out of business. Most organizations have teams dedicated to developing software/ web applications/ digital products in keeping with the organization’s needs, context, and image. However, not many understand that application security needs to be an integral part of the Software Development Life Cycle (SDLC), especially because of the ever-increasing risks associated with insecure software/ applications/ digital products. Put differently, just like any other core functionality, security cannot be sprinkled on at the end of the SDLC; the repercussions of doing so are cumbersome and costly.
Earlier, security assessments and other security-related activities in the Software Development Lifecycle would be conducted only in the testing stages, that is, after development and coding are complete and right before the release of the product/ application. This last-minute security approach would often bring up too many issues, too late. In cases of hurried release, the vulnerabilities and issues would not be fixed before release. This, in turn, led to high application security risks.
With the secure SDLC approach, security is made an integral part of every stage of the development process from architecture, design, coding and planning to integration, validation, operations and decommissioning.
The application/ digital product/ software may contain inherent bugs, loopholes, weaknesses, and vulnerabilities that may be overlooked by developers who are working against tough deadlines. These are often leveraged by cybercriminals to orchestrate attacks/ data breaches through SQL injection, access violations, buffer overflows, etc. By making security an integral part of coding, design and all other stages of development, we can ensure early detection of flaws and vulnerabilities and their timely and effective resolution. As a result, you can minimize the costs of application/ software development as well as the business risks involved.
Security-focused design, development, and testing require everyone in the development team to be aware of and fully updated on secure coding practices, the best frameworks available from the security perspective, the vulnerabilities and weaknesses inherent in different frameworks, etc. To improve the security posture of the organization, you must upskill your developers and testers on security best practices and ensure that they are able to make security an integral part of their everyday work. Organizations must foster a security mindset amongst their developers, who are often faced with, and focused on, aggressive deadlines.
For instance, using open source frameworks with known vulnerabilities or misconfigurations, as well as copy-pasting code, is detrimental to application security.
Not every developer has the knowledge and skills to conduct comprehensive, nuanced, proactive and effective security-focused testing. Security-focused testing is a specialized skill set and requires separate effort in the QA cycle. Employ security specialists or onboard security-as-a-service providers to help you bring agility and security expertise into the QA cycles.
Application security and security assessment should not be a one-off effort, but an ongoing process right from the planning and architecture stages through the development, QA and production stages. The DevSecOps approach ensures that everyone in the development process is responsible for security. It leverages automation in scanning and security assessments to make the process seamless and scalable, reduce the time spent on back and forth between developers and testers, and improve the speed and agility of delivery without being haphazard about security.
An ideal team structure for secure SDLC/ DevSecOps must include developers, lead developers, technical security officers, DevOps and DevSecOps engineers, testers, operations and monitoring engineers, and agile coaches. By leveraging the services of security auditors and pen-testers (external/ consultants), the organization can further improve its level of security.
Ashish Pradhan is responsible for all technology functions like engineering, client services and customer support at Indusface. Prior to joining Indusface, Ashish held various senior leadership roles at Symantec Corporation in India and USA. During his 25 years of global experience in the software industry, Ashish has helped create and grow a broad variety of software products spanning systems management, IT compliance, and information security domains.