In order to be more agile and respond to changes quickly, the business is demanding faster software deployments so that it remains competitive. As a result, organizations are implementing various Agile software development methodologies. While some methodologies may work better than others, the question is whether organizations are delivering software with enough security built in.
The traditional approach to implementing security in the Software Development Life Cycle (SDLC) results in software being reviewed at the very end and then recycled back into the SDLC to address security vulnerabilities – a costly and time-consuming approach. It also means software delivery dates are often compromised – causing distress to the business and to the executives who want to move more responsively.
451 Research surveyed 350 enterprise IT decision-makers across the United States and Europe, focusing on organizations that have implemented CI/CD. About half of the surveyed organizations reported increased speed to market but had failed to address application security deficiencies in their workflow. It appears that going for speed in the CI/CD pipeline is often done without security in mind, which leads to more vulnerabilities in the code and increased time and effort to remediate deficiencies (if they are remediated at all).
DevSecOps advocates that security should be built into each phase of the DevOps pipeline, rather than being applied only to a finished application. This allows the business to manage delivery dates for applications with security and compliance built in. The challenge is ensuring that everyone along the SDLC is responsible for security and compliance requirements – and that the business can obtain traceable assurance against software security risks.
Considering that most regulatory requirements are not designed to be easily integrated into the software an organization develops, and that compliance audits are only done periodically, it is critical that continuous security be part of the development pipeline in order to deliver secure code on time.
An important part of all approaches is to provide the development team with thorough security training and clear instructions on recognizing and remediating flaws appropriately. It’s also important that the most significant vulnerabilities are prioritized, as they carry the highest risk of exploitation. Add to this complexity the fact that not all applications are rated equally in terms of risk across an organization.