Application security

The secure development lifecycle

Caitlin Johanson

Director, Application Security


DevSecOps is mission-critical to enterprise resilience

Whatever tolerance we had for failure has been turned upside down in the cloud. The consequences have never been greater. So, what’s the solution? As made clear in Coalfire’s latest Cloud Advisory Board (CAB) Securealities report, "Smartest path to DevSecOps transformation," nothing is more important to enterprise sustainability than the modern discipline of building security directly into the software development lifecycle.

The cloud’s impact on the speed of development combined with an ever-expanding attack surface compels CISOs and InfoSec professionals to adopt steeper, faster learning curves and new AppDev best practices. The top takeaways for achieving a secure reality from the report are:

  • Inject security from the outset of all software development
  • Embrace the mindset that attacks are inevitable
  • Build executive buy-in by tracking business KPIs (not just security metrics)
  • Perform threat models to mitigate risks before writing any code

Modern development discipline

The increased risk exposure and expanding attack surfaces in hyperscale, multi-cloud environments have virtually eliminated the margins of error we used to take for granted. With all the commercial gains achieved from the cloud’s ability to reduce IT friction, there is no turning back.

Most product development teams are not used to the continuous creation and destruction that cloud workloads deliver, but they need to be. Our challenge is managing a constant emergence of risk while taking full advantage of the cloud’s transformational security capabilities.

Security must be injected into the first sprint, and within every scrum and epic thereafter. The cloud is driving the final leftward shift to a best-practice methodology of DevSecOps, and the continuous integration and deployment of security into development lifecycles.

Embedding security into the secure development lifecycle (SDLC) – elements of success:

  • Executive buy-in/support
  • Dedicated application security resources
  • Shift-left security (DevSecOps)
  • Defined secure coding standards
  • Secure SDLC maturity roadmap
  • Application security testing gates
  • Cross-functional communication/collaboration

There’s no future of safe spaces – attacks are inevitable. We must operate under the constant, urgent momentum of detection and response.

Executive buy-in

The reality is that perceptions of risk vary far more widely than the actual risk itself. CISOs need to develop their intuition in this regard, be able to clearly articulate to executive leadership why their risk needs to be prioritized, and show how to integrate those priorities at the forefront of product lifecycles.

Common characteristics among threats to business:

  • Continuity after disruption
  • Privacy protection
  • Stock price/market value
  • Ransomware
  • Logistics
  • Supply chain
  • Sketchy/superficial vendors
  • Stolen trade secrets
  • Nation-state actors
  • Brand reputation

CISOs need to be able to show others, often non-technical folks, that they understand the priorities specific to the business and make the case for provisioning and budgeting security into the product development process. A CISO has to be good at math, but even better at psychology.

Best metrics for AppSec program success:

  • Number of High / Critical vulnerabilities found in the development process
  • Number of High / Critical vulnerabilities found in production
  • Recurring vulnerabilities found in the development process
  • Number of incidents / service disruptions caused by security issues

By conducting a stakeholder review, business priorities will rise to the top, which in turn helps set precedent and prioritization for identifying development lifecycle vulnerabilities and managing the threats those stakeholders perceive.

Threat modeling and DevSecOps architecture

While threat modeling is the key to integrating security into development lifecycles, it’s also where most corners get cut. Threat modeling is thinking through how everything from an entire system to a single line of code can be manipulated or attacked, then mitigating those threats before writing the code. DevSecOps instills the demand for continuous risk prioritization, security scanning, testing, and remediation.

Repeating the secure product mantra brings home the point and sets the right tone for what happens in the cloud: everything scales. Continuous, dynamic development across the enterprise is the new norm. This approach trickles down to help establish protocols within software development teams, making security checkpoints foundational to code development.

Something to keep in mind when it comes to secure development – like the 88 keys on a piano, there are millions of sounds and inflections that can be produced. Though incalculable, there’s still a limited framework that the musician must work within.

Threats can be modeled, but every single threat cannot be accounted for. Intuition plays a vital role in strategic risk management. Logical thinking, feeling, choosing, and playing the right notes work together to secure not only the development lifecycle, but the lifecycle of the organization itself.

Check out an interactive experience of the smartest path to DevSecOps transformation.