It's crucial that software security matches the lightning speed of modern software delivery; otherwise, our software users pay the price for insecure software.
I often have the privilege of meeting the founders of innovative software companies and consultancies. And I quickly realized that although software leaders want to release secure software, sometimes they have an understandable concern that security is a heavy and expensive process, filled with hurdles that slow down innovation. As such, there can be perceptions like:
"It's too early for us to think about software security"
"We'll handle security when we get traction"
"We don't have the budget for that now"
Validated Bias
The perceptions described above are not baseless. Years ago, software development moved in the steady step-by-step format of the waterfall model, i.e., we create all our architecture upfront, we design specifics, we scope the work, we code, we test, we release... we're done!
As you probably know too well, those days are long over. Agile software development introduced a very iterative nature to software development where all or some of those waterfallish steps occur in multiple, iterative, and incremental cycles. With test-driven development, you write your tests before you code. And with DevOps, a lot of the code integration, compilation, test, and release steps are automated!
The problem is that software teams still come across security experts who advocate a heavy step-by-step security review of software artifacts, and require tons of documentation from software teams. Additionally, a one-size-fits-all security process or framework is often tacked onto disparate software companies or projects.
As you'll agree, this is a mismatch.
A Better Way To Build Security In
A few days ago, I had the opportunity to discuss this problem at FutureCon, with my dear friends Anmol Misra, Brook Schoenfield, and Mike Skurko. Anmol is a Senior Director of Security at Autodesk, Brook is a Chief Software Assurance Strategist at TruePositive Security, and Mike is a Founder and Principal of PRE Consulting Inc (a sales firm for early stage cybersecurity companies with multiple successful exits).
It was a fascinating and illuminating conversation, and I want to share a few core principles that could be helpful to your company in any future software security endeavors.
Culture: Software security experts are to be partners, not inspectors. The role of software security is to come alongside the software leader and their team, to empower and enable the team to build and ship secure software. We don't get to stand back to dictate requirements and then march in as inspectors. Instead, we are collaborators in the innovative process. The security processes and tools must fit into those of the software teams.
Program: The security program must match the stage, maturity, and needs of the product or business. There are very few places where one-size-fits-all works, and software development is not one of them. The needs of a startup are different from the needs of a major corporation. Similarly, the security needs of an MVP are different from those of a beta release, which are different from the needs of a flagship product with thousands of users. The design and implementation of a secure development lifecycle (SDL) - and the cost of creating or running it - must take things like these into consideration.
Contextual Automation: Is a must-have. Just as modern software development and release is highly automated, security must be as well. The good news is that there are an increasing number of security tools that bring security analysis automation to different areas of software like architecture, APIs, code health, third-party component health, software testing, etc. Additionally, modern security tools integrate well into the CI/CD pipeline, delivering the right information at the right time to the right people.
Automation: Is not a holy grail. As much as automation helps, it will be unhelpful for software teams to expect to automate away all security effort. DevOps automates lots of software development processes, yes! But software development remains a craft that requires "manual" human creativity and insight. Software security is the same. AI may change this for software innovation in general, but we're still a long way from that.
Secure By Design: Choose Your Software Stack Wisely. Secure By Design often refers to the process of designing and building security into a consumer or B2B software product. Interestingly and wonderfully, this principle has been properly applied to some of the software building blocks of software development i.e. programming languages and cloud platforms. This means that wise choices in your software building blocks can reduce the time and cost to make your software secure.
Cost: The longer you wait to add security, the more expensive it will be. As tempting as it is to leave software security till a convenient time, research shows that this is often the more expensive approach. That isn't surprising since bringing in security later usually means re-architecting and re-designing. An alternative approach is that once you have a stable architecture or a stable software path that you're going to follow (even for an MVP), you should start engaging your security team/partner/consultant so you can proactively do the right thing for the stage you're at.
"On the last point, I must confess that what got me interested in software security in the first place is that years ago, as I deployed a startup app that I and my boss had sweated on, it was hacked. Instead of the press carrying the news of the launch as we had planned, they carried the news of the hack." - Damilare
Why Resilient Software Security Exists
Our mission is to partner with software innovators, empowering them to create and release secure software that protects customers and boosts trust. We're uniquely skilled at software security strategy, design, and operations, as-a-service. We meet you where you're at, and leverage over 60 years of combined experience to get you where you need to go.