Richard Wheatley
Whether it is personal banking, accessing government services, controlling the heating system in our homes or running our relationships, we are increasingly dependent on software applications to run our daily lives. The impact of any associated security breach ranges from the inconvenient to the positively damaging. As a result, product teams, whether in start-ups, corporate organizations or vendor organizations, have a great responsibility to ensure that these software applications are secure and remain secure throughout their lifetime.
Furthermore, product teams face this particular challenge against a backdrop of increasing complexity and velocity: they must deliver reduced time to market and more feature-rich, interactive user experiences, within a dynamic environment of tools and techniques, deploying into an ever-changing infrastructure predominantly represented by the World Wide Web. As a result, to ensure that the software applications we have become so reliant on are secure and remain secure throughout their lifetime, we need to adopt a security-first approach.
A security-first approach means putting security front, right, left, and center of everything, and encompasses a mindset, job performer skills, methods, and organizational design. Individually, we need to understand at all levels what that means at the job performer level. That could be a user interface (UI) designer considering the security implications of a feature, a developer applying the principle of least authority to user authentication, a SQL developer crafting a minimal query on a dataset, or an architect working on a strategic product vision. We should not be constrained by the security-first approach; on the contrary, we should be liberated by it. For a UI designer it should not be a trade-off between usability and security first, but an opportunity to find complementary solutions such as biometric recognition.
We must move beyond DevOps to a DevSecOps model, where we build security into the traditional DevOps process enabling test automation, continuous integration, and deployment.
We should endeavor to remove silos wherever possible, particularly with reference to the security department or groups, who must move beyond the compliance model to support the rest of the organization in reaching a security-first perspective, through training, awareness, and continuous vigilance. We need to move from a generic sense of application vulnerabilities to a specific, real-time assessment of our own application's vulnerabilities.
We should seek ways to move away from multidisciplinary teams (people from different disciplines working together, each drawing on their own disciplinary knowledge) toward interdisciplinary teams (people integrating knowledge and methods from different disciplines in a real synthesis of approaches).
We must leave the theoretical arguments aside and accept that 84% of security breaches occur as a result of social engineering, and that privacy and security are inextricably linked. We must invest time in updating an individual's awareness of the latest patterns and threats. We must be aware of new developments such as Differential Privacy, a product of big data, and its associated techniques that ensure that large data sets can be queried without compromising an individual's privacy. That is to say, we need to allocate time for people to assimilate new tools and patterns and understand where to apply them within a security-first context.
We need to move away from the traditional product development cycle, with its implication that products are developed, deployed and transferred to a Business As Usual (BAU) support team doing occasional updates and bug fixes.
Commercial sponsors need to embrace mature Total Cost of Ownership (TCO) models that address the total lifetime of a product, without the need to factor in the costs of a security breach. Product teams are under significant pressure to build applications that are secure and remain secure throughout their lifetime; however, this challenge can be met if we adopt a security-first approach.