An athletic footwear manufacturer has a slogan that says, “Just do it.” It’s also a command that the leaders of some organizations issue to their application developers.
However, if application security isn’t rigorous and disciplined, just getting it done will expose the enterprise to risk. That’s why the DevOps movement, which emphasizes collaboration between developers and IT, is so important.
Jim Ivers of Cigital, which offers a number of services including application security testing, argued in a column this week that successful development teams must have a software security group (SSG) and a software security initiative (SSI).
An SSI is the set of activities necessary to build security into the development process, rather than the reactive process of bolting security onto existing software. The SSG is the group that makes the SSI work. As Ivers describes it, the software security group provides policies and processes, and liaises between the development team and IT security.
Successful software security means testing applications to get results that are observable, measurable, and consistent. Without a formal and disciplined approach, your group isn’t going to get that.
“For firms with an SSI/SSG, habits and process are the critical success factors,” writes Ivers. “Staff is not only trained, but incentivized to raise their security IQ. There are clear paths of communication between the security team and the developers. Experienced organizations learn that security is not a drag on performance, but can provide productivity gains by eliminating security vulnerabilities early in the development process. Effective metrics are produced to demonstrate to management the value of the program and reduction of risk.”
It’s imperative that DevOps teams cut the number of flaws in their code. There are any number of tips, tricks and lists of ways to avoid security design mistakes. One of the most recent was issued by the IEEE last fall, and the SANS Institute publishes a list of the top 25 software errors. But unless there is a disciplined software development process, teams will still churn out applications that have too many bugs.