Software-Defined Security Governance: The Market Shift

Digital transformation drives organizations to software-define every aspect of what they deliver to customers, from infrastructure to networking and more.

While software security is a term that has seemingly plateaued, making its way through industry analyst reports and deemed yesterday’s news by some, organizations are still lagging and feeling the business impact that comes with ignoring this crucial part of the software lifecycle (SLC).

Every business today is truly a software business, and businesses want to roll out new features to customers as quickly as the ideas come to them. This means deploying software and updates rapidly. It is important that the rest of the business moves at this cadence: that means providing visibility into security risk at the speed of delivery, so that risk decisions can happen before a change exposes the business beyond its tolerance.

The Building Security In Maturity Model (BSIMM) and other data show organizations going beyond merely matching the cadence of development with vulnerability discovery: they are using software-orchestrated security telemetry to replace human elements of security governance.

To put it in simpler terms, organizations are choosing to bake security into the software development lifecycle (SDLC) from the start, so that vulnerabilities can be identified and remediated as early as possible to reduce risk.

Forward-looking organizations are looking beyond the vulnerability discovery they can fit within the development lifecycle and are augmenting that approach with telemetry pulled from running software and infrastructure. Introducing these continuous sources of security data provides an actionable and pertinent perspective that complements the information gleaned during development.

The Ultimate Money Pit: Vulnerability Discovery Tools
Traditional vulnerability discovery tools are costly to own and maintain, largely because of the manual and siloed effort required to use them properly. The cost problem with these tools is twofold:

  1. Rollout – Any new enterprise tool comes with onboarding costs, and vulnerability discovery platforms are no different. Significant time and resources have to be dedicated to closely managing the rollout and general maintenance to ensure that the new tool fits the very specific needs of the business. With the majority of enterprises running multiple scanning tools, each responsible for a different aspect of the development process, bringing on a new tool can drain a good amount of resources before it generates portfolio-wide visibility.
  2. Day-to-day – Organizations are often surprised to find that the time and resources required to roll out a new tool are also needed on an ongoing basis to keep that tool functioning and tuned for changing technology stacks and security standards. Add to the cost of ongoing maintenance the cost of triaging avalanches of results, managing remediation of the issues that surface, and closely tracking how those remediations affect the rest of the SDLC, and the workload becomes tedious.

Without identifying and working towards resolutions for the above problems, organizations are at a significant disadvantage, with negative impact on both their security budgets and their overall security posture.

The Transition Security Governance Needs
Historically, organizations would augment an SDLC with security gates, applying security governance through assurance at each phase of the lifecycle in lockstep: create code, stop, test it; compile code, stop, test it; then deploy code (to staging), stop, test it.

Forward-thinking security initiatives are evolving along with development cultures. For security to keep pace with business application delivery, they are replacing the “stop and scan” model with continuous security monitoring of both code and systems. They then combine these views into a more holistic perspective of the risk that a business application faces, and conduct risk management as soon as that visibility becomes available.

When continuous visibility is combined with the ability to remediate issues seamlessly (applying controls through continuous integration or deployment pipelines, through cloud management or virtualization guardrails, or through control planes that dynamically apply security controls in production), firms can control the cost issues associated with traditional security governance.
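As an added illustration (not code from the article or from any vendor), here is a small governance-as-code gate in Python: it merges constructed scanner findings with constructed runtime telemetry, as the continuous-monitoring model above describes, and evaluates the result against a stated risk tolerance so that a pipeline can allow or block a change automatically. The component names, severities, escalation rule and tolerance values are all assumptions.

```python
"""Governance-as-code gate: merge development-time findings with runtime
telemetry and check the result against a stated risk tolerance before a
change may proceed. Added illustration; every value below is constructed."""
from dataclasses import dataclass

# Constructed tolerance: what the business will accept in a deployed change.
TOLERANCE = {"max_critical": 0, "max_high": 2}
SEVERITIES = ("critical", "high", "medium", "low")

@dataclass
class Finding:
    source: str      # e.g. "sast", "sca", "dast"
    severity: str    # one of SEVERITIES
    component: str   # service or package the finding belongs to

def merge_with_telemetry(findings, runtime_events):
    """Runtime telemetry changes the risk picture: a high-severity finding in a
    component observed to be internet-exposed is treated as critical (assumed rule)."""
    exposed = {e["component"] for e in runtime_events if e.get("internet_exposed")}
    merged = []
    for f in findings:
        sev = "critical" if f.severity == "high" and f.component in exposed else f.severity
        merged.append(Finding(f.source, sev, f.component))
    return merged

def evaluate(findings, tolerance=TOLERANCE):
    """Return the gate decision plus the reasons, so a pipeline can block or
    allow a change without a human in the loop for the routine case."""
    counts = {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}
    reasons = []
    if counts["critical"] > tolerance["max_critical"]:
        reasons.append(f"{counts['critical']} critical > {tolerance['max_critical']} allowed")
    if counts["high"] > tolerance["max_high"]:
        reasons.append(f"{counts['high']} high > {tolerance['max_high']} allowed")
    return {"decision": "block" if reasons else "allow", "counts": counts, "reasons": reasons}

# Constructed sample: three scanner findings and one runtime observation.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "checkout-api"),
    Finding("sca", "medium", "checkout-api"),
    Finding("dast", "high", "admin-portal"),
]
SAMPLE_TELEMETRY = [{"component": "checkout-api", "internet_exposed": True}]

if __name__ == "__main__":
    print(evaluate(SAMPLE_FINDINGS)["decision"])  # allow: within tolerance on scan data alone
    print(evaluate(merge_with_telemetry(SAMPLE_FINDINGS, SAMPLE_TELEMETRY))["decision"])  # block
```

The same findings pass on scan data alone but fail once runtime exposure is folded in, which is the point of combining the two views before the risk decision is made.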

Organizations can also move more quickly to deliver functionality, confident that their visibility into changes in security posture will keep pace and allow proactive risk management, a true win-win scenario.

Why Is This Significant?
By automating the mundane parts of security governance, organizations are able to effectively reduce enterprise risk, reduce cost and build security into the SDLC to enable development to progress at the speed of the business without neglecting security.

Software development is crucial to the success of businesses across every major industry, but it could come with serious security concerns if decision makers aren’t careful. Practically everything else is software-defined across the organization. Security governance should be no exception.
