If your car was recalled multiple times each year to fix critical safety flaws that made it unfit for the road, you'd be furious. Why do we allow the equivalent in our software development then?
Statistics suggest that we're setting an unconscionably low bar when developing software. A survey by Immersive Labs found that four in five developers knowingly ship code with vulnerabilities, often due to pressure from higher-ups. That points to a dysfunctional system. This is an issue the Biden Administration has sought to address in a recent Executive Order.
The dysfunction lies in a lack of alignment. Software development has multiple stakeholders, including coders, senior managers, customers and financial controllers. They have different agendas that often pull in opposite directions. When security problems emerge, they all blame each other. That's not sustainable.
We can begin to fix this problem by convincing all stakeholders, from DevOps teams to C-suite executives, that everyone is responsible for security. Everyone must do their part to promote it as a priority in the software development life cycle (SDLC). That means sacrificing time and effort to support secure development, which could mean pushing back delivery deadlines.
Refocus on Process and Tooling
A focus on security also means investing in the right procedures to support secure software development. This means moving beyond DevOps, a discipline that closes the gap between development and operations by re-engineering and automating processes shared between the two. We must make security a key part of that automated process in a discipline called DevSecOps.
What kinds of security procedures and standards can we codify in our SDLC? Training in secure coding best practices is a good place to begin, and standards like the OWASP Top 10 can help here.
We also recommend building automated tools into the development process to help deliver more secure code. Code analysis tools can scan committed source code for vulnerabilities while scanning third-party libraries used in your code will help catch vulnerabilities in your software supply chain. You can automate these tests in a gated continuous integration and deployment (CI/CD) process to prevent releasing code that doesn't meet these security benchmarks.
Just as with vehicles, baking quality control into the development lifecycle won't entirely eradicate production flaws. Just as vehicle components still occasionally need recalling, software will sometimes need patching. When bugs arise, though, we can apply security disciplines to squash them quickly and effectively.
A mature approach to remediation begins by designing modular architectures for easier updates. It also includes approaches to patching, such as team swarming that accelerate remediation for faster fixes. Building pipelines that support rapid deployment helps to get those fixes out.
Trust No One
These security practices are a great start, but they assume that everyone using the development tools is legitimate. That isn't always the case, as the SolarWinds development breach and other recent incidents have taught us.
We must remove implicit trust from our software development environments and replace it with zero trust disciplines that verify a user's identity and context. We should score each developer's risk profile during sessions using contextual pointers such as the device they're using and the network they're accessing from.
Security measures to protect account credentials such as multi-factor authentication and anti-phishing tools will help, as will endpoint protections including patching, mobile threat defense and privilege management.
These end-to-end security measures may seem burdensome, but they're critical. We can make their implementation easier and more consistent by integrating them within an IT service management framework. That will unify all tasks and their supporting data into a single dashboard to improve productivity and ensure nothing slips through the cracks.
As these integrations become more mature, teams can begin building in more sophisticated AI technologies to handle repetitive data-intensive tasks such as security scanning. This will free up IT teams to refine their software development further still.
There's too much at stake to let software development security languish any longer. Following the worst cyber-attack on the US government in history, the Biden administration is taking this problem seriously. The president has considered cybersecurity ratings for US software, and his Executive Order on improving cybersecurity ushered in new requirements for secure software development standards that will affect federal procurement, and therefore the entire market.
With cybersecurity risk rising and governmental regulations looming, the best time to secure the SDLC was yesterday. The next best time is now.