6 security risks in software development and how to address them

0
79


CIOs and their IT departments face significant business pressure to modernize applications, improve customer experiences, migrate applications to the cloud, and automate workflows. and comprise the cultures, practices, tools, and automations that enable software development teams to achieve these goals and deliver business value with greater quality and in faster release cycles.

The most advanced development teams have fully automated with integrated and deploy with . They connect change management and incident management workflows with agile development tools and use to find the root causes of production issues faster.

Yet security issues in software development persist. In , only 36% of respondents rate their application security program a 9 or 10, while 66% said that application security tools protect less than 75% of their codebase, and 48% acknowledged that they push vulnerable code into production regularly.

These security shortcomings are not for lack of technology, consulting, or security service providers. The identifies more than 3,500 potential security partners. Ultimately, the key to delivering business value while minimizing security risks in sofware development is clearly defining security principles and communicating them to software development teams.

Here are six risks that CIOs and IT leaders should focus on and ways to address them.

Risk #1: Not treating security as a first-class devops citizen

It’s easy to say the organization puts security first, and many organizations do follow . But with infosec often understaffed compared to the number of development teams, it’s easy to see how other business and priorities dominate agile team backlogs and why security practices are not adopted uniformly across the organization.

and so that infosec can flag higher-risk features and user stories early in the development process.

  • Record and publish sprint reviews so that infosec can watch more of them and flag risky implementations.
  • Require that all newly developed APIs, microservices, integrations, and applications instrument the required security tests in their CI/CD pipelines.
  • Defining principles, ensuring cross-team collaboration, improving culture, and promoting team happiness may be the most important ways CIOs can contribute to improving software security. In the , happy developers proved to be 3.6 times more likely to pay attention to security.

    , which sometimes leads teams to implement code-intensive solutions that introduce security risks.

    Agile development teams should begin by asking the product owner questions about feature priority and negotiate its scope and requirements. One way to do this without being confrontational is to enforce rigor in and so that complexities get exposed before coding begins.

    Once the team agrees on priorities and feature scope, development teams should consider where they can leverage third-party technologies in the implementation. The review should include , open source libraries, commercial frameworks, public cloud services, and software-as-a-service tools. 

    , only 72% of respondents report having a policy on open source use, and only 64% reported having an open source governance board. That’s only the tip of the problem, as 16% of respondents believe they can fix a critical open source vulnerability once identified.

    or other . 

    Clearly defined policies, governance, and management practices around open source usage, tool selection, and technology lifecycle management are needed to mitigate risks. But organizations differ on best practices; some lean toward more openness and others toward less risk tolerance and stricter procedures. To strike a balanced policy between security and innovation, CIOs should establish a multidisciplinary team to define governance procedures, practice standards, tools, and metrics.

    Having tools that integrate developer capabilities with security best practices can alleviate some of the challenges of selecting open source components. Jay Jamison, chief product and technology officer at , shared this insight regarding Quick Base’s approach to innovating with open source:

    “We are an early adopter of , which makes it easier to root out vulnerabilities in open source projects managed on its platform. This is an important step to moving security earlier in the software development lifecycle, or as it’s known among developers, shifting left.”

    Risk #4: Unfettered access to source code repositories and CI/CD pipelines

    Securing in-house software used to amount to locking down version control repositories, scanning code for vulnerabilities, defining minimum privileges to facilitate deployments, encrypting connections, and running penetration tests. Locking down the network and infrastructure was a completely separate security realm involving separate tools and disciplines managed by IT operations.

    Today, there are more risks and more tools, but also better integrations. I spoke to Josh Mason, VP of engineering at , about Cherwell’s approach to securing code. “At Cherwell, we layer automated static analysis security testing (SAST), dynamic application security testing, and human-driven penetration testing, which in unison tend to improve productivity. Implementing SAST as part of the CI/CD pipeline moves the discovery process further left in the software development lifecycle, resulting in quicker and less expensive resolutions,” he said.

    Mason also recommends locking down the version control repository. “Taking guidance from the zero-trust model and the principle of least privilege is a good practice that limits access to source-control repositories and its functions. Source control repository [solutions] such as Azure DevOps, GitHub, Bitbucket, and others provide fine-grained user permissions to limit developers — or whole development teams — to a smaller portion of the codebase related to their work.”

    Rajesh Raheja, head of engineering at , a Dell Technologies business, recommends several security disciplines where development teams should take responsibility. “If the software isn’t developed properly, the security risk is magnified at a scale far greater than if an individual system was breached. You can mitigate risks by securing the CI/CD pipeline, locking down systems with the principle of least privilege, implementing secure workarounds for automation with multifactor authentication, driving security awareness within the team members, and developing secure coding practices.”

    Risk #5: Securing and managing sensitive data

    Although many devops teams are versed in security practices for developing, testing, and deploying applications, they must also layer in security practices around data management and . 

    Chris Bergh, CEO of , explains the issue and an approach to automating more data operations security. “Data privacy and security challenges prevent companies from monetizing their data for competitive advantage. Manual processes can’t address the issue — there is simply too much data flowing too rapidly to cope with it. Datasecops is a methodology that automates data privacy and security, integrating privacy, security, and governance into automated workflows that execute alongside data analytics development, deployment, and operations.”

    The main dataops challenge for CIOs and IT leaders is adopting , labeling sensitive data, and educating developers and data scientists on acceptable data practices. Centralizing identity management, defining role-based entitlements, and masking sensitive data in development environments are important data security and data privacy practices.

    Managing sensitive data goes beyond data security. For example, many companies, especially those in regulated industries, must capture data lineage showing who, when, where, and how data changes. These companies often utilize data integration and data management platforms that have built-in data lineage capabilities.

    Risk #6: DIY security expertise and solutions

    My approach to managing risk and security has always been to seek advice from different experts. Security threats are growing in intensity and complexity, and it’s unlikely that most organizations have all the required expertise. Furthermore, when security issues do arise, having a list of people to consult with on reducing risks, addressing issues, collecting forensics, and shoring up vulnerabilities is critical to minimizing the impacts.

    Although tools and practices help CIOs address today’s issues, we need the experts to help with the next set of security challenges.

    Copyright © 2021 IDG Communications, Inc.

    LEAVE A REPLY