Continuum Security in collaboration with Micro Focus are thrilled to publish our new whitepaper entitled: A Systematic Approach To Improving Software Security: RUGGED SDLC
In our 24×7 digital economy you should build trust by creating products that go beyond the expectations of your customers for security and privacy. But modern software development is a complex process even for the seasoned professionals. Perhaps not too long in the future, this complexity will only be handled by specialized machines.
That’s why security must be rethought to keep up with the software evolution. Application security vulnerabilities are just defects like any other and every team in the organization around the SDLC plays a role in improving the security quality of the produced software.
We must change the definition of what “good software” is. In the middle of the last century “good software” could be “the one that works”, this concept evolved later to be “the one that works on a predictable scheme”. Later it changed again to fit “the one that works with predictability and flexibility”. This white paper explores how we should change (again) this definition to consider security as an intrinsic quality of “good software”. We’ll also explain some initiatives to support this new rugged model for software security in the DevSecOps era. A few key takeaways:
- We’ll highlight how communication and education should be the core pillars of this change. We need to empower a collaborative mindset between security and the rest of the stakeholders in the process. The Security team should change its mindset to be able to adopt the DevOps culture. That’s why the Security team should speak the same language as developers.
- We’ll show why Architecture-based Threat Modeling is a good framework to share use cases for threats and also for business requirements. Developers are used to working with use cases and with non functional requirements. In this case Threat Modeling can help to get actionable outputs that developers understand and can track with their day-to-day tools, such as issue trackers and sprint planning tools.
- Since the number of threats grows exponentially and resources are limited, tradeoffs must be made. Threat Modeling helps to make better and more informed decisions based on the agreed risk profile for the organization (aligning business, compliance and security requirements). And the best moment to do this is at design time, before you write a line of code, saving expensive and time-consuming changes at the end of the development cycle. Threat modeling can also act as a glue between the rest of the software security initiatives that need to be automated (including SAST, DAST, IAST, and third-party component analysis).
- Security Champions and Bug bounty programs can also help to scale security activities along the pipeline facilitating continuous delivery.
- Start small and gather security metrics to allow continuous improvement of the model, adopting the Agile culture into the security processes as well.
To access this free white paper please complete the form below.