The best way to solve the software security problem is to solve it when and where it starts: at the software creation phase. Solving the problem after the software is written and deployed is like testing and fixing cars only after they have left the factory. Fortunately, the industry has already realized this and has started integrating security controls and checks early in the software development lifecycle.
Securing the Software Development Lifecycle

The first few iterations of securing the software development lifecycle focused on adding isolated activities to the software development organization. When these first iterations came out, most organizations were following a waterfall methodology. One popular methodology for integrating security into the Software Development Life Cycle is OpenSAMM (https://www.opensamm.org/). OpenSAMM defines 12 security practices divided among 4 business functions: Governance, Construction, Verification and Deployment, with 3 security practices under each business function.
SAMM Overview

You can see right away that the methodology assumes the business functions are neatly segregated from each other. OpenSAMM works well for organizations that use waterfall methodologies. Another popular methodology is the Building Security In Maturity Model (BSIMM), used by organizations such as Capital One, Verizon and Freddie Mac. Similar to OpenSAMM, the BSIMM framework consists of 12 practices organized into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment.

Building Security In Maturity Model (BSIMM)

While BSIMM and OpenSAMM focus on integrating multiple security controls into the software development lifecycle (SDLC), several challenges arise when it comes to implementing these frameworks.
As Brent Midwood puts it in his article, Security & Development: Better Together:
“The world of software development where a waterfall methodology dominates and isolates teams working in silos is long gone.”

Developer-Centric Solutions

Some of the most innovative companies today, like Facebook, Google, and Amazon, pride themselves on being developer-centric cultures. Such cultures are more attractive to top engineering talent: giving engineers mastery, autonomy and purpose is key to building a strong engineering culture. There are several definitions of a developer-centric culture, but one of the best we have heard is: “In a ‘Dev Centric’ culture the developer is responsible throughout the product lifecycle, from product definition to maintaining it in production.”
At reshift security we believe that the main reason companies do not really have a grip on the software security problem is not a lack of interest from software developers, but rather a lack of developer-centric security solutions. Looking at the existing software security problem, getting software developers to embrace shipping more secure code is often seen as a big “change”. Yet developers have adopted and promoted several changes before: “API First”, “Cloud” and “Serverless”, to list a few. Software developers are a smart breed who solve problems for a living. Forcing the solutions that worked for security audit teams down onto developers, and expecting them to simply adopt those tools and accept that they work for developers, is a kiss of death.

How Developer-Centric Security Solutions are Different:
Fixes, not just bugs: once Google started sending “fixes” instead of just “bugs”, developer engagement increased dramatically.
Seamless integration into the developer's workflow: most security tools do integrate into the developer's workflow in some form, but some integrations are shallow and others are not. Most offer an IDE plugin or some form of integration into the build process. A seamless integration into development is more than IDE plugins and build integrations: it is one where the developer almost does not feel they are using anything other than their normal tools, yet somehow they are writing more secure code.
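The two points above, a tool that hands the developer a fix rather than a finding and a check that lives in the normal build or commit step, can be shown in a few lines. The following is an added example written for this article; it is not reshift's product or any code from the page. It assumes a hypothetical pre-commit check for one concrete pattern, unsafe `yaml.load()` calls in Python, and a constructed sample source file. Instead of only reporting the line, it produces the unified diff a developer could apply directly.

```python
"""Added example: a 'fix, not just a bug' pre-commit check for unsafe yaml.load() calls.

yaml.load() without an explicit Loader can construct arbitrary Python objects from
untrusted input; yaml.safe_load() is the drop-in replacement for plain data.
This script is hypothetical illustration code, not a vendor tool.
"""
import difflib
import re
import sys

# Constructed sample input, standing in for a file a developer is about to commit.
SAMPLE_SOURCE = """import yaml

def load_config(path):
    with open(path) as f:
        return yaml.load(f)
"""

# Matches yaml.load(<single simple argument>) and captures the argument.
# Calls that already pass a second argument (e.g. Loader=...) or nest parentheses
# are deliberately left alone: a conservative autofix must not guess.
UNSAFE_LOAD = re.compile(r"\byaml\.load\(\s*([^,()]+?)\s*\)")


def find_unsafe_loads(source):
    """Return (line_number, stripped_line) for each unsafe yaml.load() call: the 'bug'."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if UNSAFE_LOAD.search(line):
            findings.append((lineno, line.strip()))
    return findings


def fix_unsafe_loads(source):
    """Rewrite yaml.load(x) to yaml.safe_load(x): the 'fix' the developer actually wants."""
    return UNSAFE_LOAD.sub(r"yaml.safe_load(\1)", source)


def make_patch(original, fixed, filename):
    """Unified diff of the fix, suitable for `git apply` or an IDE quick-fix."""
    return "".join(difflib.unified_diff(
        original.splitlines(keepends=True),
        fixed.splitlines(keepends=True),
        fromfile="a/" + filename,
        tofile="b/" + filename,
    ))


def check(source, filename="config.py"):
    """Pre-commit entry point: (exit_code, report).

    Exit code 1 blocks the commit, like any other failing hook; the report carries
    both the finding and the ready-to-apply patch so the round trip ends here.
    """
    findings = find_unsafe_loads(source)
    if not findings:
        return 0, "ok: no unsafe yaml.load() calls in %s\n" % filename
    fixed = fix_unsafe_loads(source)
    report = "".join(
        "%s:%d: unsafe yaml.load(), use yaml.safe_load(): %s\n" % (filename, n, line)
        for n, line in findings
    )
    return 1, report + make_patch(source, fixed, filename)


if __name__ == "__main__":
    # Usage as a hook: python check_yaml_load.py path/to/file.py
    # With no argument it runs against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            code, out = check(fh.read(), sys.argv[1])
    else:
        code, out = check(SAMPLE_SOURCE)
    sys.stdout.write(out)
    sys.exit(code)
```

The point is not the regular expression, which covers only the simplest call shape and says so in its comment, but the shape of the output: the same check that would have produced a ticket produces a patch, and it runs where the developer already is, in the commit path, with an exit code the existing hook runner understands.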