In the current environment, it is wise to incorporate security into your software development lifecycle as early as possible. Historically, security checks were a pre-release gateway for a software team: if you passed, your product/service could go to production. At the same time, security checks used to require a code and environment freeze, while audit preparations led to chaos and a non-systematic approach in collecting important security documentation. All these elements led to a bottleneck for the project team. However, a long wait for security testing results is no longer an option since the typical project pace has significantly increased. Various project models suggest their own approaches for introducing security into software development.
For example, in the Spotify model, it is recommended to look for “security champions” - active members of a team with dotted-line reporting to a central Security Team. Classic scrum-based models assume that a project team and product owner are responsible for cybersecurity. The main question is how to achieve acceptable results since most developers are not security professionals and only a few have security knowledge. Consequently, each project requires dedicated security specialists.
Why do we need security experts on our projects? As mentioned above, only some developers can boast any expertise in information security. Moreover, it would be almost impossible to pass an external audit for compliance with common regulations without security specialists on your team. For example, one globally known PCI DSS regulation requires companies to to develop applications securely, design and implement secure Cardholder Data Environment as well as perform regular vulnerability scanning, penetration testing, and security code reviews. Having a security expert on a project is also a competitive advantage since providing security by default opens the doors for large projects and contracts.
Let’s see how we can integrate a security team in a scrum-like process. There is a strong need to work on security at an earlier stage in the development cycle (requirements stage), even before any coding. The approaches to building a security process differ from company to company, but the goal of the process is to design and implement software that protects the company’s data and resources, meets security requirements, and is resilient in the face of security vulnerabilities and failures. Many companies call this process “Security Assurance”. Following are the typical steps to take in setting up a Security Assurance process:
- Compliance management. It is best to start with regulation identification relevant to the product/service, then move on to gap analysis and response statement preparation. It is also necessary to model the set of technical controls and address any gaps for security requirements in a product/service.
- Threat modeling and risk assessment. Set up a process by which potential security threats can be identified and enumerated. Once this is done, a project team should understand what the risks are and identify the potential impact of these threats. All these answers could help in planning mitigation controls and reducing the probability of any security breach.
- Security requirements management. Here we take into account existing security requirements and policies together with security best practices and risk assessment results. It is important to integrate all of these into development and configuration guidelines as well as ensure that each security requirement is addressed properly in user stories. This involves business analysts who work closely with security teams in order to avoid missing anything.
- Security architecture reviews. Security reviews are designed to discuss mechanisms suggested by the team and analyze whether they address the security requirements previously defined. The team could further work to identify relevant security mechanisms and controls and customize them according to project needs. Examples of such features and controls are public key infrastructure, cryptography and secrets storage, authentication services, access control, and security event logging. In addition, security experts are also available for ad-hoc consulting sessions and security onboarding as well as education for team members.
- Security testing by QA. The aim of such an exercise is to close the security verification gap since only QA can validate how the security requirements have been actually implemented in the software. One might ask "why should QA do this when we’ll be conducting penetration testing?” However, the goals and methodology of penetration testing are different - the pentesting team sees only the tip of the iceberg (and they could also have no time to perform in-depth testing, as the scope of a pentest is usually limited to a specified time frame). In contrast, regular QAs can perform a subset of tasks that are typically run during the pentest, either during every release or significantly ahead of it. That would help software go into production much quicker since a pentest would likely result in fewer issues and the team would already be prepared.
- Prerelease security verification. This is a standard set of security testing activities that includes secure code review, pentests, and infrastructure audit.
This list could be longer. Depending on the budget and stakeholders' decisions, it could also include an Automated Security Testing initiative known as DevSecOps, which integrates security checks even further into the development flow, or mandatory security education as part of project onboarding procedures - each person should complete general security and compliance awareness training and role-specific courses.
Overall, setting up the Security Assurance process establishes a systematic, risk-based view of cybersecurity. It offers benefits to any business:
- Security Assurance minimizes the risk of security pitfalls, meaning less frustration for your clients. Sometimes a sophisticated Security Assurance program guarantees protection against lawsuits.
- Security Assurance thoroughly prepares your company for any incoming security audits.
- Dedicated security specialists can save your project teams from boring security tasks.
- Your solution will be indeed more secure.