Secure Development

22 July 2020/ Uncategorized

Application development has for many years been, and still is, regarded by some as a Black Art, requiring a special skill that only a select few individuals possess. Sure, teams of individuals can try to replicate the Black Art, but they still struggle to attain what the “single mind” of an expert architect or developer can achieve when backed by a skilled and dedicated team. Now bring in the requirement to combine the skills of the expert developer or architect with the knowledge of security that can protect against a dedicated hacker, and the threshold requirements for success become exponentially higher for organisations wishing to create secure applications that delight users and customers.

That is where ISG come in. We have dedicated ourselves to the niche described as Secure Development, or more fully, development on secure platforms using programming standards, methodologies and tools based on the latest research into secure development. To assist our clients we work with advanced methods and tools, combining both Open Source and proprietary technologies within an Agile framework. Using tools like SBM, Dimensions and Fortify from Micro Focus to maintain control over development activities, our consultants use a secure development lifecycle focussed on delivery of well-tested code that conforms to secure coding standards established by Microsoft and OWASP. For further details visit www.microfocus.com, www.microsoft.com/en-us/securityengineering/sdl and www.owasp.org.

Some of the key challenges I am seeing regarding development projects are:

  1. Lack of structure in managing documentation associated with major changes to either packaged software or custom development projects. While the base software packages are usually well documented initially, with ongoing changes across multiple areas (often simultaneously) this well-documented base can be quickly lost without good structure around how documentation is maintained and linked back to coding modules.
  2. Use of coding standards which do not incorporate appropriate secure coding practices, nor practices around regular auditing and testing of code throughout the project design and construction phases. The rush to Agile practices can lead to a lack of the planning that is essential to adopting the multi-disciplinary skills approach required to implement secure development practices, with separate teams for development, security and quality assurance.
  3. DevOps is an emerging practice which requires the traditional functions of “Operations” and “Development” to work together smoothly in order to deliver continuous changes to production rather than “staged” releases of bundles of changes. This is replacing the idea of “Agile”, which was a concept applied mainly to development, describing how teams of personnel deliver regular, generally smaller releases more frequently than under waterfall models. These changes in the models applying to how work is done in IT are creating tensions in many organisations seeking to improve co-ordination with and support for new business initiatives and demand for changes to existing applications.

With these emerging challenges, security is often overlooked until it is too late. This leads to the implementation of new applications which have less than optimal security and creates a need to retrofit changes into new applications. This is akin to the local utility ripping up the brand-new footpath laid by the local council to lay new service lines because of poor planning across organisations.

There is no single answer to addressing these challenges. A good place to start is to understand the level of maturity of practices the organisation wishes to target and the timeframe within which you as an organisation want to implement that maturity. That maturity may differ by process, so undertaking a study to determine the desired maturity levels across the various parts of the IT and Business units is a great place to start.

As part of determining an improvement plan for the organisation, tools are often a key part of any capacity uplift. Those tools can range from portfolio management, resource planning and project management tools, through software code management tools and release planning and management tools, to release automation tools that push out and roll back releases in IT environments. Depending on the speed and volume of changes which an organisation wishes to adopt, and the size and number of the projects being conducted, a different mix of tools could be used to achieve the targeted results. However, to assure security within your environment, what is critical is that you maintain a considered and planned effort around the changes and consider security as part of your improvement journey.

For more information on how to start considering what your journey could look like and the benefits you will be able to generate, please contact John Frisken on 1300 66 33 58 or email [email protected]. If you wish to discuss any parts of this blog article you are welcome to email the writer on [email protected]