Software quality and security are about addressing the needs for mission assurance, which requires an outcome-based focus on software assurance and cyber security throughout the life cycle. To scale and respond to operational needs while reducing technical debt, aerospace and defense organizations must automate the collection and reporting of standards-based measures, especially in a DevQualOps or DevSecOps environment.
Reduce the cost of quality and deliver new capabilities faster
The primary recommendation is to reduce the cost of quality and deliver new capabilities faster. One way to do this is by “shifting left”—performing security activities earlier in the software development life cycle (SDLC). To reduce software failures, developers and DevSecOps teams should:
- Address security as part of quality defect prevention
- Automate quality in workflows by using tools with security domain checkers
- Understand how key CWEs and CVEs are exploited to turn a weakness into a vulnerability
- Minimize failures by mitigating weaknesses (CWEs) and vulnerabilities/exposures (CVEs)
- Leverage the CISQ Automated Source Code Data Protection Measure
- Minimize risks attributable to open source software modules and libraries
Benchmark against peer organizations
Another recommendation is to benchmark against peer organizations using the Synopsys “DevSecOps Practices and Open Source Software Management 2020” report. The recommendations of that report include:
- Use DevSecOps tools.
- Secure the entire SDLC.
- Manage open source code selection, governance, security, patching, and sustainability.
Identify weaknesses, vulnerabilities, failure symptoms, defects, and improvement targets
The CPSQ report also recommends overcoming the “lack of understanding of internal functionality” in legacy systems by identifying weaknesses, vulnerabilities, failure symptoms, defects, and improvement targets:
- Rehost to move systems from the mainframe to the cloud.
- Replatform to speed code execution on new hardware.
- Refactor to reduce technical debt and future failures.
- Create SBOMs for all network-connected assets to enable resiliency in a changing threat environment.
- Use relevant standards such as ISO/IEC 25010 and the OMG Automated Source Code Quality Measures from CISQ.
Employ quality practices
In addition, the CPSQ report recommends employing quality practices:
- Prioritize needs and requirements.
- Control scope changes and minimize complexity.
- Plan for defect fixing and refactoring.
- Establish rigorous quality gates.
- Test components early and often.
- Invest in quality engineering tools.
Automate quality in workflows
The final recommendation is to automate quality in workflows by using tools with “security domain checkers under the hood” that enable organizations to select tools and services for their continuous integration/continuous development (CI/CD) pipeline. Synopsys offers quality tools and services to automate software development.
Synopsys offers quality tools and services to ‘shift left’ and automate quality software development: