Building security into the software development life cycle (SDLC) has become a common practice in many organizations. While security activities reduce security risks and implement compliance-focused requirements within software, they also require time and effort. Development teams are very feature and delivery driven. Requiring additional time and effort makes security activities a low priority, if they are considered at all, in many developers' minds. This is why minimizing the impact of security activities on delivery velocity becomes a key issue for an organization to address when implementing a secure SDLC.
Maintain velocity during development
Each security activity requires skilled resources, training, a goal-oriented process, tools and support. It’s important to consider the readiness of an activity before rolling it out to the development team. Performing these activities in an effective and efficient manner can minimize the impact on the velocity of development. On the other hand, an ill-planned security activity can impact the project schedule or even disrupt the development process.
The following strategic approaches can improve the effectiveness and efficiency of security activities, minimizing impact on the velocity of development.
- Training – Security activities are generally uncharted territory for most roles within a development team. Awareness training on the security activities involved in the SDLC can help reduce fear and uncertainty within the development team. Role-based security training can equip analysts, developers and testers with the proper knowledge to conduct the security tasks related to their roles.
- Automation – Security activities such as secure source code review or penetration testing can be automated. For example, source code scanning can be incorporated into the continuous integration process. Additionally, a dynamic application scanning tool can help identify many frequently occurring security issues in an application.
- Developer tools – Developers are crucial within any SDLC and produce the main artifact of a project: the production source code. A security tool that integrates into the development environment, such as Code Sight, provides on-the-spot identification of design flaws and code vulnerabilities, along with highly relevant secure coding guidance for the developer.
- Standardization and scalability – Security requirements and architecture risk analysis (ARA) are hard to scale to multiple projects due to the lack of tool support and the need for highly experienced resources. These activities can rely on standardization to provide scalability. For example, the core set of security requirements is usually common across an organization. If a standardized set of security requirements has been established, and applicability criteria developed, project teams can map the criteria to the project requirements and identify the majority of security requirements. ARA and its sub-activity, threat modeling, are also challenging to scale. A multi-pronged approach can tackle this scalability issue:
  - Establish a security architecture blueprint – An organization can establish a security architecture blueprint containing a set of security architecture patterns and their reference implementation patterns to share across the enterprise. In doing so, development teams no longer need to redesign the same security solution again and again. They have a clear solution pattern to follow and implement. Shared libraries can be developed and tools introduced to benefit all projects across the organization.
  - 80/20 rule – For the 80% of applications that are less critical, a lighter-weight analysis known as a security architecture survey can be performed by the development team using a strategically designed questionnaire. For the 20% of applications that are critical, intensive ARA may still be necessary.
- Support – It's very hard to change the development habits of a project team, given their training and experience in feature delivery. Security activities are acquired habits for them. Allocating proper resources to support the development team with process, tools and mentorship is a meaningful way to ensure the smooth delivery of a secure software system on schedule.
Building security activities into an SDLC is a complex undertaking. A well-planned and properly supported set of security best practices can reduce security risks and implement compliance-focused requirements within the software. Proper training, automation, developer tools, standardization and support are key ways to perform these activities effectively and to reduce their impact on development velocity throughout the SDLC.