Software Integrity Blog

 

Security at speed: Justifying your security program transformation using key development motivators

Security investments require executive buy-in. Learn what key development motivators can help justify your security program updates.

As development speed increases, organizations must devise optimal security programs to match that agile development

As development speeds increase exponentially, organizations often struggle to introduce or maintain security practices capable of keeping pace. Additionally, security teams can find it difficult to get the top-down buy-in and support they need for a security overhaul. So we’re outlining the key drivers and motivators for improving security velocity that you can use to justify your own organization’s security upgrade needs.

Analyzing your current security program

Start with an assessment of your existing security program. This will help give you a prioritized and tailored understanding of your security needs. After you identify the weakest parts of your security program, you can more easily defend changes and their associated cost and resource demands. 

Next, a thorough identification and analysis of your existing friction points can help you uncover key inhibitors and prioritize their fixes. Examine the root cause of development and security delays, any gaps in your existing processes, and delays caused by manual practices. Your focus should be on introducing integrations and automation whenever and wherever possible into your pipeline. 

Reducing costs, risks, and rework efforts is also key. It’s important to define your baseline and measure the volume of rework and how long it takes your team to close rework tickets. You can determine your risk by differentiating between severe and low-risk tickets, and applying your defined risk policies to them. 

Using key development motivators 

Once you understand your weaknesses, you can use motivators specific to your organization to get the support you need to address those weaknesses. There are three overarching motivators you can use to get the conversation going: fulfilling compliance requirements, meeting customer and market quality standards, and performing quality engineering.

Fulfilling compliance requirements 

Security compliance is a legal concern for organizations in all industries. Regulatory standards like PCI DSS, HIPAA, and ISO 27001 define rules for protecting data and improving information security management at the enterprise level. Identifying the compliance and regulatory demands relevant to your organization can help enable top-down support for security practices and improvements. Once you secure the buy-in, you can start making regulatory-related upgrades to your security program. There are two easy places to start. 

  • Investigate MISRA: Motor Industry Software Reliability Association (MISRA) is a collaboration between manufacturers, component suppliers, and engineering consultancies that promotes best practices for developing safety and security-related electronic systems and other software-intensive applications. To this end, MISRA publishes documents that provide accessible information for engineers and management. It also holds events geared toward fostering an exchange of ideas and experiences among peers. Getting your team involved in the study of MISRA’s published information and attending these events can help inform your program improvements.
  • Enroll in TISAX: Trusted Information Security Assessment Exchange (TISAX) is an exchange governed by the ENX Association on behalf of the German Association of the Automotive Industry. It provides a single, industry-specific security framework for assessing information security for the wide landscape of suppliers, OEMs, and partners that contribute to the automobile supply chain. Membership in TISAX enables you to engage with other member organizations, obtain regular updates, and train your teams to apply compliance requirements. It also provides a dedicated resource to monitor and track compliance issues. 
Meeting customer and market quality standards

Both your customers and the competitive nature of the market itself demand that you produce high-quality, secure products. Failure to do so puts your reputation and success at serious risk. In addition to analyzing your security gaps, you should follow the ISO/IEC 25010:2011 standard to further justify your particular code quality needs. 

Framing the discussion of quality standards against a tangible and proven model can help eliminate stakeholder doubt. Using this ISO model will help to bolster your arguments and validate the need to improve security practices. 

Performing quality engineering 

Implementing quality engineering practices entails moving QA into the development process. This shift helps identify shortcomings earlier, at a stage when changes and adjustments can be made more easily. This driver of overall quality improvement protects the reputation and success of an organization. 

Quality engineering should focus on: 

  • Workforce transformations: Teams should be empowered and enabled to improve and learn new skills
  • Upstream testing: Shifting left and starting sooner enables cost and resource savings
  • Automation of framework
  • Enterprise CI/CD
  • An outcome-based model: Implement required changes with proper change management 

Guiding the conversation

The growing need to ensure security at speed continues to drive considerations of security improvement. It’s vital to leverage data and facts to justify security program improvement requests. Armed with an understanding of industry-driven motivators for improvement, the conversation with key players becomes an indisputable argument for support. 

Stay tuned for our three-part series on the enablers and drivers of practicing security at speed.

BSIMM11 Report | Synopsys

 

More by this author