Apr 29, 2020
You may have a secure application today, but you cannot guarantee
that it will still be secure tomorrow. Application security is a
living process that must be addressed continually throughout the
application lifecycle, which requires security assessments at every
phase of the software development lifecycle (SDLC). The SEI has
researched a continuous authorization concept, DevSecOps, that keeps
developers and information security teams in constant interaction
throughout the entire SDLC. Authorizing officials, such as personnel
on information security teams, stay in contact with developers as
existing code is changed and as new features are added. From project
conception, the system security plan should be integrated into the
development platform and into the other environments, so that
developers and information assurance (IA) personnel see the same
artifacts for every development and deployment activity. Any change
to the system's security posture can then be identified immediately
and reported to the IA team, who evaluate it and ensure that all
security controls are adequately addressed. As a result, every
security feature can be verified and authorized, and over time the
organization builds a trusted culture among all stakeholders.
Hasan Yasar and Eric Bram discussed how continuous communication and
collaboration between developers and information security teams
reinforces core DevOps principles and lets developers write code with
a "secure" development mindset. Giving developers and DevOps
engineers alike the tools and knowledge to excel in their roles leads
not only to enhanced productivity but also to a more robust and
secure application and environment.