An athletic footwear manufacturer has a slogan that says, “Just do it.” It’s also a command that leaders of some organizations issue to their application developers.

However, if application security isn’t rigorous and disciplined, just getting it done will expose the enterprise to risk. That’s why the DevOps movement, which emphasizes collaboration between developers and IT, is so important.

Jim Ivers of Cigital, which offers a number of services including application security testing, argued in a column this week that successful development teams must have a software security group (SSG) and a software security initiative (SSI).

An SSI is the set of activities necessary to build security into the development process, rather than the reactive process of bolting security onto existing software. The SSG is the group that makes the SSI work. As Ivers describes it, the software security group provides policies and processes, and liaises between the development team and IT security.

Successful software security means testing applications to get results that are observable, measurable, and consistent. Without a formal and disciplined approach, your group isn’t going to get that.

“For firms with an SSI/SSG, habits and process are the critical success factors,” writes Ivers. “Staff is not only trained, but incentivized to raise their security IQ. There are clear paths of communication between the security team and the developers. Experienced organizations learn that security is not a drag on performance, but can provide productivity gains by eliminating security vulnerabilities early in the development process. Effective metrics are produced to demonstrate to management the value of the program and reduction of risk.”

It’s imperative that DevOps teams cut the number of flaws in code. There are any number of tips, tricks and lists of ways to avoid security design mistakes. One of the most recent was issued by the IEEE last fall, and the SANS Institute has a list of the top 25 software errors. But unless there is a disciplined software development process, teams will still churn out applications that have too many bugs.

Jim Love, Chief Content Officer, IT World Canada