Securing the Big Picture
In order to analyze and improve the security of a project or company, it is not enough to address the application and its architecture. The software development process (the SDLC) must include security controls at the process and functional level as well:
Tools are Nice, but what about their Results?
After enhancing build pipelines with DevSecOps elements, process-related questions such as finding consolidation, false-positive management, baseline handling, and many more are key to the sustainable integration of security scans into the development process.
Challenges of Agile Organizations
Agile teams have the option to schedule dedicated security sprints and work on the most pressing security issues, which also requires management and product owners to support this effort. That’s where awareness training usually helps to get all stakeholders to buy into the security culture and create the space for targeted non-functional improvements. This also includes making progress visible across a company via dashboards and detecting trends, so that improvements can be guided towards the areas with the best leverage.
Distributed Development Teams
For geographically distributed development teams (including off- and near-shore) and especially in today’s home-office based team splits, it’s also crucial to secure the paths where code is created and how it flows into production, avoiding code or base-image backdooring via compromised build pipelines.
Cloud & Containers
Even small and easily overlooked things, such as missing automated checks against the accidental check-in of secrets or an accidentally unprotected cloud storage bucket, are often all that hackers need. Correct and secure management of the secrets used in production systems (keys, passphrases, tokens, certificates, etc.) involves more than technical elements like vaults. Beyond the more complex technical aspects, organizational aspects need to be addressed as well, especially when cloud environments and container platforms are used.
Forensic Readiness
What to do when the undesired event of a successful hack happens?
Your organization needs to constantly assess its DFIR readiness (Digital Forensics & Incident Response) in order to quickly identify and isolate compromised systems while preserving evidence, analyze them forensically, gather Indicators of Compromise (IoCs), rotate compromised keys, certificates, etc., and check whether the bad guys succeeded in exfiltrating data (even via DNS out-of-band channels).
Review Goal
As you can see from the examples above, the true security posture of an organization goes way beyond technical things…
It also includes humans and processes, as well as their interplay, as part of a strong security strategy. That’s exactly what this review is about: finding spots to improve and providing guidance as part of a roadmap.
As every organization is unique, I usually create an individual audit catalog in close collaboration with the customer’s security team. This acts as the foundation of a streamlined project review and improvement process to determine levels (or belts), build a scorecard scheme, and define roadmap steps to reach and maintain a high security level.
As most process reviews are quite specific to your company and its current needs: let’s talk.
Further Reading
In case you’d like more information about the possible elements of a secure SDLC, the following best-practice standards are a good starting point (for both abstraction levels: organization-wide and technically focused):
- OWASP SAMM (Software Assurance Maturity Model)
- OWASP DSOMM (DevSecOps Maturity Model)
- OWASP ASVS (Application Security Verification Standard)
- OWASP CSVS (Container Security Verification Standard)
- CIS Controls (Center for Internet Security)
For many years I have reviewed the maturity of the secure SDLC processes of companies and organizations, which has led to some nice talks and publications on the most pressing things to handle, especially as an agile company:
Video (in English) of my talk at the DevOpsCon conference about the Seven Security Sins of Agile Projects:
Video (in German) of my talk at the JCon conference about the Seven Security Sins of Agile Projects: