Data is already being used by developers and security teams to achieve their goals. Looking at this data in context, however, can help teams enhance their performance, consolidate their tooling, and collaborate more efficiently.
Today’s world revolves around software. Code is in higher demand than ever before to supply services and automate processes. The COVID-19 pandemic drove businesses that had not yet ‘gone digital’ to invest, while those that had previously done so increased their investments.
Approaches like agile development and DevOps aided in this. To keep up with business demands, the software development team has extended its ownership of the development process, from focusing on shorter timescales to developers taking on responsibility for IT operations and running what they build.
Security, however, is frequently an afterthought in this process. When there is a hurry to get more things done, security can go to the bottom of the priority list. Even though there are best practice guides available for secure software development from OWASP and the National Cyber Security Centre, integrating security into the development pipeline can be difficult. Looking at data, taking responsibility, and making adjustments to processes are all part of the solution to this problem.
The first area that has to be altered is data. Today’s software developers work on projects that use data to solve consumer issues, but how many of them use this data in their own workflows? Observability projects, in which developers leverage metrics, application logs, and trace data to better understand performance, have exploded in popularity, but the same data may also be used for security. If done correctly, this can actually help businesses unify their tools and the data they collect, so that the company does not have to pay twice to collect and evaluate it.
This data-driven strategy has the potential to go even further. Software developers can leverage data from their own software pipelines to improve their development and security processes, much as they can create systems that build on and use data to improve customer experience. Software projects generate data that can be captured and used over time as they go from coding to testing, deployment, and production. Previously, the difficulty was that processes did not put that data to use.
This is an issue for some teams: they spend so much time focusing on the data requirements of other teams that they don’t have time to prioritize their own. Another issue is that there are so many distinct pipelines to follow. Software development teams often have a lot of leeway in terms of which tools, services, and cloud platforms they employ, so there is less standardization for what is deployed over time. It’s critical to get all of that data together in one place so that teams can see what’s going on across all of the pipelines that are active at the same time.
In addition to the data, organizational IT teams need to examine how they think about security from start to end. Security needs to shift left and occur earlier in the process, but this will necessitate the adoption of the right mindset by all parties involved. Are teams, for example, rewarding security from the outset of their process, and how do they measure it? The right metric can be extremely effective in promoting high-quality secure code from the start, whereas the wrong metric can lead to additional difficulties in the long run.
Instead, development and security teams can work together to improve the process, from considering security as part of code development and process design to avoiding problems like misconfiguration in deployment. Allowing additional time for code review, using code analysis tools, and enforcing secure coding guidelines are all examples of this. This can be done, for example, by tracking code development over time and comparing the number of security issues prevented and resolved rather than measuring by lines of code written.
By looking at development, security, and DevOps as a whole, then setting up the right goals and KPIs, teams can incentivize the right kinds of behavior rather than focusing on individual targets.