Application Security

Objectives for the development team in 2020

We have reached that time of the year when everyone starts to think about their objectives and what they must achieve this year. This also applies to security professionals, who start defining objectives for the development team and how to reach them.

Below we list some points that we consider important and that should be part of the objectives list of a development or DevOps team.

We have drawn up this list in broad terms; it is not, and should not be read as, an exhaustive list, but it can serve as a starting point for newer and better ideas.

At the end of this article we hope to have contributed to your planning.

Have a Security Champions program

In some of our articles we have spoken about the importance of a security champion in your DevOps team and how they can help increase the team's maturity in secure coding.

Still, in our engagements to build development processes it is common not to find a Security Champion taking part.

We believe that one of the main objectives for companies this year should be to create a program to develop their Security Champions team.

The role of the Security Champions team is to always bring "Shift Left" thinking into the secure development process, creating a culture of secure development from the very beginning of the project.

A basic concept that must be implemented and addressed directly by everyone involved in a development process is that code security is everyone's responsibility.

There is also a rule of thumb that for every 10 members of a DevOps team there should be 1 professional specialized in secure development.

Even though these concepts are known to many, it is still very difficult to find a company that has this proportion in its teams. That is why we increasingly emphasize the importance of the Security Champion.

Many managers are beginning to realize that these professionals have the greatest impact when they act as teachers, or even facilitators, of secure development concepts within the teams.

Encourage development teams to follow the security pattern

More and more we are seeing DevOps teams increase their skills both in development and in operations, which leads to increasingly fast delivery of products and services to the market.

However, it is not uncommon for this same speed to hinder or complicate the introduction of good secure development practices, as speed and security planning are not always a good match.

Hence, we need to understand that deliveries must be aligned with the security the applications require.

What usually happens is that much of the application's security is later delegated to policies and controls that are external to the code.

When we think about it, it is clear that the natural and most expected move would be to build the security rules into the code itself.

We need to encourage our development and operations teams to think about security rules and secure development best practices early in planning.

During this year, companies must increasingly seek to expand their knowledge of best practices and to apply those practices when building their code. This will certainly bring great gains to the secure development process.

More attention to personal data

Artificial Intelligence is being considered and used within DevSecOps teams in an increasingly effective way.

It is natural, as large organizations evolve, that they begin to look to data acquisition for the answers they need to make their operations increasingly automated and efficient.

With this in mind, and given the emergence of various data protection laws, we can look ahead and understand that we need to take this matter seriously and head-on.

Operations teams are adopting AIOps practices that emphasize collecting as much IT data as possible and analyzing everything with machine learning and AI algorithms to be more responsive and predictive with potential performance issues.

The problem with this is that privacy is increasingly becoming a key point in applications and should be taken into account if this is your current situation.

At this point we expect a much closer relationship between development managers and their peers, CIOs and CTOs, to help the HR and Legal departments understand these needs and how they can act without running into problems.

The increasing use of data makes the Security Champion even more important within the secure development process, as they can work to understand how both demands, data use and privacy, can be met.

By thinking about security from the start, we can ensure that data privacy is given its proper importance.

Increase the attention paid to your APIs

According to Akamai, 83% of web traffic today is generated through APIs. Another good source is Statista, which shows how APIs are being used today.

With the adoption of microservices architectures among DevOps practitioners, that percentage may increase very soon, and a large part of this architectural change depends on APIs for everything.

The adoption of APIs resulted in faster and more resilient software, but it also created new security headaches.

“What used to be an internal call between application components in the world of monolithic applications of the past is now an API call that is generally made on a public network and is susceptible to attack,” says Dmitry Sotnikov, vice president of cloud platform at 42Crunch.

The quote above reflects the new thinking and the new way in which the development world understands connections and exchanges of information, and the new application solutions that result from it.

This faster exchange of information also has a weak side: the rapid deployment of new microservices has greatly expanded the software attack surface.

For those who are concerned, we recommend reading and adopting the controls and points identified in the OWASP API Security Project document; it can be a good starting point for building knowledge.

Focus on automated processes

We always say that the security of an application must be considered from the beginning and must be strongly focused on automating its validation process, which requires the use of tools and processes.

Along with the increasing use of APIs, the use of containers, serverless technology and greater automation of DevOps activities have created new security entry points that must be addressed.

“But with so many new areas of security to keep track of, how will teams keep pace?” asks James Condon, research director at Lacework.

He believes that DevSecOps organizations should focus not only on testing automation, but also on automating the enforcement of security, remediation and response policies.

And security teams that want to take their automation to the next level can learn from their fellow developers.

The point is that automation, with heavy use of tools, can help scale the testing and validation process, but we must not neglect manual reviews by highly trained professionals.

The process must be accurate

As we reach the end of this article, we hope to have helped spark within your teams a way of thinking that results in more security and control over your code.

Nevertheless, we also believe that these points are not the complete solution for your planning, and we want to reinforce the need to increasingly think of our code as a product of our process: if the process is right, the result will be the ideal one.

Still, we must not allow ourselves to be carried away by automation as the solution to every shortcoming of a development process; we will need good professionals to perform the most complex security tasks.

Is that you? What are the points that will be part of your planning?

About author

Over 15 years of experience in Information Security and Applications; graduated in Data Processing; has worked as a Professor and actively participated as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and a trader in his free time.