
In the wake of high-profile data breaches and severe operational flaws like those exploited by WannaCry and Petya, it’s become clear to developers that security needs to be much more than a tacked-on feature — it needs to be an integral part of the development process from the beginning.

This approach is known as DevSecOps, and it’s one that’s growing among the software community. In fact, a recent survey by Freeform Dynamics found that 74% of respondents said they’re concerned about security threats due to software and code issues. Integrating security into development at the outset may require a shift in mindset, but it doesn’t have to be a painful and difficult process. We asked 15 members of Forbes Technology Council how tech leaders can build security into their products from the beginning of the product lifecycle. Here’s what they had to say.

1. Consistently Monitor Your Processes

Even the best planning misses something, which is why proactive monitoring is extremely important. Set up data exfiltration policies on your firewall and in your application to monitor for sensitive patterns like credit card numbers; or, use a “canary in the coal mine” by adding a fake account with a unique name to watch for. Now you can block and trace serious issues before they make headlines. – Jason Gill, The HOTH
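The two monitoring ideas in this entry, matching sensitive patterns in outbound data and watching for a planted canary account, can be prototyped in a few dozen lines. The following Python is an added example, not code from the article or from the contributor; it scans constructed log lines, uses a Luhn check to keep bare 16-digit identifiers (order numbers and the like) from triggering the card-number rule, and flags any line that mentions the canary account name. The log lines, the canary name `svc-canary-7f3a` and the `Alert` type are all constructed for the example.

```python
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run (so a 20-digit serial does not match a 19-digit tail).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Canary account: exists only to be watched; any appearance is suspicious.
CANARY_ACCOUNT = "svc-canary-7f3a"  # constructed name for the example

# Constructed sample log lines. Line 1 carries a 16-digit order id that fails
# Luhn; line 2 carries a well-known test card number that passes it.
SAMPLE_LOG = [
    "2017-06-27T10:01:02Z GET /api/orders/1234567890123456 user=alice",
    '2017-06-27T10:01:05Z POST /export payload="card=4111 1111 1111 1111" user=bob',
    "2017-06-27T10:02:11Z LOGIN user=svc-canary-7f3a src=203.0.113.9",
    "2017-06-27T10:02:30Z GET /health",
]


@dataclass
class Alert:
    line_no: int
    kind: str      # "card_number" or "canary_account"
    detail: str    # never the full card number, only the last four digits


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate digit runs that also pass Luhn; plain ids usually do not."""
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]


def scan_events(lines, canary_account: str) -> list:
    """Run both detections over log lines and return the alerts raised."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for hit in find_card_numbers(line):
            alerts.append(Alert(n, "card_number", f"PAN ending {hit[-4:]}"))
        if canary_account in line:
            alerts.append(Alert(n, "canary_account", canary_account))
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG, CANARY_ACCOUNT):
        print(alert)
```

The alert deliberately carries only the last four digits, so the monitoring pipeline does not itself become a second copy of the sensitive data it is meant to protect; the same shape works for a firewall or proxy rule, with the Luhn filter cutting the false positives a bare digit-count pattern produces.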

2. Incorporate Threat Modeling Into DevOps

Security should not be a bolt-on function or a step in the DevSecOps workstream. Security should be carefully factored into DevOps through threat modeling for each project. Threat modeling is a procedure for optimizing security by identifying objectives and vulnerabilities and then defining countermeasures. This exercise propagates security awareness and risk identification. – Danny Allan, Veeam Software

3. Understand Where To Allocate Your Time And Resources

Knowing where to focus your likely very limited resources is key, and can be tackled by performing application risk assessments and threat modeling. By better understanding where your product or service may have unacceptable risk exposure, you can focus your time and resources appropriately. – Vijay Bolina, Blackhawk Network

4. Get Senior Leaders Involved

As with any collaborative endeavor that brings together people from different backgrounds, experiences and outlooks, it’s important to acknowledge the possibility of conflict up front and deal with it head-on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company’s future, and hold everyone accountable for advancing its success. – Todd DeLaughter, Automic Software, owned by CA Technologies (NASDAQ: CA)

5. Incorporate Security Tests Into Your Boot-Up

One of the most effective ways to embed security into software is to initiate the security on boot-up. When a user restarts their device or software, the manufacturer should run a series of boot tests to determine any changes in the software and that the software is entirely authentic. Additionally, there should be warnings to users to reboot so the tests can be conducted frequently. – Maria Clemens, Management and Network Services, LLC
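A concrete form of the "boot test" this entry describes is an integrity manifest: a list of the expected digests of the installed files, itself authenticated, checked before the software is allowed to start. The Python below is an added example, not code from the article or from the contributor. It keeps the installed files as an in-memory dictionary so it runs offline, and authenticates the manifest with an HMAC so it needs only the standard library; a shipping product would use a digital signature whose public key is anchored in firmware or a TPM, because a symmetric key stored on the device is readable by whoever controls the device. The file names, contents and `MANIFEST_KEY` are all constructed.

```python
import hashlib
import hmac
import json

# Constructed: a symmetric key stands in for the vendor's signing key.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed: what the "installed" software looks like on disk.
INSTALLED_FILES = {
    "app/main.py": b"print('hello')\n",
    "app/config.yaml": b"debug: false\n",
    "app/lib/util.py": b"def f(): return 1\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_tag(digests: dict, key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on dict ordering.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Produced at build time: one digest per file plus an authentication tag."""
    digests = {name: sha256_hex(data) for name, data in sorted(files.items())}
    return {"files": digests, "mac": _manifest_tag(digests, key)}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Run at boot. Returns a sorted list of problems; empty means clean.

    The manifest is authenticated first: if it fails, nothing in it can be
    trusted, so the check stops there rather than reporting file-level detail.
    """
    expected = _manifest_tag(manifest["files"], key)
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest authentication failed"]
    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(INSTALLED_FILES, MANIFEST_KEY)
    print("boot check:", verify_manifest(INSTALLED_FILES, manifest, MANIFEST_KEY) or "ok")
```

Reporting unexpected files as well as modified ones matters: a drop-in module that the manifest never listed is as much a change to the software as an edited one, and a check that only walks the manifest would miss it.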

6. Security Must Follow The Dev Cycle To The End

Bring security to the table as part of the DevOps process as an equal player. Some might push back and say that security slows agility, but with the proper toolchain integration, this is no longer an issue. One example is automating the scanning of Docker images for security gaps and vulnerabilities, and promoting the image to the next step in the development cycle based on certain thresholds. – Dr. Rao Papolu, Cavirin Systems
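The "promote based on thresholds" step in this entry is a small policy decision sitting between the scanner and the registry. The Python below is an added example, not code from the article, from the contributor or from any particular scanner: it consumes a constructed scan report in a generic shape (one finding per entry with a severity), applies per-stage limits, and returns the decision with the reasons a pipeline should print. The image name, the `VULN-000n` finding ids, the package names and the thresholds in `PROMOTION_POLICY` are all constructed; severities the policy does not recognise are treated as critical so the gate fails closed.

```python
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed policy: limits tighten as the image moves toward production.
PROMOTION_POLICY = {
    "staging":    {"CRITICAL": 0, "HIGH": 5, "MEDIUM": 50},
    "production": {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 10},
}

# Constructed scan output; real scanners emit richer JSON, but the fields
# used here (a list of findings with a severity) are common to all of them.
SCAN_REPORT = {
    "image": "registry.example/app:1.4.2",
    "findings": [
        {"id": "VULN-0001", "severity": "HIGH",   "package": "libssl"},
        {"id": "VULN-0002", "severity": "HIGH",   "package": "curl"},
        {"id": "VULN-0003", "severity": "high",   "package": "zlib"},
        {"id": "VULN-0004", "severity": "MEDIUM", "package": "bash"},
        {"id": "VULN-0005", "severity": "MEDIUM", "package": "coreutils"},
    ],
}


def normalize_severity(raw: str) -> str:
    """Map scanner severities onto the policy's scale, failing closed."""
    sev = raw.strip().upper()
    return sev if sev in SEVERITIES else "CRITICAL"


def count_by_severity(report: dict) -> Counter:
    return Counter(normalize_severity(f["severity"]) for f in report["findings"])


def evaluate_promotion(report: dict, target_stage: str, policy=PROMOTION_POLICY):
    """Return (allowed, reasons). `reasons` lists every limit that was exceeded."""
    if target_stage not in policy:
        raise ValueError(f"no promotion policy for stage {target_stage!r}")
    counts = count_by_severity(report)
    reasons = []
    for severity, limit in policy[target_stage].items():
        found = counts.get(severity, 0)
        if found > limit:
            reasons.append(f"{severity}: {found} found, limit {limit}")
    return (not reasons, reasons)


if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "staging"
    allowed, reasons = evaluate_promotion(SCAN_REPORT, stage)
    print(f"{SCAN_REPORT['image']} -> {stage}: {'PROMOTE' if allowed else 'BLOCK'}")
    for reason in reasons:
        print("  ", reason)
    sys.exit(0 if allowed else 1)  # non-zero exit stops the pipeline stage
```

Run as `python gate.py production` the script exits non-zero, which is what lets the pipeline stop the promotion without any human in the loop; the per-stage table is the "certain thresholds" the entry refers to, and keeping it as data rather than code means the security team can tighten it without touching the pipeline itself.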

7. Foster A Culture Of Security From The Top Down

Security cannot be an afterthought or a line item on a Gantt chart. It has to be injected into a company’s culture of development and communication from the top down. Building out an organizational culture based on high trust will be the key to success. Everyone must have the mindset that they are individually responsible for security. – Leon Hounshell, Greenwave Systems