Who hasn’t been in a similar situation? You are part of an agile product development team. The next sprint planning is coming up. Based on user stories, new tickets are drawn into the sprint. You discuss which new features should be implemented for the product. Everything takes the usual course.
The team is enthusiastic. Everyone knows that there is a lot to do and time is always short. So let’s stop talking, get stuff done!
After some exhausting, nerve-racking days of development of the product, a lot has been achieved. The planned features have been implemented and the team is happy about what has been achieved. Everyone is somehow proud of the new exciting stuff, that is going to be released.
But suddenly there is an email from the in-house security team. Or from the data protection officer. Or from someone you wouldn’t have expected it from. But they say, according to IT security regulations, the product cannot be deployed live. What’s next? What went wrong?
In fact, the problem is, that security is often still perceived as an add-on in application development. Of course, in many places, developers know OWASP and its Secure Coding Practises. Source Code Analysis Tools are no longer a “secret sauce”, but should be a standard component for secure software development.
As we all know (digital) product development is usually primarily driven by functional requirements of the product. Security does not usually appear here. If it does, then it is perceived as an additional burden.
The same happened with software testing in the past. The software was developed and handed over to the testing department. Usually, the testing team was not loved by the developers, as their feedback produced additional workload. After the testing process was completed, development failures were sent back to the development team. An unspeakable, waterfall-oriented, cost- and time-intensive skirmish began. At some point, this situation was resolved and finally, the software was ready for deployment. But nobody in the product team was intrinsically motivated to work with the testing team.
Fortunately, the triumphal procession of lightweight software development methods began in the 90s. With methods like Scrum and Kanban, testing became part of the agile software development process.
On the one hand by newly-built so-called cross-functional teams. On the other hand by the philosophical change in the testing approach, leading to the highly automated unit and acceptance tests. Since then, the product owner of agile software development teams became responsible for the quality of the entire product.
Today history repeats in the area of IT security, or more precise in the area of security for digital products and digital production platforms. Security champions are joining forces with the current cross-functional teams. DevSecOps is becoming a reality. Security is the new quality dimension in digital product development.
Security is changing from a subordinated task within the software development lifecycle into an omnipresent element of all phases in modern CI/CD pipelines. The keyword for this new approach is “shift left“.
In the cloud and container world, security – especially for infrastructures of innovative digital production platforms – can be expressed in code. Security can be automated. And security can scale, like cloud computing does, for the first time in history. And this is a big win.
The benefits are obvious.
1) Companies actively safe money. They reduce the friction between differently scoped and incentified departments: product development (usually the business stakeholders) and IT security department (usually located close to the corporate IT).
They reduce the risk of getting fined for security breaches. They minimize additional effort (which means costs), that has to be invested in order to add-on security, instead of build secure-by-design products.
2) Companies innovate faster. Time-to-market is one of the striking and most relevant KPIs when launching new digital products. The need for fewer sprints means being quicker!
3) Companies stay secure. Or at least, the improve their security posture. In contrast to understanding security as the department-of-no, security can be perceived as enablement and even an accelerator!
And how does that work? The answer is simple: there is no one-size-fits-all.
But there are a number of ideas, concepts, processes, tools and experiences that help to get started and to nurse a modern security-considering product development environment.
Which one of the aspects to focus on, has to be answered individually. As an example, when looking into the platform immanent toolchain of Amazon Web Services, you’ll find currently 199 online bookable services. More than 40 of these services are related to IT security. The selection of tools to be implemented usually depends on the security and cloud transformation maturity level of the individual company.
But there is one fact for sure: all large cloud providers offer by far more tools and options to optimize platform security, than the traditional datacenter and hosting companies ever dreamed about.
If you have questions, please contact us. That’s what we do. This is our core competence. And that’s what our customers appreciate: we help them to Securely Ship their Software Faster – 3SF.