We have executed a wide variety of projects spanning multiple clients, but one key requirement challenged our development mindset. We were asked to scan the source code of a client application to identify the security flaws and that’s when we had several surprises. Most of the flaws could have been avoided with proper development processes related to security in place.
This one event helped us to change our development process to deal with the security from the roots of the Application. Our team explored various approaches to ensure security at different levels of development activities and carefully crafted & implemented multiple processes as security points. Within a short time, these processes became our development culture, as everyone saw the value of going the extra mile to ensure security.
The team had gone through a series of sessions and asked these basic questions to successfully implement security processes:
- Do you know all the possible security vulnerabilities to look for?
- Does your application design take care of security?
- How to ensure security as a part of the development workflow?
- How to make security planning as a part of your sprints and backlogs?
- How to identify the security flaws using CI, alert the team and stop CD?
Security has to be a part of all our development processes:
From the answers, we almost figured a need for security aspect in all existing development processes. We revised all our development processes to have security sense in them. Teams have started wearing security hat during the development processes and successfully identified the flaws & addressed them.
Here are the processes & tools we used for our clients, which worked pretty well.
Security awareness training for the project team is essential to make them ready for secure DevOps. We observed a tremendous reduction (nearly 65%) in security flaws in the code after training.
Introduce threat modeling activity at the product backlog level, which makes you do a quick & thorough check of the Application design for each change. Teams have followed secure code reviews parallel to regular code reviews. We have continuously followed this approach for several sprints and it worked really well.
Feedback loops for security flaws:
Continuous integration is a life saver. It has transformed the way products are developed and tested. We used check-in policies, continuous integration process to scan the code for vulnerabilities and give a feedback in the early stages of the development, which helped us to address those quickly.
Security testing before deployment:
Security testing became a part of the product qualification for the final deployment. Automation of security testing helped us reduce the release test cycles & follow the DevOps seamlessly. Several secure code libraries were evolved over time, which helped us to reuse those fearlessly.
SDLC processes have evolved for years and following these processes without a sense of security is meaningless and suicidal. Hence, security should be planned in your Application’s DNA. All it takes is some simple steps to carve your practices, use appropriate tools and awareness.
Happy Secure Development!!