Image: Pixabay

How to start IT-Security

Michael Steiner
Axel Springer Tech

--

Software Quality Assurance and IT-Security are important aspects of modern software development which in practice are often neglected too quickly. To counteract this, we have founded the Competence Center Quality Assurance & IT-Security (CCQ) at SPRING. The aim of this team is to support the developer teams in matters of Quality Assurance & IT-Security.

“An IT-System is only as secure as the weakest part of the system.”

When I took over the task of IT-Security, the challenge was to develop the topic anew for my company. Although there were committed and interested developers in who lived IT-Security in their teams, there was no concept or general approach regarding IT-Security. The topic was new for me, too, and I first opened up the topic via the measures and tools that were available in the teams. The idea was to work out concrete fields of action and measures that would help the teams in a concrete way or simply to make transparent how IT-Security was already lived in some teams. In addition to measures that are already lived through, I then dealt with the most common attack vectors and vulnerabilities of IT-Systems as well as with best practices and tools in IT- Security. What I had learned: IT-Security can only be thought of holistically, because the following applies: An IT-System is only as secure as the weakest part of the system. Therefore, I identified the 3 essential core areas of IT-Security at my company which bring the greatest added value to the teams.

Cloud- / Infrastructure Security
One of the most common attack vectors is the exploitation of known vulnerabilities of software systems, especially in their infrastructure. This includes operating systems, software frameworks, protocols or configurations. Infrastructure Security deals with the minimization of attack vectors on the infrastructure.

Identity- / Access Security
The meaningful protection of access to applications as well as a meaningful role and rights concept are the content of identity/access security.

Application Security
Vulnerabilities in self-developed software are caused by faulty programming and wrong architecture decisions but also the use of outdated software frameworks must be avoided by measures of application security.

essential core areas of Continuous Security

Continuous Security — IT-Security as early as possible

It was important to us that IT-Security measures are taken as early as possible and are implemented throughout the entire development process. Therefore, we distinguish between preventive measures, analysis&test measures and monitoring measures for each security area.

Prevention
These measures are implemented before programming and operating the software in order to proactively prevent vulnerabilities. This can include the selection of tools based on self-created guidelines, but also coding guidelines and architecture patterns. Standard configurations regarding infrastructure security (e.g. for AWS instances or the company-wide use of multi-factor authentication) as well as IT-Security training and security awareness are also part of such measures.

Analysis & Test
Measures that actively investigate aspects of IT-Security and uncover vulnerabilities. This includes penetration and resilience tests as well as code analysis and the search for software frameworks with known vulnerabilities.

Monitoring
Monitoring measures help uncover and proactively prevent vulnerabilities during operation or potential attacks. This can be the monitoring of access to sensitive systems from both internal and external sources. Furthermore, it also includes measures to detect information leakage.

The different measures are supported by various tools to achieve the highest possible degree of automation.

The autonomous teams themselves should decide which measures and tools are appropriate and useful according to their needs. We as CCQ only provide guidelines and advice on the selection of measures. Uniform, detailed guidelines for all teams do not make sense since each team develops very different software with different tools and programming languages. In addition, there are different procedures in the implementation.

Community of Practice Security & TechRadar

The IT-Security measures within the teams must be continuously developed further with the support of security experts. In the Security Community of Practice (CoP), we offer IT-Security-interested developers a forum to eexchange and discuss. Here, new tools and procedures are introduced and IT-Security solutions from different teams are presented and discussed.

As part of a community of practice, we maintain a Tech Radar QA & IT-Security. New innovative tools are presented and the use of QA & IT-Security tools in our teams becomes transparent. We use the Tool Tech Radar of Thoughtworks for visualization. The quadrants describe techniques, tools and frameworks.

The idea is to describe an innovation cycle with rings from outside to inside:

Tech Radar of QA & IT-Security tools

Input and evaluation of interesting techniques, tools or frameworks that are evaluated by CCQ or others. → Assess

If a technique, tool or framework is interesting enough for a team, they will test it. → Trial (PoC)

If a technique, tool or framework brings value to the team, it should be adopted by other teams. → Adopted

In all other cases the technique, tool or framework is no longer in scope. → Out of Scope

In the description text we link to the manufacturer of the tool, the teams that uses said tool and which quality criterion is covered by the tool.

Tools quadrant of Tech Radar with customized description

The Tech Radar helps us to constantly question presently used tools and try out new ones, thus ensuring we always have your current development needs met. Through the knowledge exchange of tools and best practices within a CoP the teams get suggestions for new tools as well as the tool experiences of other teams.

--

--

Michael Steiner
Axel Springer Tech

Head of Competence Center QA & IT Security at SPRING. “ For continuous deployment in agile environments, QA and IT-Security are more important than ever.”