4 Keys to Successfully Implementing Security by Design
By Brandon Lynch
Imagine a solution that not only enhances the security of your products but also saves time and reduces costs. This is precisely what Secure by Design (SbD) principles offer. Unlike traditional reactive security measures, which often lead to last-minute setbacks and avoidable changes, SbD takes a proactive approach. By integrating security from the beginning, we not only save valuable time, money, and resources but also elevate the overall project experience for everyone involved.
The Foundations of Implementing Secure by Design
In How We Achieved Cost-Efficiency through Embedded Security, we talked about how trust and collaboration are paramount to the successful implementation of an SbD program. By integrating a dedicated security engineer into our team, we can engage in effective collaboration to identify risks, threats, and appropriate mitigation steps. Let’s explore how we can seamlessly integrate agile security into the software development lifecycle.
1. Security Planning and Assessments
During the planning phase of a project, it’s crucial to develop our security architecture. This involves analyzing applicable privacy and security laws, frameworks, or policies, such as GDPR, HIPAA, and SOC 2.
In addition, threat modeling is vital to the completeness of our security architecture. It helps us identify realistic privacy and security concerns along with methods to mitigate their risks. Subsequently, we can translate identified security controls or mitigation steps from the architecture into user stories or update the acceptance criteria of existing stories. This approach allows us to effectively plan, track, and implement security measures into the product from the beginning.
2. Continuous Security Support
Throughout the lifecycle of a project, features and scope often change. Therefore, it’s essential to make security as agile as the rest of the development team. One way we accomplish this is by creating abuser stories. An abuser story is essentially the ‘evil’ version of a user story that describes what a threat actor can do. Each abuser story contains threat scenarios, which capture how a threat actor can accomplish the abuser story. We can brainstorm this information by asking the team to think about features from an attacker’s perspective.
This approach allows us to examine the privacy and security aspects of specific features in greater depth than would otherwise be possible. Moreover, it helps us stay current with any new or evolving features or requirements. This process is led by the security team and can be integrated into sprint planning or refinement sessions to involve the entire team while minimizing the time commitment.
3. DevSecOps
DevSecOps represents an enhanced approach to DevOps that integrates security practices into the pipeline, reducing the need for manual security checks and accelerating vulnerability remediation. This is my favorite aspect of SbD, as it allows us to incorporate a broad range of security functionality in an agile manner, enabling security teams to concentrate on more strategic initiatives. Additionally, developers receive immediate feedback on potential security issues, allowing them to write secure code from the start.
Below is a list of essential security functions that should be integrated into your DevOps pipeline:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Secret Detection
- Source Composition Analysis (SCA)
- Software Bill of Material (SBOM) Generation
- Continuous SBOM Analysis
- Infrastructure Misconfiguration Detection
Your security tools should be configured to proactively block security vulnerabilities from being introduced into your application or environment. Furthermore, it’s crucial to collaborate with your team to fine-tune these tools to minimize noise and avoid unnecessary work. By adopting this approach, we establish a seamless, automated method for ensuring the security of our applications while keeping up with rapid development.
4. Assessments and Validation
When following SbD principles, the overall product quality and security are significantly improved. However, it’s still crucial to verify that your application is free from security flaws. This can be achieved through various methods, such as:
- Application security testing
- Penetration testing
- Cloud security assessments
- Vulnerability assessments
- Code security reviews
In many cases, conducting smaller tests throughout the project lifecycle rather than one large assessment at the end can be more effective. This approach enables us to identify and address issues early, minimizing the need for significant re-work and creating shorter feedback loops for our team.
Conclusion
Implementing SbD has not only enhanced the overall quality and security of our work but has also delivered tangible benefits to our clients. By integrating security considerations into every phase of our development process, we ensure that the products and solutions we deliver are inherently robust and resilient against potential threats. This proactive approach not only minimizes risks for our clients but also translates into lower costs and faster time-to-market. Ultimately, our clients benefit from increased confidence in the security and reliability of our offerings, leading to enhanced trust and satisfaction with our services.
Brandon Lynch is a Security Engineer with expertise in software development lifecycle security, encompassing infrastructure and software assessments, as well as comprehensive reporting. He’s skilled in defense-in-depth threat identification, remediation planning, and offering strategic recommendations, as well as designing and implementing DevSecOps practices, creating automated CI/CD pipelines through the integration of security scanning tools and the application of branch protection rules, utilizing both commercial and open-source solutions. He holds certifications such as a Certified Ethical Hacker (CEH) Master and Google Cloud Certified Professional Cloud Security Engineer.
