Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Five steps to secure iterative software delivery

Perforce Software : 18 February, 2015  (Special Report)
Mark Warren of Perforce Software explains the security challenges surrounding iterative software delivery and offers five best practices for improving the process
Five steps to secure iterative software delivery

Deploying software quickly and implementing changes frequently is at the core of many software-led businesses today.  Businesses across all industries are increasingly developing and rolling out software more rapidly and more frequently, both to their own employees and customer base.  Whether labelled continuous delivery, continuous development, continuous integration or iterative development, this approach to software provision is rapidly changing the face of the software industry and is increasingly becoming a way of life: just imagine the amount of software updates an online retailer such as Amazon must have and we are all aware of the ever increasing volume of updates – often daily – to the apps on our desktops, laptops, tablets and smartphones.

However, a revolutionary approach to software development brings its own software challenges.  While having a cadence of small updates potentially limits the scope of change – so in theory bugs are ‘smaller’ and security weaknesses easier to spot – if a bug or security vulnerability gets included in a release, it can be pushed out to hundreds or thousands of servers, potentially affecting millions of users before it has been spotted.

Of course, the rapid nature of continuous deployment lends itself to fast fixes: as we saw with Heartbleed, vendors were fast to ship OpenSSH fixes.  However, that doesn’t negate the fact that the problem was ‘out there’, causing considerable concern amongst end users and creating a lot of extra work for software vendors.

With so many high profile security problems during the past year, clearly this is a problem that is a long way from being addressed.  If iterative software development is the way of the future, how do we prevent problems like this happening?  Of course, any company with sense is going to have an armoury of dedicated information security tools, but I’d argue that there is a need for a more holistic approach that looks at the bigger picture, including more rigour around internal processes.

Plus, there is the fact that traditional approaches to software security may not be the best for today’s modern software development practices:  by the time a full system scan has taken place, the bug could already be doing its damage.  Conventional security strategies that impose ‘gates’ will hinder the continuous delivery process and frustrate developers.  Far better is to engender an environment that comprises: transparency and traceability, ‘best practice processes’, plus the right development environment and security tools.

5 best practices to adopt

Clearly, the earlier a potential vulnerability is caught the better the chances are of minimising impact and reducing associated costs.   Here are five ways in which companies can improve this process:

Ensure traceability and audit trail

If an issue should arise, then being able to trace what was included in a release – not just the application source code, but also executables and infrastructure as code (e.g. virtual machine images) is critical to understanding the potential impact.  Creating a ‘single source of truth’ using version management tools provides an instant view of what is happening in the development process right now, but also what happened in the past (who did what, where and when), with the option to ‘roll back’ to a previous version of the software if need be.

Automate as much as possible

Automation of continuous integration, test and deployment processes is one of the main tenets of this approach to software delivery, ensuring faster and more predictable time-to-market.  It also has the benefit of reducing the chances of human error, which in turn helps to keep vulnerabilities from occurring. Automating complex build and test systems, when the applications include a variety of different content types and may have contributions from multiple teams around the globe, makes a common repository (“single source of truth”) critical to avoid duplication or gaps in validation processes.  While not everything can be automated, it is surprising just how much can be.

Continuous monitoring

The old model of performing annual assessments and regular but not constant security scans just does not protect today’s environments.  The rate of change makes reports conducted just a couple of days ago obsolete. Monitoring security must be a continuous effort, with processes and tools that surface problems immediately.

Spot real threats

As a variety of research studies and surveys have found, many vulnerabilities lead back to employees, whether inadvertently or deliberately and this includes the software development team.  Obviously, identifying these sources of security issues is essential, but it is all too easy to implement tools that identify an overwhelming volume of potential vulnerabilities, without any real sense of – or ability to analyse – what constitutes a real threat.  Look at the latest generation of behavioural analytics tools, which instead of being limited by pre-defined alerts, look ‘intelligently’ for changes in behaviours: for instance, when a software developer checks out a large amount of code, but doesn’t check the same volume back in, or when a developer works outside his/her usual hours.

Look for scalability and the right fit for today’s platforms

Look for tools that really are designed for and able to cope with today’s increasingly complex, distributed and multi-faceted environments, with the ability to scale and to support a multitude of different operating environments and deliveries, including on premise and the cloud.

Great software starts with the development team, so building in these ‘best practice’ approaches to ensure better ‘security hygiene’ across processes and tools is essential.  While security software has a vital role to play, companies need to adopt a real ‘belt and braces’ approach, if they are to ensure that their amazing innovations are not undermined by security vulnerabilities that could have been avoided.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo