5 Tips to Improve Security while Improving Delivery


In the age of digitization, with most digital transformation efforts aimed at optimizing the efficiency and effectiveness of our ways of working and at meeting users’ needs, organizations must update and release their technology-enabled products and services ever more quickly. Agile and many other software development life cycle (SDLC) approaches are being used to drive these initiatives. At the same time, as organizations build these digital platforms, code security is becoming an increasingly important part of information security. At Leigh Consulting we recommend that, instead of expanding existing security governance and providing more developer training, our clients identify new ways to embed security governance into their pipeline workflows, which in turn improves code security, product quality and the return on investment of the digital product or platform.


To do all this in a way that improves both speed and security at scale, our Cybersecurity experts at Leigh Consulting use the following 5 key steps as guiding principles for our security offerings:


1. Track and understand developer coding behavior 

2. Tailor the presentation of developer coding metrics to application leaders and stakeholders 

3. Use “security stories and audit controls” to embed governance into developer workflows 

4. Embed real-time security feedback loops into developer workflows 

5. Deputize and collaborate with developers so that they become “security champions” to speed up security reviews and assessments 


Let’s dive into each of these in detail.

Track and Understand Developer Coding Behavior: 

Information Security’s lack of visibility into delivery team workflows can impede developers’ ability to produce secure code. At Leigh Consulting, we encourage our clients to improve the transparency of delivery team coding to security staff by consistently tracking security metrics (e.g., the number and types of vulnerabilities, the number of policy exceptions) and by analyzing trends in coding behavior over time. Policy violations or exception requests that recur consistently across delivery teams indicate that the Information Security team should revise its policies. In contrast, trends observed only for select delivery teams or developers indicate that the vulnerabilities stem from those developers’ practices, not from Information Security’s policies. This approach to tracking and understanding developer coding behavior builds trust between Information Security and delivery teams because it acknowledges that neither team can singlehandedly be responsible for all code security.
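As an added illustration (not Leigh Consulting’s tooling), the following Python turns that heuristic into code: constructed scanner findings and policy-exception records are tallied per team and vulnerability category, and each category is classified as systemic (most teams affected, so the policy or guidance should be revisited) or localized (concentrated in one team, so coaching that team is the better fix). The team names, categories and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records: (team, category, kind), where kind is "vuln" for a
# scanner finding or "exception" for an approved policy exception request.
FINDINGS = [
    ("payments", "hardcoded-secret", "vuln"),
    ("payments", "hardcoded-secret", "vuln"),
    ("payments", "sql-injection", "vuln"),
    ("checkout", "hardcoded-secret", "vuln"),
    ("checkout", "hardcoded-secret", "exception"),
    ("search", "hardcoded-secret", "vuln"),
    ("search", "xss", "vuln"),
    ("search", "xss", "vuln"),
    ("search", "xss", "vuln"),
    ("profile", "hardcoded-secret", "vuln"),
    ("profile", "xss", "vuln"),
]

# All delivery teams in scope, so teams with zero findings still count as "unaffected".
TEAMS = {"payments", "checkout", "search", "profile"}


def team_category_counts(findings):
    """Count records per (team, category); exceptions count like findings because
    a recurring exception request is also a signal about the policy."""
    counts = defaultdict(int)
    for team, category, _kind in findings:
        counts[(team, category)] += 1
    return counts


def classify_trends(findings, teams, spread_threshold=0.75, concentration=0.6):
    """Per category: 'systemic' if at least spread_threshold of teams are affected,
    'localized' if one team holds at least `concentration` of the total, else 'mixed'."""
    counts = team_category_counts(findings)
    categories = {cat for (_team, cat) in counts}
    verdicts = {}
    for cat in sorted(categories):
        per_team = {t: counts.get((t, cat), 0) for t in teams}
        affected = sorted(t for t, n in per_team.items() if n > 0)
        total = sum(per_team.values())
        top_team, top_n = max(per_team.items(), key=lambda kv: kv[1])
        if len(affected) / len(teams) >= spread_threshold:
            verdicts[cat] = ("systemic", "revise policy or guidance", affected)
        elif top_n / total >= concentration:
            verdicts[cat] = ("localized", "coach team", [top_team])
        else:
            verdicts[cat] = ("mixed", "investigate further", affected)
    return verdicts


if __name__ == "__main__":
    for cat, (verdict, action, teams) in classify_trends(FINDINGS, TEAMS).items():
        print(f"{cat:18} {verdict:10} -> {action} ({', '.join(teams)})")
```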


Tailoring the Presentation of Developer Coding Metrics to Application Leaders:

Although security is essential to effective business processes and products, application leaders do not always promote secure coding. They see security as directly conflicting with timelines and, in some instances, with the cost of the product, and they underestimate the impact of security. To counter this, Leigh Consulting’s Information Security experts are trained to help our clients incentivize developers to code securely by tailoring the presentation of developer coding metrics to application leaders. By making security data relevant to application leaders, one can show that a secure product or platform yields a greater return on investment by reducing costs and increasing the speed, quality and efficiency of the digital product or platform. This approach to data sharing and analytics helps application leaders motivate their developers to adopt secure coding behaviors, and it empowers the leaders to base their decisions on facts rather than intuition as they assess product deliverables and the impact on other initiatives in their pipeline or roadmap.


Using “Security Stories” to Embed Governance into Developer Workflows:

Even if application leaders are motivating their developers effectively, IT organizations must also make it easy for developers to code securely. Agile enables developers to identify and prioritize functional requirements through user stories; security stories apply the same format to security requirements. Instead of having to look up and apply the relevant security requirements on their own, developers receive “just-in-time” guidance on what they need to know. At Leigh Consulting, we encourage our clients to compare the application leader’s team data (e.g., number of vulnerabilities over time, types of vulnerabilities) with that of teams working on similar types of projects (e.g., applications with similar functionality or the same business dependencies). Sharing the cost of addressing these vulnerabilities, and how they factor into business cost, plays a critical role in strategic decisions about product quality and delivery. Summarizing the effect of the application leader’s team on the business goals can be taken further by using an application lifecycle management tool to automatically compile all commonly used requirements into the security story format. This type of automation is scalable because Information Security only has to create security stories manually for the most customized projects and tasks.


Embedding Real-Time Security Feedback into Developer Workflows: 

Developers typically do not receive feedback on code security until after the code is submitted for a formal review, resulting in time-consuming rework to fix vulnerabilities that could have been prevented. This approach does not incentivize developers to keep vulnerability remediation on schedule. By using tools that provide real-time security feedback while the code is being written, speed and security are no longer at odds, and both can be improved simultaneously.


Deputizing Developers as “Security Champions” to Speed Up Security Reviews: 

Even with automated code scanning tools, some manual work is required to triage false positives, business logic errors and security policy exceptions. Instead of adding these responsibilities to Information Security’s queue, at Leigh Consulting we encourage a collaborative approach to product development and security: senior developers are recruited to serve as “security champions” for some security tasks, while Information Security retains ownership of the highest-risk project tasks. Sharing these responsibilities between Information Security and security champions increases delivery speed and makes information security more scalable, all while reinforcing the message that security is everyone’s job.


In conclusion, whether security stays fast and scalable, especially in the age of digitization, can depend on the organization’s success or failure in achieving an efficient go-to-market security strategy. It is therefore critical to implement practices that make governance less time consuming while maintaining the rigor of security standards. Although the approaches above address these challenges for the near future, the most progressive organizations are already thinking about how to make security fast and scalable in the long term. Application containers and APIs can be considered part of the long-term solution: correctly implementing containerization and an API strategy increases application security and delivery speed, and it makes the secure way the easiest way. The approaches to solving digitization challenges will vary based on how far along an organization is in implementing continuous delivery, but the increasing need to be faster and more secure is here to stay. Let us know how our Cybersecurity experts at Leigh Consulting can help your organization deliver with great agility, innovation, speed and security.


Dr. Ralph B. Manyara 

Head of Leigh Consulting - PMO and Cybersecurity services 

Ralph Manyara