Building a modular, flexible IT stack the secure way

Are you working with agile technology that lets you innovate faster? Composable architecture makes this possible: a set of modular components, such as microservices, headless applications and APIs, that can be developed independently and tailored to the specific requirements of your company. Composable architecture offers several advantages: your data is more centralised, technical debt is reduced, and you are less dependent on a single IT platform for updates and new releases. However, should your organisation go this route, you had best be aware of the potential security and privacy risks. Are you curious about deploying IT safely to make your organisation more agile? Today, I share my experiences with you.


Recognise the signs

Alas, there is no standard solution for common security threats, as each problem has a different cause. Fortunately, there are signs we can look out for that indicate something may be wrong with security.

Perhaps you've seen this too: during the development of new software or technology the focus is mainly on delivering visible features, while security tasks are not included in the sprint planning. Sometimes a lot of time and money is spent on developing a specific feature, while other aspects are all but ignored. Yes, the team delivered a good risk assessment, but it was ignored in day-to-day practice.

You can prevent this by training security champions in your team. These colleagues can assist product owners and development teams with identifying risks and putting adequate measures in place.

Raise security awareness

When it comes to security, we all have a part to play. Surely, as a developer, product owner, programme manager or stakeholder, you’ve dealt with security issues, with your experiences colouring your feelings about the subject. Let's try something out. Which of the following applies to you?

  • After a meeting about security, you are drained...or did it boost your energy?
  • You feel your security work does not get noticed, nor appreciated...or is acknowledged and celebrated?
  • You dread the pentest results...or are you looking forward to them?
  • You don’t feel comfortable discussing security issues...or do you master security with confidence?

A team's maturity regarding the topic of security makes a big difference. Do we have the expertise? Where are the gaps? What does the team need to make the right decisions and develop a secure product?

When you use a maturity model such as OWASP SAMM (formerly OpenSAMM), BSIMM or another standard, you guide teams towards adopting the right practices and make your team more autonomous.

Know that actions have consequences ... and so do non-actions

Every member of a project organisation has impact on the final outcome. With such a set-up, then, it is essential that security issues are identified and that security is perceived as an opportunity, not as a burden. People should have a solid understanding of the advantages of investing in security and security achievements should be celebrated.

  • Make sure that management champions security-driven decision-making. If you don’t, don’t be surprised when a product owner pays insufficient attention to security.
  • Make sure that product owners are fully aware of potential security threats. If you don’t, don’t be surprised when security issues are not resolved during the development process.
  • Make sure that development teams focus on more than just the tangible outcomes. If you don’t, don’t be surprised when they ignore their own security practices to save some time.
  • Make sure that security officers don’t use a pentest report as a security requirements list. If you don’t, don’t be surprised when new issues keep arising.

This is what we call security by design, and there is a range of tools that can help ensure security during every stage of a project. Any digital project benefits from threat modelling, where you start off by mapping the attack surface (every entry point and every data flow that crosses a trust boundary) and identifying the risks on each of them.
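To make that first step concrete, here is an added example (not code from the original article) of threat modelling as code for a small composable stack: components are placed in trust zones, data flows between them are described, and every flow that crosses a zone boundary is counted as attack surface and assigned STRIDE threats. The sample stack (browser, API gateway, orders service, headless CMS, database), the rule table that maps flow properties to STRIDE letters, and the mitigations are all constructed assumptions for illustration; a real model would be tuned to your own architecture.

```python
"""Minimal threat-modelling helper for a composable stack.

Added example, not from the original article. The component graph below is a
constructed sample; the STRIDE rule table is an assumption of this example.
"""
from dataclasses import dataclass, field

# STRIDE categories (Microsoft's threat taxonomy).
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # trust zone, e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    src: Component
    dst: Component
    data: str
    auth: bool = False     # caller is authenticated
    tls: bool = False      # channel is encrypted and server-authenticated
    logged: bool = False   # request is audit-logged
    mitigations: set = field(default_factory=set)  # STRIDE letters covered


def crosses_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def threats_for(flow: Flow) -> set:
    """STRIDE letters that apply to one flow (assumed rule table)."""
    if not crosses_boundary(flow):
        return set()            # same trust zone: out of scope for this pass
    t = {"D"}                   # any endpoint reachable across a boundary can be flooded
    if not flow.auth:
        t |= {"S", "E"}         # anonymous callers can impersonate or escalate
    if not flow.tls:
        t |= {"T", "I"}         # plaintext hop: data can be altered or read
    if not flow.logged:
        t |= {"R"}              # no audit trail: actions can be denied
    return t


def attack_surface(flows: list) -> list:
    """Entry points: distinct components reached across a trust boundary."""
    return sorted({f.dst.name for f in flows if crosses_boundary(f)})


def unmitigated(flows: list) -> list:
    """(flow label, STRIDE letter) pairs with no listed mitigation."""
    out = []
    for f in flows:
        for letter in sorted(threats_for(f) - f.mitigations):
            out.append((f"{f.src.name}->{f.dst.name}", letter))
    return out


# Constructed sample stack (assumption, for illustration only).
browser = Component("browser", "internet")
gateway = Component("api-gateway", "dmz")
orders = Component("orders-svc", "internal")
cms = Component("headless-cms", "internal")
db = Component("orders-db", "internal")

FLOWS = [
    Flow(browser, gateway, "checkout request", auth=True, tls=True,
         logged=True, mitigations={"D"}),          # rate limiting in place
    Flow(gateway, orders, "order create", auth=True, tls=False, logged=True),
    Flow(gateway, cms, "content fetch", auth=False, tls=True, logged=False),
    Flow(orders, db, "SQL", auth=True, tls=True, logged=False),
]

if __name__ == "__main__":
    print("Attack surface:", attack_surface(FLOWS))
    for label, letter in unmitigated(FLOWS):
        print(f"{label}: {letter} ({STRIDE[letter]})")
```

Run as a script it lists the three externally reachable components and seven open threats, for example the plaintext gateway-to-orders hop (tampering, disclosure) and the unauthenticated, unlogged CMS call (spoofing, elevation, repudiation). Kept next to the code, this kind of model is what a security champion can review in each sprint and what product owners can turn into backlog items, instead of waiting for the pentest report.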

Would you like to know more about the safe implementation of composable technology? Do you need a little help? Why not send me a message on LinkedIn or reach out to our team.
