Cybersecurity and the DevOps Stack
Information security’s place in society is well known and widely published, and few people doubt its relevance. The large and far-reaching effects of breaches in the last few years have been covered in the news, in newspapers, blogs, journals, and many other reputable sources. These breaches have repeatedly affected millions of people, along with banks and other secondary victims.
One aspect of this dilemma that does not receive much press is the software development process itself. Software development follows a specified process, and in theory, when that process is followed, it should produce a solid application that functions well.
One area of this development that is not sufficiently applied involves InfoSec. The problem arises when, at or near the end of a project, the project leaders decide to contact the InfoSec department and ask for assistance with the project. This has happened too many times and simply creates a mess.
Seemingly, everyone knows it makes financial and operational sense to have InfoSec involved from the beginning of a project. As the project advances, InfoSec then has the opportunity to provide input throughout, and InfoSec best practices can be put in place over time. Without this, the earlier steps or gates that required InfoSec involvement would have to be revisited, which costs more to fix. The construction of a home is an appropriate analogy: installing the plumbing while construction is ongoing is significantly easier than trying to fix it when the home is complete or nearly so.
This has been documented in the 2016 Forrester Research study. While the software was still in development, the average time to correct an issue was five hours. When the defect was corrected during the final testing phase, the average time to fix it was 5-7x longer. This is further exacerbated once the product is already on the market, where the time to correct rises to 10x-15x longer. These extended times to fix issues directly affect operations, increase costs, and decrease the security of the product.
This does not have to be the case. Involving InfoSec in the initial stages of a project is strongly recommended.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.