Secure SDLC and DevSecOps
In the last five posts of our new series, 'Secure Your Start-ups' (follow the hashtag #sumerusecureyourstartup), I have talked at length about various elements of securing your start-up.
In this article, I will walk you through the basics of securing the SDLC and of DevSecOps in the context of start-ups.
Let's dive in.
We have seen the importance of security across various domains, especially from the infrastructure perspective. One of the essential parts of building a secure application or product is to build security into it right from the beginning.
It can involve activities such as carrying out threat modeling with architects, educating developers on secure coding practices, helping quality testers create security test cases as part of functional or unit testing, and lots more.
This article will first walk you through how Sumeru helps create a secure SDLC process for your start-up to identify issues early on before they become a problem.
As the figure below shows, web application attacks are the top attack vector used by attackers to compromise organizations, making it critical to focus on the application security side.
Let's delve deeper and understand more about Secure SDLC and DevSecOps and how they would help a start-up early on.
Software Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC) is typically a framework for building an application end to end, with distinct phases from requirements gathering to deployment and maintenance, as shown in the image below.
Organizations have adopted various models over time, from waterfall and iterative to Agile and many more, to take a phase-wise approach to building a robust application. One crucial component, security, was not considered in these models, which led to adding security activities at each phase to ensure security is addressed at all stages of the software development lifecycle.
The image above shows how the cost of fixing bugs rises many-fold after release, which is the motivation for the "Shift Left" security approach: moving security earlier in the development process. With developers acting as the first line of defense, educating them on writing code securely dramatically reduces the application development cost in the long run.
Secure Software Development Life Cycle (Secure SDLC)
Sumeru's Secure SDLC uses one of the most common and popular Secure SDLC frameworks from Microsoft and customizes it based on the needs of the start-up.
Security training is a critical component in this process; it has to be ongoing and involve everyone who is part of the process: architects, developers, testers and others. Architects can carry out threat modeling at the design stage, which helps determine the risk early on and design security features for the product. It is also essential to perform source code reviews as well as penetration tests to identify any possible vulnerabilities after development.
Some standard tools used are
Now, let's briefly look at DevSecOps and how, as a start-up, you should move along.
DevSecOps
With development moving swiftly, DevOps has become the go-to approach for the needed speed, and start-ups operate DevOps pipelines with various integrations to meet the required speed and scale, with multiple commits a day. It is essential to adopt the "Shift Left" principle for security here, where security moves from post-release to very early in the life cycle so that security issues are addressed more efficiently.
DevSecOps Advantage
To keep up with development speed, security needs to scale up as well, yet it is often seen as a roadblock and is usually prioritized only when it becomes "urgent and important" in the fast-moving start-up world.
To close this gap, DevSecOps has evolved as a cultural shift where security is not seen as a separate function but as a well-integrated responsibility of the Dev and Ops teams.
Tools Selection
As a start-up, if you are tight on budget, open-source tools provide ample options. Still, it is a trade-off: support may be restricted to community forums, false-positive rates can be high, and with limited bandwidth, using open-source tools requires careful planning.
Use tools that allow customization, provide APIs and command-line options, produce fewer false positives, support containers, and produce consumable results.
Sumeru's approach
A typical DevSecOps engagement for start-ups begins with studying the current DevOps model, then designing a clear DevSecOps plan that evaluates the nature of the business, the resources in hand, budget limitations, and technical requirements.
Sumeru considers the current security culture in your organization, helps the start-up team build the required security understanding, and methodically introduces security tools into the pipeline. A few pilot pipelines are run, and the tools are fine-tuned to minimize false positives.
A security champion is created within the team who can drive DevSecOps with the support of all team members, and Sumeru then hands over the baton to the start-up team to take it forward.
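The tool-selection criteria above (consumable results, fewer false positives) and the pilot-pipeline tuning step come together in one small piece of pipeline glue: a gate that reads a scanner's report, drops findings the team has already triaged, and fails the build only on new findings at a blocking severity. The script below is an added illustration, not Sumeru's or any vendor's code. It assumes the scanner can emit a SARIF 2.1.0-shaped JSON report (the interchange format most SAST and dependency scanners support); the sample report, the rule names and the triage baseline are constructed for the example.

```python
"""Pipeline gate: consume scanner findings, drop triaged false positives,
and fail the stage only on new findings at a blocking severity."""
import hashlib
import json
import sys

# Constructed sample report in SARIF 2.1.0 shape; it is not output from any real scanner.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built with string formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/files.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "String literal looks like an API key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
}


def fingerprint(rule, path, message):
    """Stable id for a finding: rule + file + message, deliberately without the
    line number so a triage decision survives unrelated edits above the finding."""
    return hashlib.sha256(f"{rule}|{path}|{message}".encode()).hexdigest()[:16]


def extract_findings(report):
    """Flatten a SARIF-shaped report into plain dicts the gate can reason about."""
    findings = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            rule = result.get("ruleId", "<no-rule>")
            message = result.get("message", {}).get("text", "")
            findings.append({
                "rule": rule,
                "level": result.get("level", "warning"),  # SARIF: error/warning/note/none
                "path": path,
                "line": line,
                "message": message,
                "fingerprint": fingerprint(rule, path, message),
            })
    return findings


# Constructed triage baseline: fingerprints the team reviewed and accepted, with the reason.
# A real pipeline would load this from a versioned file in the repository.
BASELINE = {
    fingerprint("hardcoded-secret", "tests/fixtures.py", "String literal looks like an API key"):
        "dummy key used only in test fixtures",
}


def apply_baseline(findings, baseline):
    """Split findings into new ones and ones already triaged as accepted or false positive."""
    new, suppressed = [], []
    for f in findings:
        if f["fingerprint"] in baseline:
            suppressed.append({**f, "reason": baseline[f["fingerprint"]]})
        else:
            new.append(f)
    return new, suppressed


def gate(findings, fail_on=frozenset({"error"})):
    """Decide whether the stage passes. Only the listed SARIF levels block the build;
    lower levels are still reported so the team sees them without being stopped by them."""
    blocking = [f for f in findings if f["level"] in fail_on]
    return (len(blocking) == 0, blocking)


def main(report=SAMPLE_REPORT, baseline=BASELINE):
    """Print a human-readable summary and return the process exit code (0 = pass)."""
    findings = extract_findings(report)
    new, suppressed = apply_baseline(findings, baseline)
    passed, blocking = gate(new)
    for f in suppressed:
        print(f"suppressed {f['rule']} at {f['path']}:{f['line']} ({f['reason']})")
    for f in new:
        flag = "BLOCK" if f in blocking else "warn "
        print(f"{flag} {f['level']:<7} {f['rule']} at {f['path']}:{f['line']} id={f['fingerprint']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:  # optional: path to a real SARIF file produced by the pipeline
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    sys.exit(main(report))
```

Run as-is, the script suppresses the test-fixture finding, reports the weak-hash warning without blocking, and fails the stage on the SQL-injection error. The baseline is the place where pilot-pipeline tuning ends up: every accepted finding is recorded with a reason and reviewed in version control, and because the fingerprint ignores line numbers, a refactor above the finding does not reopen it as "new".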
To sum up
Written by:
Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.
This article is the sixth of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup
3y: What exactly is 'Threat Modelling', Mr. Chidhanandham Arunachalam?