Is your shop Secure by Design?

In a recent coffee chat with Jeff Jacobs, CISO at IAG, he talked about how their team was making inroads into being ‘Secure by Design’. We reflected on how that advanced thinking re-positioned IT Security into being part of the process and not a milestone to tick.

Jeff went on to explain how his team was involved in all the agile scrum standups as a regular team member. While clearly this created added pressure around resource allocation, you can easily see the benefits of being involved early.

In contrast, where is your shop?

Applying an Agile Framework

In most enterprises there is an increasing focus on using an agile approach to deliver software. The basis of agile is that software is built iteratively, instead of with the traditional ‘waterfall’ method. During this switch it has been the norm that the approach to managing security has not adjusted to the new reality.

The velocity of delivery has fundamentally changed, yet security has stayed at the back end: pen testing and security review happen just prior to ‘going live’. Clearly this is better than doing nothing, but it is not the ideal approach.

Invariably some vulnerabilities and issues will be uncovered, and this leaves the business product owner having to accept a risk, or the developer with an additional task to figure out whether there is a viable workaround. No-one wins, and the CISO becomes the big bad wolf who doesn’t understand the importance of this business initiative and is getting in the way of progress.

Building Security into the process

The alternative is that we build security into the application and not around the technology. By definition, agile is about being able to morph and change one’s approach, so security principles have to be applied within the actual build process.

This means that the stories developed as part of the agile process to depict “a day in the life of” will, by default, build in security controls. It places a responsibility on the developers working on user stories to understand the overarching security requirements of the new system.

Taking a practical example, this would mean that the software engineer needs to consider all the new components and integration points, including any new cloud technologies. What else does it take to achieve this goal?


Coders are accountable to write “secure code”

Firstly, take the onus off the CISO and the security team; instead change the focus so that security is part of the deliverable and the developers are expected to write ‘secure code’. This means that it is no longer acceptable for a software engineer to say that Personal Information, PCI data, etc. is someone else’s responsibility.

Therefore any new software routine needs to be built with security in mind, keeping data secure both at rest and in transit.

CISO or delegate is part of the project

Essentially this means you must have a “security expert” on every project. This person is on the team from day 1, provides a security lens, and hopefully is also engaged for their broader business expertise.

The advantage is that security experience is brought to the table, which ensures that the user stories are robust and include security requirements. It also means that knowledge of current vulnerabilities, and of any potential new ones, is understood proactively and factored into the new design.

Specifically, attention can be paid to the security-sensitive aspects of relevant user stories. These include authentication, data entry and data manipulation.

Security Testing by pieces

Agile development is iterative by nature and not end-to-end. On the other hand, IT security requires a more complete, holistic review. An integral part of bridging the two is usually evidence of regression testing and test automation.

The security professional will be looking for good validation of the design and a comprehensive review of controls. So even with the involvement of security from day 1, it is still going to be a challenge to take the pieces and understand the total picture.

However, the critical element is that once a new vulnerability is understood, an automated test can be developed to ensure that it is never repeated.

A Persona covers all needs

Being ‘secure by design’ means that the customers we are designing for include the ‘persona’ one would expect for the new system. In agile development these personas are used as proxies for the customer. By definition a persona is an:

“archetypical user of a system, an example of the kind of person who would interact with it” [1]

The customer experience is what every enterprise is striving for: a great, or at least good, experience. It is hard to think of a user who would realistically want the system to be insecure by design.

[1] http://www.agilemodeling.com/artifacts/personas.htm#sthash.NW0p1r4Y.dpuf


Tags: Vulnerabilities, IAG, Agile Framework, CISO, IT Security, David Gee, CSO Australia, Secure by Design
