EXPERT OPINION
For people to truly care about making security a priority, organisations must integrate security into the ways in which development teams and engineers are incentivised. We should be providing developers with simple cues to encourage the right behaviour, but this has to be realistic. Very few software applications will ever reach zero security defects, nor would it even be a good use of company resources to achieve this.
First, we should agree what the security standards are for the team. Next, we classify security bugs into those that are the highest priority, those that are important but not showstoppers, and those which, while not ideal, are acceptable to exist. Especially for the first two categories, we should track the average time to fix a security bug. Once a baseline is established we need to negotiate targets so that engineers and product owners can buy in. These metrics may ultimately help to determine compensation, but perhaps initially are linked to softer benefits for the team.
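The metric described above (classify bugs by severity, measure the average time to fix per class, then compare against negotiated targets) can be computed from a bug tracker export. The following is an added illustration, not code from the column or its author; the three class names, the sample bug records and the target values are constructed for the example. Open bugs are counted at their current age so that an unfixed showstopper cannot improve the average by never being closed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, List, Optional

# Severity classes as the column describes them (names are assumptions for this example):
# showstoppers, important-but-not-blocking, and acceptable-to-exist.
CLASSES = ("critical", "important", "acceptable")


@dataclass(frozen=True)
class SecurityBug:
    bug_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the bug is still open

    def days_to_fix(self, as_of: date) -> int:
        # An open bug is measured up to the reporting date, so it keeps counting.
        end = self.closed or as_of
        return (end - self.opened).days


def mean_time_to_fix(bugs: Iterable[SecurityBug], as_of: date) -> Dict[str, Optional[float]]:
    """Average days to fix per severity class; None when a class has no bugs yet."""
    by_class: Dict[str, List[int]] = {c: [] for c in CLASSES}
    for bug in bugs:
        if bug.severity not in by_class:
            raise ValueError(f"unknown severity class: {bug.severity}")
        by_class[bug.severity].append(bug.days_to_fix(as_of))
    return {c: (mean(days) if days else None) for c, days in by_class.items()}


def target_breaches(metrics: Dict[str, Optional[float]], targets: Dict[str, float]) -> List[str]:
    """Classes whose average time to fix exceeds the negotiated target (untracked classes are ignored)."""
    return sorted(
        c for c, limit in targets.items()
        if metrics.get(c) is not None and metrics[c] > limit
    )


# Constructed sample export: five bugs over a quarter, reported as of 1 March 2020.
AS_OF = date(2020, 3, 1)
SAMPLE_BUGS = [
    SecurityBug("B-1", "critical", date(2020, 1, 2), date(2020, 1, 5)),     # 3 days
    SecurityBug("B-2", "critical", date(2020, 1, 10), date(2020, 1, 17)),   # 7 days
    SecurityBug("B-3", "important", date(2020, 1, 1), date(2020, 1, 31)),   # 30 days
    SecurityBug("B-4", "important", date(2020, 2, 1), None),                # still open: 29 days
    SecurityBug("B-5", "acceptable", date(2020, 1, 1), date(2020, 2, 20)),  # 50 days
]

# Hypothetical negotiated targets, in days; only the first two classes are tracked.
TARGETS = {"critical": 7, "important": 21}

if __name__ == "__main__":
    metrics = mean_time_to_fix(SAMPLE_BUGS, AS_OF)
    for cls, avg in metrics.items():
        print(f"{cls:<10} mean days to fix: {avg}")
    print("targets breached:", target_breaches(metrics, TARGETS))
```

Running the block on the sample data reports a critical-class average of 5 days (within the 7-day target) and an important-class average of 29.5 days, which breaches the 21-day target; the acceptable class is reported but not held to a target. Feeding a real tracker export in place of the constructed list gives the baseline the column says should come before targets are negotiated.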
As businesses, we are trying to sell more products at a higher margin than our competitors do, so one way to differentiate is by leveraging security as a strength. If an organisation and its developers can work together to create, and stick to, these accountability measures, security will improve, in turn creating a competitive advantage.

This year, we'll see companies looking at ways to incentivise best-practice security at every point in the software delivery process.
Developers will try to find the balance between security and innovation
One billion Docker images are downloaded every two weeks. This is empowering developers to have control over how their code is deployed in target systems, helping organisations scale far faster and ensure fidelity of thought is maintained. Containers are enablers, but as of today, they do not adequately address security issues.
With containerisation now considered the standard when creating code, there is a greater need to ensure security is a core part of the process going forward, especially as the technology continues to grow, making it an increasingly lucrative target for cybercriminals.
There is a paradigm shift taking place and the rules are being made up as we go along. A lot more research and innovation needs to happen on a security level to empower developers, while giving them the tools necessary to do their job securely. This year, all organisations using containers need to make sure they are secure without stifling innovation.
DevSecOps will be key to clearing software flaws
In organisations, development teams are being asked to take ownership of integrating security earlier in the software development life cycle. Likewise, security teams are more actively engaging on the development side and there is less friction between the two than in the past.

Organisations are looking at DevSecOps as a way to address the complexities of managing and securing cloud-native applications. Building understanding and cooperation between development and security teams, while also automating testing, can help organisations address security earlier in the development process while also creating secure code.
Developers will select security tools which take less than 10 minutes to run in a development pipeline
DevOps teams that are able to integrate security testing into their development pipelines are twice as confident in their security as those that don't automate security tests. As engineers look to automate tests in the integration pipeline, those tools which complete in
Issue 23 | www.intelligentciso.com