Intelligent CISO Issue 23 | Page 42

EXPERT OPINION

For people to truly care about making security a priority, organisations must integrate security into the ways in which development teams and engineers are incentivised. We should be providing developers with simple cues to encourage the right behaviour, but this has to be realistic. Very few software applications will ever reach zero security defects, nor would achieving this be a good use of company resources.

First, we should agree what the security standards are for the team. Next, we classify security bugs into those that are the highest priority, those that are important but not showstoppers, and those which, while not ideal, are acceptable to exist. Especially for the first two categories, we should track the average time to fix a security bug. Once a baseline is established, we need to negotiate targets so that engineers and product owners can buy in. These metrics may ultimately help to determine compensation, but perhaps initially they are linked to softer benefits for the team.

As businesses, we are trying to sell more products at a higher margin than our competitors do, so one way to differentiate is by leveraging security as a strength. If an organisation and its developers can work together to create, and stick to, these accountability measures, security will improve, in turn creating a competitive advantage.

"This year, we'll see companies looking at ways to incentivise best-practice security at every point in the software delivery process."

Developers will try to find the balance between security and innovation

One billion Docker images are downloaded every two weeks. This is empowering developers to have control over how their code is deployed in target systems, helping organisations scale far faster and ensure fidelity of thought is maintained. Containers are enablers, but as of today, they do not adequately address security issues.
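The accountability measures described earlier on this page (classify findings into tiers, track the average time to fix for the top two tiers, then compare against negotiated targets) are easy to turn into a small metric report. The following is an added example, not code from the column or from any organisation it mentions; the three tier labels, the target figures, the findings and the "today" date are all constructed assumptions chosen to illustrate the calculation.

```python
"""Mean time-to-fix for security findings per severity tier, checked against
negotiated targets.  Added example with constructed data; tier names, target
days and the sample findings are assumptions, not figures from the article."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed three-tier classification: "blocker" (highest priority),
# "important" (not a showstopper) and "acceptable" (tolerated).  Only the
# first two are tracked against a target, as the column suggests.
TARGET_DAYS: Dict[str, int] = {"blocker": 7, "important": 30}   # assumed targets


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str
    opened: date
    fixed: Optional[date]   # None means the finding is still open


def days_to_fix(f: Finding, today: date) -> int:
    """Age of a finding: days until it was fixed, or days open so far."""
    end = f.fixed if f.fixed is not None else today
    return (end - f.opened).days


def mean_time_to_fix(findings: List[Finding], today: date,
                     include_open: bool = True) -> Dict[str, float]:
    """Average days to fix per severity tier.

    Open findings count at their current age when include_open is True, so a
    growing backlog cannot hide behind a flattering closed-only average."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        if f.fixed is None and not include_open:
            continue
        buckets.setdefault(f.severity, []).append(days_to_fix(f, today))
    return {sev: sum(v) / len(v) for sev, v in buckets.items()}


def check_targets(mttf: Dict[str, float],
                  targets: Dict[str, int] = TARGET_DAYS
                  ) -> Dict[str, Tuple[Optional[float], int, Optional[bool]]]:
    """For each tracked tier: (observed mean, target, within target?).
    A tier with no findings yields (None, target, None) rather than a pass."""
    out = {}
    for sev, target in targets.items():
        observed = mttf.get(sev)
        within = None if observed is None else observed <= target
        out[sev] = (observed, target, within)
    return out


# Constructed sample findings (not real tickets).
SAMPLE: List[Finding] = [
    Finding("SEC-1", "blocker",    date(2020, 1, 1),  date(2020, 1, 5)),   # 4 days
    Finding("SEC-2", "blocker",    date(2020, 1, 3),  date(2020, 1, 15)),  # 12 days
    Finding("SEC-3", "important",  date(2020, 1, 1),  date(2020, 1, 21)),  # 20 days
    Finding("SEC-4", "important",  date(2020, 1, 10), None),               # still open
    Finding("SEC-5", "acceptable", date(2020, 1, 1),  None),               # tolerated
]
TODAY = date(2020, 2, 1)   # assumed reporting date


if __name__ == "__main__":
    mttf = mean_time_to_fix(SAMPLE, TODAY)
    for sev, (observed, target, within) in check_targets(mttf).items():
        status = "n/a" if within is None else ("OK" if within else "MISSED")
        print(f"{sev:10} mean={observed} target={target}d {status}")
```

With the constructed data the blocker tier averages 8 days against a 7-day target (missed) while the important tier averages 21 days against 30 (met); dropping open findings from the average would understate the important tier at 20 days, which is why the report includes them by default.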
With containerisation now considered the standard when creating code, there is a greater need to ensure security is a core part of the process going forward, especially as the technology continues to grow, making it an increasingly lucrative target for cybercriminals. There is a paradigm shift taking place and the rules are being made up as we go along. A lot more research and innovation needs to happen on a security level to empower developers, while giving them the tools necessary to do their job securely. This year, all organisations using containers need to make sure they are secure without stifling innovation.

DevSecOps will be key to clearing software flaws

In organisations, development teams are being asked to take ownership of integrating security earlier in the software development life cycle. Likewise, security teams are engaging more actively on the development side, and there is less friction between the two than in the past. Organisations are looking at DevSecOps as a way to address the complexities of managing and securing cloud-native applications. Building understanding and cooperation between development and security teams, while also automating testing, can help organisations address security earlier in the development process and produce more secure code.

Developers will select security tools which take less than 10 minutes to run in a development pipeline

DevOps teams that are able to integrate security testing into their development pipelines are twice as confident in their security as those that don't automate security tests. As engineers look to automate tests in the integration pipeline, those tools which complete in

Issue 23 | www.intelligentciso.com