EXPERT OPINION

Cloud-native technologies will become the de facto choice for development teams – organisations will need to prioritise security

There has never been a better time to work in software than now. Developers are presented with an abundance of choice when designing and creating software applications. Systems of the past were designed as monoliths. Having core logic tightly bound to a huge blob of software is today seen as an anti-pattern for stability and development velocity.

Overwhelmingly, developers are choosing architectures that allow failure to happen in one part of the system without having an impact on the remaining system. Microservices, containers, orchestrators, service meshes and serverless computing are all enabling technologies that are allowing developers to achieve greater velocity. This, however, brings a security challenge.

A 2019 survey found that 35% of respondents lacked an understanding of how to deal with the attack vectors specifically relating to cloud-native applications. Interestingly, 33% admitted that their development teams don’t involve cybersecurity experts for fear of being slowed down.

‘Everything-as-code’ (EAC) will include security

Everything needs to be code, but that’s not always the case today. We need software to be deployable, and increasingly, not to have to worry about how that will happen. ‘Infrastructure-as-code’ takes care of that by ensuring that the configuration of how software gets run just happens, without humans needing to execute manual steps to bring services up. This principle can apply to anything, including application security.

This year, performant DevOps teams will ensure that Security-as-code is a design feature. Writing security tests into the configuration of how software is checked (and increasingly patched) before deployment will be standard. Security tests that run in a short space of time will be selected as a priority. Typically, this will mean that results are expected back within 10 minutes and accuracy is paramount. Noisy, lengthy security tests will either not go into pipelines or will be kicked out of the automation process.

Supply chain security needs to be brought into the next decade

Supply chains are becoming more complex, and with this complexity comes more opportunity for cybercriminals to cause chaos. Research shows that third-party software has more vulnerabilities than internally developed software. The people that care about the security of a particular piece of software are more often than not the ones using it, not the ones creating it.

With developers releasing updates far more frequently, as well as leveraging different open source code or software from multiple parties, organisations need to ensure they have the full picture of the code they are using at all times.

Third-party penetration tests no longer work for the modern development cycle – which is now often daily rather than every few months. It is the organisation’s job to make sure certain standards are upheld so security can be ensured throughout the supply chain in real time.

The focus this year should be on making security part of an organisation’s competitive advantage, and this should start with the supply chain.

www.intelligentciso.com | Issue 23
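As an added example (not the article’s own material), the Security-as-code and supply chain points above written into one pipeline definition: the security checks live in the repository configuration, the job carries the ten-minute budget the article describes, and the supply chain step refuses any dependency that is not pinned by hash. It assumes a Python project with a hash-pinned requirements.txt and uses GitHub Actions, pip-audit and bandit as the tooling; other stacks would substitute their own equivalents.

```yaml
# Added example of security-as-code in CI; not from the article.
# Assumptions: a Python project, source under src/, and a requirements.txt
# whose entries are pinned to exact versions with --hash values.
name: security-as-code

on:
  pull_request:
  push:
    branches: [main]

jobs:
  security-gate:
    runs-on: ubuntu-latest
    # The article's budget: results back within ten minutes. Anything that
    # overruns fails the job rather than silently stretching the pipeline.
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Supply chain: pip refuses the install if any requirement lacks a hash
      # or a downloaded artifact does not match its pinned hash, so a swapped
      # or tampered package cannot enter the build unnoticed.
      - name: Install hash-pinned dependencies
        run: python -m pip install --require-hashes -r requirements.txt

      # Known-vulnerable third-party code: a fast, low-noise check that gives
      # the "full picture" of what is being shipped on every change.
      - name: Audit dependencies for known vulnerabilities
        run: |
          python -m pip install pip-audit
          pip-audit -r requirements.txt

      # The application's own code. "-ll" reports medium and high severity
      # only, keeping the gate quiet enough that teams do not route around it.
      - name: Static analysis of first-party code
        run: |
          python -m pip install bandit
          bandit -r src -ll
```

A finding in any step fails the pull request, which is the "kicked out of the automation process" behaviour applied to the code change rather than to the test.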