Implementing a Secure Software Development Life Cycle — Part 3

Carlos Bocanegra
4 min read, Jul 18, 2021

Challenges

Implementing change in an organization is never easy, especially when it means giving people more work to do; there is usually some resistance and an adaptation period before the payback is felt. But change is inevitable, and in the end the way we face the challenges and adapt to change is what either makes us stronger or finishes us.

Selling the Idea to Upper Management

Besides the technical challenges a security professional deals with every day, one of the hardest is selling security initiatives to upper management. This is not because they would not understand how IT security works, but because you have to back your initiatives with numbers and usually provide a plan for return on investment.

In security, return on investment is trickier because it does not provide increased revenue like a typical financial investment; instead it should provide savings during security events, which do not follow a particular pattern, so it is hard to know how much your security program has improved your position or whether you simply have not been hit hard yet. In any case, when selling your security projects, focus on the preservation of capital and assets that the cybersecurity investment provides rather than on the revenue or loss involved.

Changing the Culture of the Organization

An important aspect of investing in security is that tools and processes by themselves are nothing without the people. Even if you have the best security product or the most efficient secure development process, if people are not fully engaged you will not get much out of it. This is where the challenge lies: making people feel ownership of a new secure development process is not easy, and at first the resistance to change will be considerable. The best way to address it is to start with a good security training and awareness program, so that people understand that security is not the responsibility of the IT Security team alone but is shared throughout the whole organization.

Another good selling point for developers is that a well-developed and mature secure development process should decrease the number of defects, which in turn lets developers focus on what they like most: coding new features rather than fixing defects.

Keeping up with the Constant Change

Investing in a secure development process is never finished: new security challenges come up every day, so you will need to keep up and adapt your procedures in a cyclic way. In fact, it may imply a drastic change in the way you do software development as well. Technology comes with an ever shorter lifetime, since a new version or model arrives within months and older versions become obsolete; the same happens in software development, where languages and coding methodologies change very often and sometimes you need to replace your software products with brand new ones.

In technology as in life, the only constant is change, so you have to make this your way of living, not just professionally but personally as well; acknowledging this will open your mind and help you adapt faster and better.

Conclusion

Implementing a Secure Software Development Life Cycle in an organization is a challenging process that requires breaking many paradigms and bothering a lot of people, but after evaluating the risks and consequences of not taking action, we are certain that it is the right thing to do. Although the particular scope and implementation plan will vary from organization to organization, it is clear that the first step is to educate your people and make them aware of the risks. This way you will be able to share the sense of ownership and make everybody mindful of the security impact of each of their actions, from understanding the risk of opening an untrusted link to writing specific lines of code in your software.

It is important to understand that this is going to be a long and complex process, so you have to start small and keep evolving step by step until you reach a mature state. However, reaching a mature state does not mean the work is done: security is a matter of constant adaptation to an ever-changing environment, so it is vital to keep that adaptation as part of your processes and understand that this is a new way of approaching technology.

Thanks for reading this far. I hope you have enjoyed this article and that I have provided you with some valuable information. Please let me know if you have any questions or comments, and good luck in your secure development journey.

Carlos Bocanegra

Carlos Bocanegra

Software security professional with 16 years of experience in all the areas of the software lifecycle.