Balancing secure and innovative software delivery
Thu 21 Nov 2019 | Ben Ross
Solid software development principles drive good security outcomes
In a world where one data breach is all it takes to destroy a business, only prepared and vigilant organisations that embrace security in their operations will survive.
Yet, for many organisations, successfully integrating security into the software delivery lifecycle is still a huge obstacle. This is illustrated in this year’s Puppet State of DevOps Report, which revealed that only 22 percent of companies at the highest level of security integration have reached an advanced stage of DevOps maturity. Delivering innovation should not have to compete head-to-head with safeguarding customer data.
With a myriad of security practices and solutions on the market, why is it so hard to integrate security into software development?
The balancing act: security and innovation
The truth is simple – feature delivery does not need to be at odds with safeguarding customer data. While short-term gains can be achieved by prioritising feature delivery speed over security, the long-term impact on the business can be quite damaging and potentially irreversible.
In non-production environments, security and compliance challenges are magnified as the number of data instances and internal users grows. In a world where companies are harnessing data and software to power their businesses, the vast majority of data breaches happen when data used for testing is copied out of production. That’s where a method like data masking can help: it protects data by obfuscating it into values that are anonymised but retain referential integrity, so teams can still perform meaningful software testing and derive smarter insights.
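As an added illustration (not from the original article or from any vendor's product), the sketch below shows one common way to mask data while keeping referential integrity: a keyed, deterministic pseudonym (HMAC-SHA256) applied to the same identifier in every table, so joins still line up after the real values are gone. The table layout, column names, key and sample rows are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: the real key lives in a secrets manager on the production side
# and is never shipped to the test environment with the masked data.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"

def mask_token(value: str, domain: str, length: int = 12) -> str:
    """Deterministic keyed pseudonym: same value and domain give the same token."""
    msg = f"{domain}:{value}".encode("utf-8")
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).hexdigest()[:length]

def mask_email(email: str) -> str:
    """Keep a valid email shape so format checks in tests still pass."""
    return f"user_{mask_token(email.lower(), 'email')}@example.invalid"

def mask_customers(rows):
    return [{"customer_id": mask_token(r["customer_id"], "customer_id"),
             "email": mask_email(r["email"]),
             "plan": r["plan"]}  # non-identifying column kept as-is
            for r in rows]

def mask_orders(rows):
    # The foreign key gets the same transform as the primary key it points to.
    return [{"order_id": r["order_id"],
             "customer_id": mask_token(r["customer_id"], "customer_id"),
             "amount": r["amount"]}
            for r in rows]

def join_totals(customers, orders):
    """Total order amount per customer email, joined on customer_id."""
    by_id = {c["customer_id"]: c["email"] for c in customers}
    totals = {}
    for o in orders:
        email = by_id[o["customer_id"]]
        totals[email] = totals.get(email, 0) + o["amount"]
    return totals

# Constructed sample rows standing in for a production extract.
CUSTOMERS = [{"customer_id": "C-1001", "email": "Ana.Silva@corp.example", "plan": "pro"},
             {"customer_id": "C-1002", "email": "j.doe@corp.example", "plan": "free"}]
ORDERS = [{"order_id": 1, "customer_id": "C-1001", "amount": 120},
          {"order_id": 2, "customer_id": "C-1002", "amount": 35},
          {"order_id": 3, "customer_id": "C-1001", "amount": 80}]

if __name__ == "__main__":
    print(join_totals(mask_customers(CUSTOMERS), mask_orders(ORDERS)))
```

A keyed HMAC is used rather than a bare hash because low-entropy identifiers such as email addresses can otherwise be recovered by hashing guesses and comparing.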
Securing all software environments in both non-production and production systems can prevent anyone in the organisation from accessing and exposing personal data in the first place.
To be at the forefront of today’s digital era, IT leaders must integrate security into their innovation workflow to safeguard sensitive data from external and internal threats.
Embedding security into DevOps
Good software development principles drive good security outcomes. Improving security isn’t just about moving practices to an earlier phase of the software lifecycle—it’s about adopting a new way of working that emphasises cross-team collaboration and automation for easier and iterative implementation.
Adopting DevOps principles improves reliability, predictability, measurability, and observability in enterprise application deployments, which, in turn, leads to more secure environments. While it’s not always easy to anticipate risks and threats, building efficient and reliable security practices into the software development lifecycle can help companies recognise and react to threats more effectively.
As more and more organisations adopt agile development practices, they’re also recognising the need for fast data delivery in their delivery pipeline. Global companies are increasingly turning to DataOps, a practice that focuses on the end-to-end delivery of data. Similar to DevOps, DataOps is centred around the strategic use of data, and in today’s world where every company is becoming a data company, data management is just as critical for businesses as software development.
Reaping the rewards of an integrated approach
Integrating security into software delivery is hard and messy. Most people see security as a bottleneck that causes delays and frustration. The pressure to deploy a feature often leads to compromises that create risk for the business, and development teams may decide to release a product with an unresolved security issue, which opens up the code to vulnerabilities.
Fostering a culture of shared responsibility around security is critical. When organisations bring together high-trust environments, automation, and cross-functional collaboration between developers, testers, and operations, they can mature in their DevOps journey and deliver applications that minimise exposure to risks.
Companies that are serious about improving their security need to adopt DevOps and better data management practices like DataOps to integrate security into every part of the software delivery lifecycle.