Article by Stefania Chaplin, solutions architect, GitLab
As the world becomes increasingly digital, a new approach to software security that leads to better applications, enhanced collaboration and improved performance has become mission critical.
Why now? Software underpins every aspect of modern life, resulting in almost every organisation becoming a software company.
For example, an airplane has close to 15 million lines of code and a modern car over 100 million.
These huge volumes of code mean that the traditional route of a team of developers writing every line of every program is no longer viable. A far quicker and more cost-effective approach is for developers to stitch together reusable libraries of code, often called components.
New routes usually create new challenges. An increased reliance on software for almost all operational activities means that the security aspects of software development take on a far greater importance.
Regrettably, security is often an afterthought or added at the end of development. So what happens when things go wrong?
Poor software development processes can cause delays, failures or worse, such as product recall, fines and loss of brand reputation.
Buggy software can result in ransomware, stolen data, crypto-mining and fraud. It’s a long, potentially career-damaging list.
What can business leaders and managers do to avoid these negative outcomes, gain competitive advantage for the business and possibly boost their own promotion prospects?
- Make an effort to understand the principles underlying best practices in secure software development – usually referred to as DevSecOps. These help reduce costs, catch vulnerabilities fast, reduce rework, improve software delivery and enhance organisational performance.
- Develop close relations with your technical team leaders, and ask them to explain the purpose, processes and control of their key projects with minimal use of jargon.
- Set clear goals and milestones for each development project in consultation with the technical team and end users.
- Use a reporting system to identify and correct emerging issues, allowing collaboration between teams.
- When things go wrong (and they will), treat failure as an opportunity to learn lessons and make improvements. Create a culture of psychological safety and schedule a debrief to analyse what went wrong and what can be done to improve the system. This will prevent the same failure happening again, improving efficiency and organisational performance.
If a business manager or leader wants to become more involved in the technical process, these are typical security questions that could be asked of a technical team:
- What is the DevOps platform?
- What is the software creation and deployment process?
- Is security scanning automated throughout the development process?
- How much time is needed to patch typical vulnerabilities?
- What is the mean time to recovery (MTTR) when there is a failure?
Avoid asking a technical question but failing to understand the response. If in doubt, consult a security expert and work with them. For those interested in learning more, I am working with organisations staging exciting education events, adopting DevSecOps to reduce risk, improve software delivery, boost organisational performance and outperform competitors.
About the author
Stefania’s (aka DevStefOps) experience as a Solutions Architect within DevSecOps, Security Awareness and Software Supply Chain Management means she’s helped countless organisations understand and implement security throughout their software development lifecycle (SDLC). As a Python developer at heart, Stefania enjoys optimising and improving operational efficiency by scripting, automating and creating integrations. She is a member of OWASP DevSlop, hosting their technical shows. When not at a computer, Stefania enjoys surfing, yoga and looking after all her tropical plants.