Modern development - Synopsys: The convergence of speed & security
This series is devoted to examining the leading trends that go towards defining the shape of modern software application development.
As we have initially discussed here, with so many new platform-level changes now playing out across the technology landscape, how should we think about the cloud-native, open-compliant, mobile-first, Agile-enriched, AI-fuelled, bot-filled world of coding and how do these forces now come together to create the new world of modern programming?
This contribution comes from Jonathan Knudsen, senior security strategist at Synopsys.
Knudsen writes as follows…
Modern software development focuses on speed and security, the convergence of two overall trends in the industry. First, software creation processes are evolving to optimise time to market. Second, organisations of all kinds are realising that software security represents very tangible risks to operational continuity, revenue, reputation, and more.
Building software is like building a bridge.
You try to figure out where people want to go, then you design and build a bridge to get there. The two hazards are (1) you were wrong about where people wanted to go or (2) you were too slow in building your bridge. In either case, it doesn’t matter how well you built the bridge; people will not use it.
Software is the same way. If you misjudge your market, or it takes you too long to get a product to market, it will be irrelevant. Organisations have learned the hard way that they need to be more nimble in creating software and more responsive to changing needs of customers over time. This is the force driving increased velocity of Agile and DevOps.
Cornerstones of DevOp
Interestingly, in a DevOps environment, developers perform much the same work as before, with much the same individual productivity. It is the process surrounding the developers that has changed, enabling organisations to deliver software and incremental features at greatly increased frequency. Cornerstones of DevOps are automation and integration, leveraging software tools and processes to maximise frequency of delivery of developers’ work to customers.
In tandem with this focus on velocity, organisations building software are recognising that software created without an overall emphasis on security is unacceptably risky. Software nowadays is critical infrastructure for modern society, a kind of proto-infrastructure that underlies healthcare, transportation, financial services, and other traditional sectors.
Software failures have consequences that range from irritating to catastrophic, demonstrated by the ongoing parade of software security headlines.
The Secure Development Life Cycle (SDLC) ensures that software is built with an eye toward security at every phase. This means software built using an SDLC will be safer, more secure, and more resilient. In business terms, this means lower risk.
Into the SDLC
In the design phase of the SDLC, software architects use threat modeling to look at the proposed software with an attacker’s mindset. The purpose is to identify potential problems and add security controls like authentication and encryption to mitigate possible attacks.
During implementation, security tools such as static analysis are integrated into the development pipeline to provide feedback to developers about vulnerabilities, which can then be fixed prior to releasing the software. Software composition analysis (SCA) can also be integrated into the pipeline, providing developers with information about risks associated with third-party open source code. A variety of dynamic testing should also be integrated with the SDLC, including fuzz testing and web application security scanners.
Interestingly, in an SDLC, developers perform much the same work as before.
The process surrounding them includes an emphasis on security and concrete feedback on security vulnerabilities, which helps developers fix problems in the software before it is released. Over time, this feedback helps them write more secure code, which increases the efficiency of an already streamlined DevOps process.
A harmonious mashup
The convergence of speed and security in software development is often labeled DevSecOps. It is the latest signpost in the rapid evolution of software development methodologies, a harmonious mashup of short-term business advantage coupled with long-term risk reduction. In the short term, organisations can reap the benefits of delivering new software and new features quickly. In the long term, organisations have reduced risk of software failure, unhappy customers, legal liability, or reputational damage.
By combining frequent releases of incremental software development with an unflagging attention to security, organisations of all kinds enjoy business benefits that will allow them to thrive.
Knudsen: go fast, but go secure (Image Source: Synopsys)