Ship Software with Confidence: Security by Design in Practice

This material was originally presented by Beatriz Acosta at the ISC2 2023 Security Congress in October 2023 as a Learning Bytes Session titled “Ship with Confidence: Secure Software by Design.”

Speed to market is crucial for technology manufacturers and any organization involved in software development. However, this rush to deliver often overlooks a critical component: security. Beatriz Acosta, an experienced Application Security leader with Security Compass, addresses the importance of integrating security earlier in the software development lifecycle to ensure that applications are not only innovative and functional but also secure by design.

The High Costs of Traditional Security Approaches

Application security teams face numerous challenges that undermine their confidence in shipping secure software. Traditional security measures, such as manual threat modeling and reactive security testing, are both time-consuming and costly. It can take over 40 hours to perform a single threat model and an average of 149 days to fix a critical issue. This inefficiency is exacerbated by the insufficient ratio of Application Security (AppSec) experts to developers, which stands at 1:100, making it nearly impossible to scale security measures effectively.

Manual Processes: A Roadblock to Efficiency

The reliance on manual processes for threat modeling and secure development significantly delays the software development lifecycle. From initial meetings and whiteboards to manual analysis and threat countermeasure identification, each step is fraught with inefficiencies, inconsistencies, and a lack of integration with other development tools. This approach not only increases the time to market but also leaves applications vulnerable to security threats.

The Cost of Rework and Lack of Developer Engagement

A study by Jones Capers reveals the exponential increase in the cost of fixing vulnerabilities post-deployment, highlighting the inefficiencies of addressing security issues late in the development process. Moreover, 74% of developers engage with security only after the design phase, often lacking the necessary training and tools. This disconnect underscores the need for a shift in perspective, where security is integrated from the beginning of the development process.

Embracing a Security by Design Culture

To overcome these challenges, organizations can adopt a Security by Design culture. This approach involves embedding security considerations into every phase of the software development lifecycle, from planning and design to deployment and maintenance. By doing so, organizations can ensure that security is not an afterthought but a foundational element of software development.

Planning for Security by Design

Implementing a Security by Design culture requires a comprehensive framework that includes educating development teams, embedding a depth of security knowledge, and empowering teams with the tools and processes to integrate security seamlessly into their workflows. Successful organizations have demonstrated that executive sponsorship, culture change, and the right tooling are critical factors in achieving security by design.

Real-World Success Stories, Security by Design in Practice

Security Compass has enabled organizations to put Security by Design into practice and shift their security culture.

  • A Fortune 500 Global Manufacturing Leader achieved 200% of their Application Security Training Targets, deployed an incentivized security champions belt program using Security Compass content, and threat modeled 130% of targeted applications on SD Elements.
  • A Fortune 500 Government Technology Leader enacted a 3-year plan to roll out their Security by Design vision. In Year 1, they achieved all of their Application Security Training enrolment targets and trained 200% of targeted candidates for their Security Champions program. In Year 2, they tracked to double their AppSec training enrolments and threat modeled 100% of their targeted applications on SD Elements. In Year 3, they are tracking to enroll 95% of their total development organization.
  • A Smart Homes and Systems Brand localized their Application Security Training and Security Champions Content Library with support from Security Compass. They also achieved their target of training and enabling 1 Security Champion per development team. Embedding these champions enabled the company to have 88% of their in-house applications onboarded and threat modeled on SD Elements.

Common markers for their success were:

  • Deploying Security Training that was sticky. Their dev organizations were engaged with the content: it was relevant to what they needed to do (their roles and their functions, just enough), and it was reinforced with contextual training within their threat modeling platform (just in time).
  • They were committed to changing their culture and doing security differently. With that readiness to make a change, they were ready to succeed with the shift and sustain a Security by Design culture.
  • Culture change requires champions among peers. There needed to be active bearers and leaders of that culture. With designated, nominated and committed security champions, bearing and building a new culture of security by design was a smoother and more successful process.
  • Executive sponsorship means security by design was a business priority. All these organizations had their top leaders’ confidence in the security by design initiative, making it more likely to stick and be supported by the rest of the organization.
  • Having the right tools at an organization’s disposal makes the change real and the success more attainable. Teams were equipped with the right platform and were supported by processes that work and can scale.

How to Start with Security by Design

For organizations looking to embark on this journey, Beatriz offers practical tips:

  1. Educate yourself on your security needs and available training options.
  2. Embed passionate self-starters trained in security within your teams.
  3. Empower your leaders and influencers to prioritize security as a shared goal.

By taking these steps, organizations can build the confidence to ship software that is secure by design.

Conclusion

The journey towards implementing security by design is multifaceted, involving a shift in culture, processes, and technology. However, the benefits of such an approach, including reduced risk, faster time to market, and enhanced security, are invaluable. Security Compass is dedicated to guiding organizations through this transformation, ensuring that they can ship with confidence.

Interested in learning more about how to implement Security by Design in your organization? Contact us to explore how our solutions can empower your team to build secure software from the ground up.