
Recently Darryl Taft at eWeek released a slide deck based upon Mark Troester’s article, “Application security needs to be redefined to stay relevant”. The first assertion in the list, Agile / DevOps is the new game, confirms what I have seen over the past six months through interviews and conversations at conferences and events.

DevOps, through the idea of Agile and continuous delivery, continues to move application security closer to the beginning of the development life cycle as opposed to the end of the cycle, with most of the burden left to operations. Gary McGraw, CTO of Cigital, refers to this as “moving left”, imagining a chain or process of events where you continually try to move security management closer and closer to the beginning of the development cycle so that it is built into the environment as an integral part of the process.

AppSec Must Change To Be Relevant

This ties in directly to #4 on Troester’s list: Security from the start needs to be a reality. With the speed of development and the trend toward delivering multiple builds per day, security can no longer be thought of as an add-on process as part of the production build. It must be part of the application itself.

A third part of the message, Approval based mechanisms will fail, reinforces the idea that automation is now a mandatory part of security implementation. With the continuing growth of the use of open source components as the building blocks of most Java-based applications, it has become impossible to track the internal usage and maintain security of those components over time without an automated process.

Flip through the slide deck for the complete list of ten reasons to consider changing application security processes. The earlier we can get a handle on the change, the better.