Security in the last years was mostly focused on infrastructure protection, but application security has slowly grown in relevance and will likely continue to do so. Applications play a growing role for businesses and application specific security programs are often not yet in place. What Microsoft started with an SDL - a secure development lifecycle - has not been implemented nor is it easily transferable into the modern world of agile methodologies, DevOps and increased deployment speed.
Recently I gave a talk at the University of Applied Science in Augsburg where I briefly talked about challenges for modern secure software development in times of DevOps and Agile Development. The problems in securing modern software pipelines are manifold - mostly caused by a lack of time and resources for the security team, especially the usually very small number of team members familiar with application security, while rapidly shortening the time for creating a release. We are experiencing that companies who previously released every 6 months or less, now release every 2-4 weeks or even multiple times a day, while the big DevOps champions like Netflix already master thousands of deployments per day.
This requires a security strategy which enables security teams to work together with other teams that usually have more resources (and are hopefully either willing or required to cooperate), set their focus accordingly, work with automation to overcome the need for manual and therefore slow interaction and in general enable development teams to produce secure software by default. The goal of this strategy is, of course, to make software delivered by the development teams more secure and have less vulnerabilities in production - but do so with only a minimal impact on deployment times, low fixing costs and without too much compromise regarding the security baseline.
The slides of my talk - which lay out some ideas of how to achieve this - are available here. We are going to publish more details on modern SSDLC implementation in the next weeks, but for now we are releasing the slides.
