Security in software development: from an afterthought to a primary concern
At which stage should we talk about security in a software development cycle? I would have loved to say it’s a question I hear more often. But no.
Before cloud-native, teams typically developed software products through sequential work, so the life cycle was a linear process:
→ the development team built the software iteratively on an infrastructure
→ QA and the product manager validated correctness and user acceptance
→ the information security team tested for security and compliance
→ the IT team configured the infrastructure and deployed the software to production
This kind of process took months, and security and privacy concerns were handled outside the cycle.
Today’s processes are anything but simple. Deployment happens much faster, but the attack surface of an application is much greater. A developer can import a new library with a few lines of code and deploy it to a production container in minutes. This has brought significant improvements in the software industry’s ability to deliver quality software quickly.
Yet security concerns are still in the queue. When a concern is part of the SDLC, it becomes part of every step. The more concerns the team understands up front, the less work has to be done to correct the code after it has been deployed.
As much as we like cloud-native stacks, the complexity of the new infrastructure forces us to bring security concerns to the table from the very beginning of a software project.
The challenges
Security considerations on legacy systems were simpler; today every piece of the application and the SDLC happens in a cloud environment, not only production but also testing, which requires a bit more room. This makes it impossible to secure a system that can be easily changed by an open source library or a piece of integration code.
How do we approach security when it has never been a primary concern?
By looking at security threats from a development perspective, as a code-level concern. Once the team (business and software development) treats this concern as a first-class matter, you end up with a safer product and less development effort.
For a developer, security requires extra checks:
→ make sure the code is secure and written to spec
→ what does the communication between containers look like?
→ what do the APIs to the various systems look like?
→ minimize the infrastructure’s software attack surface
→ what external APIs am I consuming?
→ can we capture the communication patterns in a map or a sequence diagram?