A window into Secure Development Life Cycle Programs
Writing code is easy, managing the Threats and Risks across the Application Life Cycle is more difficult. Behind every Business App, there is a Development Workload to design, build, deploy, operate and support the App, and its Business Workload.
As the Threat, Risk and Consequences of Information Security Incidents multiply, so does the importance of ensuring that Software Development Workloads are structured to address today's issues and tomorrow's unknowns.
A Secure SDLC program works to ensure that software, systems and cloud services are designed, built, deployed and operated with Security in Mind. A Secure SDLC program is built on one or more Business App Workloads. The Development aspects of the Business App Workload includes: People, Process, Technology, Assets, Automation, along with an expression of Risk Tolerance from the stakeholders and sponsoring organization.
From the graphic below, three important characteristics of a solid Secure SDLC program are:
- Program is aligned with Business Goals
- Investments and Timelines are right sized for the organization
- Teams are enabled for success
It may take months or years for a secure SDLC program to reach a steady state, and there is constant risk of program disruption from internal and external influences.
Examples of disruptors are: organizational shift, change in development platform or programming models, dynamics of the Open Source Supply Chain, unguided adoption of Agile, DevOps and Continuous Delivery styles of Development, alignment of practices with external security standards, etc.
The ultimate key to success for a Secure SDLC Program is long term goal setting, good instrumentation and measurement, continuous improvement and executive support.