
Software delivery management: bridging the gap between CISO and engineering


Every company is now a software company. As a result, more and more stakeholders take part in the software delivery process, and all of them share responsibility for the security of the code and the data it handles. This evolution means the Chief Information Security Officer's (CISO) team partners directly with the software engineering team (among others) to build a culture founded on the principle of security by design.

While the CISO's team owns the security policies and controls, it needs to partner with other stakeholders across the company to implement those policies, guidelines, standards and best practices. Buy-in to a standard set of practices that drive the security and quality of the delivered software helps the entire IT organization improve its security policies and avoid known issues along the way.

The collaboration between the CISO and the software engineering team must put hardened guardrails in place that validate, as part of each team's own process, that the policies are actually being followed. Automated guardrails make it easier for the organization to pass software audits and complete security posture assessments, and they give customers confidence that the company follows proper security practice and that their data is protected.

Software delivery management, therefore, combines the CISO's practice with the engineering practices of DevOps and IT operations, and must account for the company's needs as it moves applications to the cloud. The following concepts will help security and IT leaders address future challenges and ultimately enable high-performing teams to bake security standards into software delivery.

Transition to the cloud

In the past, engineering teams developed applications and their management tooling inside the data center and deployed them directly onto production servers, with security handled tool by tool at each step. When organizations move applications to the cloud, they no longer control the underlying hardware and much of the underlying software, and security tools and techniques have to be applied differently at each step of the software delivery lifecycle.

Migrating to the cloud is easy; securing the software delivery management process there is hard. To do it successfully, organizations have to think in terms of security by design: IT leadership should not be adding security after the fact. The biggest problem is that organizations "lift and shift" workloads from on-premises environments to the cloud while keeping the old security processes and controls in place, and as a result never make effective use of cloud-native security tools and technologies.

For example, when a new project begins, security approvals are needed along the way. A centralized security team must be involved from the start so it knows what is being shipped and deployed, avoiding surprises toward the end of the deployment lifecycle.

The second aspect of software delivery management security is where security by design comes into play: engineering teams adopt security best practices during the initial build and use techniques such as static code analysis.

Software delivery management in the cloud and why security by design is important

The five things that help companies improve their security posture in software delivery management include:

  1. Static code analysis
  2. Dynamic code analysis
  3. Container security management
  4. Vault to manage the secrets, passwords, certs and keys
  5. Visibility into software delivery management

Static code analysis

Why is static code analysis important? It gives teams a rapid understanding of the quality of the software being built and of the security vulnerabilities it contains, before the code ever runs. Catching issues early makes them far cheaper to remediate than finding them later in the process, and keeps buggy code out of production.

The desired outcome for any IT leader is to eliminate known issues and vulnerabilities at the beginning of the software delivery management process.
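To make the idea concrete, the following is an added example (not Opsera's code, and not a substitute for a full SAST tool) of the kind of check a static analyzer performs: it walks the Python AST with the standard `ast` module and reports hard-coded credentials, `eval`/`exec` on non-constant input, and `subprocess` calls that pass a dynamic command with `shell=True`. The rule names, the credential-name pattern and the sample source are assumptions constructed for the example.

```python
"""Minimal AST-based static analysis check (added example, not Opsera's code).

Reports three finding types a SAST tool would flag before code reaches the
pipeline:
  HARDCODED_SECRET  - non-empty string literal assigned to a credential-looking name
  DANGEROUS_EVAL    - eval()/exec() applied to anything other than a constant
  SHELL_INJECTION   - subprocess.* with shell=True and a non-constant command
The rule set, the name pattern and SAMPLE below are constructed assumptions.
"""
import ast
import re
from dataclasses import dataclass

# Assumed naming convention for credential-like variables (case-insensitive).
SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_?key)$", re.I)
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


class _Checker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # password = "hunter2"  -> HARDCODED_SECRET; empty placeholders are ignored
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", None)
                if name and SECRET_NAME.search(name):
                    self.findings.append(Finding("HARDCODED_SECRET", node.lineno, f"literal assigned to '{name}'"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # eval("1+1") is noise; eval(user_input) is the real risk
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            if node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding("DANGEROUS_EVAL", node.lineno, f"{func.id}() on non-constant input"))
        # subprocess.run(cmd, shell=True) where cmd is built at run time
        if (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
                and isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                        for kw in node.keywords)
            if shell and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding("SHELL_INJECTION", node.lineno, "shell=True with dynamic command"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Return the findings for one Python source string, ordered by line number."""
    checker = _Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample input: the kind of deployment helper the text warns about.
SAMPLE = '''
import subprocess
DB_PASSWORD = "hunter2"                          # hard-coded credential
api_key = ""                                      # empty placeholder, not reported
def run(user_cmd):
    subprocess.run("ls " + user_cmd, shell=True)  # shell injection
    subprocess.run(["ls", user_cmd])              # argument list, no shell: not reported
    return eval(user_cmd)                         # eval on caller-controlled input
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"{finding.rule}:{finding.line}: {finding.detail}")
```

Running the block prints one line per finding (three for the sample). In a pipeline the same function would run over every changed file in the commit, and any finding would fail the build step rather than just print.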

Dynamic code analysis

Dynamic code analysis helps identify vulnerabilities that only show up at run time. It is a form of black-box vulnerability scanning that lets developers and DevOps teams probe a running application (typically a test or staging deployment) and identify weaknesses that static analysis cannot see, such as injection flaws reachable through deployed endpoints, missing security headers or server misconfigurations. Finding these before release cuts the time it takes to identify the same weaknesses after a production incident and improves the overall security posture.

Container security management

At the same time, many organizations are shifting from VMs to containers in the cloud. When migrating to container technology, security engineering needs to include container image scans as part of the software delivery management process.

The security team needs to partner with software engineering and DevOps teams to establish benchmarks and a baseline for container vulnerability management, and to make sure that all container images are scanned regularly and that scan results do not deviate from that baseline. Incorporating approval gates in the CI/CD process then lets security teams enforce the agreed policies and automate the prescribed software delivery management security steps.

This process removes known vulnerabilities and bugs before deployment and takes the surprises out of each release, improving both the quality of the software and the security posture.
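As an added example (not Opsera's code, and not tied to any particular scanner's output format), the gate described above can be implemented as a small policy step in the pipeline: it reads a scan report, ignores findings the security team has risk-accepted in the baseline, and blocks the deployment if any CRITICAL or HIGH finding remains. The report fields, the severity policy, the baseline entries and the expiry rule are assumptions constructed for the example; the expiry is the caveat a practitioner wants, because an acceptance that never expires quietly turns the baseline into a permanent exception list.

```python
"""CI approval gate for container image scan results (added example, not Opsera's code).

Compares a scanner's findings (a constructed JSON document here) against a
risk-accepted baseline and reports whether the deployment may proceed.
Field names, severity policy and sample data are assumptions for this example.
"""
import json
from datetime import date

# Severities that block a deployment when they are not covered by the baseline.
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed baseline: CVEs the security team has accepted, each with an expiry
# date so an acceptance cannot silently live forever.
BASELINE = {
    "CVE-2023-0001": {"expires": "2099-01-01", "reason": "vulnerable code path not reachable in our config"},
    "CVE-2023-0002": {"expires": "2020-01-01", "reason": "acceptance has expired and must be reviewed"},
}

# Constructed scan output for one image (not a real scanner's format).
SCAN_JSON = json.dumps({
    "image": "registry.example.com/app:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-2023-0001", "severity": "HIGH", "package": "libfoo", "fixed_in": "1.2.3"},
        {"id": "CVE-2023-0002", "severity": "CRITICAL", "package": "libbar", "fixed_in": None},
        {"id": "CVE-2023-0003", "severity": "MEDIUM", "package": "libbaz", "fixed_in": "2.0"},
        {"id": "CVE-2023-0004", "severity": "CRITICAL", "package": "openssl", "fixed_in": "3.0.9"},
    ],
})

# Constructed report that should pass: the only HIGH is accepted, the rest is LOW.
CLEAN_SCAN_JSON = json.dumps({
    "image": "registry.example.com/app:1.4.3",
    "vulnerabilities": [
        {"id": "CVE-2023-0001", "severity": "HIGH", "package": "libfoo", "fixed_in": "1.2.3"},
        {"id": "CVE-2023-0005", "severity": "LOW", "package": "libqux", "fixed_in": None},
    ],
})


def accepted(cve_id, baseline, today):
    """True only if the CVE is in the baseline and its acceptance has not expired."""
    entry = baseline.get(cve_id)
    return entry is not None and date.fromisoformat(entry["expires"]) >= today


def evaluate_gate(scan_json, baseline=BASELINE, today=None):
    """Return (passed, blocking_findings) for one scan report.

    `today` may be a date, an ISO date string, or None for the current date;
    it is a parameter so the decision is reproducible in tests and audits.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    report = json.loads(scan_json)
    blocking = [
        v for v in report["vulnerabilities"]
        if v["severity"] in BLOCKING and not accepted(v["id"], baseline, today)
    ]
    # Deterministic order (CRITICAL first, then by id) so gate output is stable between runs.
    blocking.sort(key=lambda v: (v["severity"] != "CRITICAL", v["id"]))
    return (not blocking), blocking


if __name__ == "__main__":
    passed, blocking = evaluate_gate(SCAN_JSON)
    for v in blocking:
        fix = f"fix available: {v['fixed_in']}" if v["fixed_in"] else "no fix published yet"
        print(f"BLOCK {v['severity']} {v['id']} in {v['package']} ({fix})")
    print("GATE PASSED" if passed else "GATE FAILED")
```

A pipeline step would map `passed` to its exit status so the deploy job cannot proceed on failure. Findings with a published fix are the ones engineering can close by bumping the package; findings with no fix are the ones that need an explicit, dated baseline entry from the security team.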

Vault to manage the secrets, passwords, certs and keys

In the past, engineering teams wrote build and deployment scripts with passwords, keys and certificates embedded directly in them. Hard-coding sensitive data into scripts does not work for cloud deployments and was never a good practice: it exposes the data to anyone who can read the repository, which can lead to breaches, and it makes configuration cumbersome to manage across many scripts and deployments. By automating the process, software delivery management teams can keep this material in a vault instead. Decoupling sensitive data from the scripts and storing it in the vault significantly improves how passwords, certificates and keys are protected, and lets the team control who can access them through a role-based access model.

As a best practice, all secrets, passwords and certificates should be stored in the vault and referenced by the pipeline at each step that needs them. This keeps passwords out of the code, so a leaked or compromised repository does not also leak credentials.
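The following is an added example (not Opsera's code and not any particular vault product's API) of the role-based model this section describes, in miniature: secrets live in a vault keyed by path, each pipeline role is granted read access to an explicit set of path patterns, every lookup is denied by default and written to an audit log, and the deployment script holds only the path, not the value. The roles, paths, secret values and the in-memory `Vault` class are constructed assumptions; a real deployment would back the same interface with a managed secret store.

```python
"""Role-based access to pipeline secrets (added example, not Opsera's code).

Models the pattern the section describes: secrets are keyed by path, roles
are granted read on glob patterns over those paths, lookups are denied by
default and audited. Roles, paths and values are constructed for the example.
"""
import fnmatch
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when a role reads a path its policy does not cover."""


@dataclass
class Vault:
    _secrets: dict = field(default_factory=dict)   # path -> secret value
    _policies: dict = field(default_factory=dict)  # role -> [glob patterns over paths]
    audit_log: list = field(default_factory=list)  # (role, path, "allow"|"deny")

    def put(self, path, value):
        self._secrets[path] = value

    def grant(self, role, *patterns):
        # Note: fnmatch's '*' also matches '/', so "db/*" would cover every environment.
        # Grant the narrowest pattern that does the job.
        self._policies.setdefault(role, []).extend(patterns)

    def read(self, role, path):
        allowed = any(fnmatch.fnmatchcase(path, p) for p in self._policies.get(role, []))
        self.audit_log.append((role, path, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"role '{role}' may not read '{path}'")
        if path not in self._secrets:
            raise KeyError(path)
        return self._secrets[path]


def can_read(vault, role, path):
    """Policy probe used for tests and self-checks; the lookup is still audited."""
    try:
        vault.read(role, path)
        return True
    except AccessDenied:
        return False


def build_demo_vault():
    """Constructed vault contents and policies for the example."""
    v = Vault()
    v.put("db/prod/password", "s3cr3t-prod")
    v.put("db/staging/password", "s3cr3t-stage")
    v.put("ci/signing-key", "signing-key-material")
    v.grant("deploy-staging", "db/staging/*")   # cannot see prod or signing material
    v.grant("deploy-prod", "db/prod/*")
    v.grant("release-signer", "ci/signing-key")  # exact path, nothing else
    return v


# Before: the credential is baked into the deployment script and its repository history.
def connect_string_hardcoded():
    return "postgres://app:s3cr3t-prod@db.prod.internal/app"


# After: the script carries only a path; the value is resolved at run time under the
# caller's role, so a staging job cannot obtain the production password.
def connect_string(vault, role, env):
    password = vault.read(role, f"db/{env}/password")
    return f"postgres://app:{password}@db.{env}.internal/app"


if __name__ == "__main__":
    vault = build_demo_vault()
    print(connect_string(vault, "deploy-prod", "prod"))
    print("staging role can read prod:", can_read(vault, "deploy-staging", "db/prod/password"))
    for entry in vault.audit_log:
        print("audit:", entry)
```

The audit log is what makes the model reviewable: every denied read is a signal that a job is either misconfigured or probing for access it should not have, which is exactly the kind of surprise the gate should surface before production.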

Software delivery management can be future-proofed with security by design; the two must go hand in hand. With security by design, you enact a strong security policy from the start and incorporate the proper guidelines and best practices along the way.

Visibility into software delivery management

With current software delivery management platforms, information is spread across multiple tools and stages of the CI/CD pipeline. It is very challenging for companies to bring that information together, normalize the data and build a unified view. Lack of visibility and unified insight into the software delivery process increases security risk and significantly impacts productivity and operations.

Better visibility and predictive capabilities help organizations understand bottlenecks, delays and security risks, enabling better business and technical decisions. In addition, DevOps and engineering teams can address issues proactively and avoid last-minute surprises in the end-to-end software delivery process.

Summary of security guidelines and best practices

At a minimum, IT organizations should incorporate static code analysis and container vulnerability management, and use a vault to store sensitive configuration data.

Security leaders need to enable engineering teams by making these integrations easier and orchestrating security policies for automated CI/CD pipelines. In turn, this lets engineering organizations build in guardrails and move code through the pipeline without manual hand-offs.

The end goal is to improve security processes through validation and make sure that teams deliver software to the highest quality and security standards. If security and engineering collaborate early and often, engineering teams make it easy for the CISO to know which vulnerabilities and issues exist and to have confidence that they are being handled.

Kumar Chivukula, CTO, Opsera

Kumar is the co-founder and CTO of Opsera, helping drive the mission to help companies deliver software fast, safe, and secure via disruptive DevOps solutions.