Following the introduction of the General Data Protection Regulation (GDPR) on data protection and privacy in the European Union in 2018, conversations surrounding privacy and data have become commonplace. Over the past few months, data privacy and protection has been further thrown into the spotlight; contact tracing apps to combat Covid-19 are being developed around the world and the public is increasingly concerned about the security of their data when engaging with this technology. Since collecting data is a vital part of controlling both the spread of the virus and informing critical decisions on easing or reinforcing lockdown protocols, creating secure and robust apps is absolutely key to building the public’s trust.
DevSecOps is the philosophy of integrating security testing into every stage of the software development cycle. At the moment, whilst security is regarded as essential, it is often only brought in during the last stages of software development. Organizations must place security as a top priority, so consumers can trust the apps they are using. After all, consumers will only use the app if they feel confident that their data is secure.
How DevSecOps puts security at the forefront
Software and performance testing are often overlooked when building web or mobile applications. This is a crucial oversight since it is this type of testing that ensures consumer data is protected from any security breaches. Whilst software development’s main focus is on delivery speed and time-to-market, it also plays a crucial role in ensuring apps are secure. Testing software from beginning to end means security is embedded in every stage of software development and verifies that the product or service is robust and resistant to data leaks, hacks and other threats.
DevSecOps is the process whereby security is integrated into each stage of the software design rather than seen as an add-on once the software has already been developed. Key benefits of integrating security into the entire software development cycle include early identification of vulnerabilities in code, as well as more opportunities for quality assurance testing. Placing security at the forefront of software development allows teams to identify bugs and vulnerabilities, and implement steps and processes to manage these problems. It is this shift in focus - from speed and delivery to quality and security - that is essential in creating more secure apps.
Whilst security is often viewed by many as a problem that can only be addressed by highly-skilled and highly-paid consultants who specialize solely in security, basic security checks, such as ensuring that the latest release hasn’t changed the authentication mechanism, can often be solved by individuals without security expertise. However, it is important to acknowledge that some security issues do need to be addressed by experts. For example, security experts are needed when reviewing architectures and carrying out audits. Nevertheless, the majority of key and general security issues can be tested for without the need for specialized skills considering most threat models can be solved using standard static and dynamic analysis tools.
In order for organizations to achieve DevSecOps they must identify what security means to them and their users. For example, data confidentiality is often a key security concern for customers, so organizations need to identify and anticipate the types of vulnerabilities they could face. Consumer-facing apps that collect users’ personal data - name, address and bank card details - are particularly vulnerable to being hacked and leaking confidential information. However, to achieve the all sought after DevSecOps, seamless coordination between all stages of the software development cycle, which includes the planning, software and architectural design, with security being the main focus, is vital if the app is going to be successful. This can be rather difficult to achieve. Multiple teams within an organization, who often have different incentives, need to work together in order to effectively switch their attention to quality and security.
Additionally, continuously testing this software once developed is the next step to identifying security vulnerabilities early on and addressing them quickly. By using non-invasive software, it is possible to test for vulnerabilities without accessing any of the user’s personal information, and not compromising the public’s trust. Integrating and putting security and data privacy at the forefront of software development also makes sure that apps are in line with data privacy regulations, preventing further problems in the future, as experienced by Norway. Although one of the first countries to introduce a contact tracing app, Norway had to suspend its use in June due to the country’s data protection authority raising concerns that the app’s software poses a disproportionate threat to user privacy.
Continuous testing is key in building user trust
The delicate balance between privacy and security is the key to creating successful apps and services that typically require user data. Poor implementation of security standards can put users; data at risk. Mobile devices hold a huge amount of sensitive information, such as contact logs, encryption keys, location data and bank details. Larger concerns include where this data is collected, how long it is stored and whether it is used for any other purpose. There are already examples of what can happen when security is overlooked, with Babylon Health GP app suffering a data breach in June when a user noticed he had been given access to dozens of video recordings of other patients' consultations. Zoom, which boomed in popularity due to remote working during the pandemic, has been accused of having inadequate data privacy and security measures, resulting in being blacklisted by many companies, including Google.
Companies are often in a rush to release new apps, updates and services without properly testing them to guarantee they are secure. However, to accelerate the pace of digital transformation, security must be a fundamental part of software development and considered throughout its entire lifecycle. Security and data privacy is a balancing act and can be difficult to achieve, but by embedding security within all aspects of the software development process to identify vulnerabilities sooner. DevSecOps allows this balance to be met and makes sure user data is protected. Failure to integrate DevSecOps into the development cycle means security will remain an afterthought and security vulnerabilities will only continue to grow.
Antony Edwards, COO, Eggplant