“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
Most of the Organizations still continue to have a reactive approach towards information security. In my earlier blog post 7 Reasons No Company Can Afford To Ignore Security, I had shared why Organization’s can no longer afford to ignore security and in 6 Steps Strategizing Security In An Organization shared on how to strategize security in 6 steps. Its important for organizations to have a proactive security strategy and have a shift left practice in software development lifecycle (SDLC) to focus on security right from the initiation state of a project. Integrating security in the SDLC helps in the accountability and increased communication with all stakeholders involved in the process to ensure the project is incorporating security policies while following the security guidelines.
Why shift left security in the SDLC?
In the traditional SDLC, security strategy is always reactive in which the security testing is done at the end of development phase. If any security issues are found then, it becomes expensive to resolve and more often than not, due to time or financial constraints, quick patches are done or short term mitigations are put in place before releasing the software into production. More often than not, short term mitigations or patches result in costly expenses for maintaining security as the cost of operations are high. According to the study done by Cigital, cost of finding issues early during SDLC development phase results in upwards of 1165% savings when compared to finding issues during maintenance phase of SDLC.
Strategizing on shifting left security in the SDLC
Below is how we can strategize security by shifting it left in the SDLC. Incorporating security in each phase of SDLC helps an organization be more proactive in implementing a highly secured software. Moreover, overall costs are reduced as the security issues are found early in the development lifecycle. Security governance model established in the initiation phase helps define the security gates, policies, roles & responsibilities, timing of review, sign off process, etc. in each phase which governs security throughout the SDLC. Note that the Security Training is a continuous process throughout the SDLC so that the teams are constantly aware of security policies, protocols, tools, etc.
By shifting security left in the Software Development Lifecycle (SDLC), it helps in building more secured software and addresses the security compliance requirements while reducing overall cost.
I will be sharing more inputs on Information Security including how to align Secured Software Development Lifecycle (SDLC) using Agile or Waterfall methodology and how security can be trained, initiated, planned, analyzed, designed, implemented and maintained. Meanwhile let us know if you have any questions or comments. For any questions, please reach out to me at firstname.lastname@example.org.