Embedding Security Practices into Digitization Drives

An increasingly competitive environment is forcing companies to innovate faster in order to provide more value to customers and other stakeholders and bring products and services to market more quickly. They are called to do this by taking advantage of the opportunities afforded by a host of new digital technologies as part of their digital transformation initiatives. This is, in turn, driving cultural changes such as DevOps in these organizations as they reorganize to be more agile. At the same time, technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and to address scaling requirements more easily.

This revolution presents both risks and opportunities for security leaders. Executive leaders in security can seize these opportunities to reorganize their teams and infuse a security culture into the process of product and business innovation. Critical to this approach will be the security team's proactive guidance and its ability to provide resources to business units and application teams for digital transformation.

Moving Forward Securely

Security teams have several options for embracing digital transformation and embedding security into its initiatives. The first steps they can take are:

  • Modernize their approach to security assessments – Traditional security assessments performed quarterly by network scanners are largely irrelevant in a world where development cycles have accelerated, and infrastructure has become ephemeral. Security teams need to upgrade their approach to security assessments to provide a correlated view of risk that spans business processes, applications, networks, infrastructure, and cloud providers.
  • Provide application teams with security-annotated, cloud-native reference architecture – Application teams in organizations undergoing digital transformation are adopting new architectures and new technologies, and often find themselves in unfamiliar territory. Security teams can support and direct these teams by providing reference architectures addressing the use of cloud servers, cloud services, containers, and microservices with accompanying guidance on patterns for addressing security concerns such as authentication, authorization, encryption, validation, and encoding.
  • Streamline threat modeling practices – Traditional threat modeling techniques quickly become unwieldy in architectures making extensive use of microservices, cloud services, and other modern architectural components. Monolithic threat models are time-consuming to develop and do not properly characterize the risks that are relevant to modern architectural models. Security teams can restore the relevance of threat modeling in modern environments by providing templates for common architectural patterns with ready-made risk mitigation recommendations.
  • Help development teams build CI/CD pipelines with security baked in – CI/CD pipelines are an integral aspect of the adoption of DevOps and the associated toolsets. Security teams can provide mutual benefit by working with developers to craft pipelines that have security baked in as a fundamental concern. By deconstructing the final running systems and distilling the security requirements for each layer, security representatives can help furnish development teams with the secure building blocks required to deploy resilient systems.
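The last point, "distilling the security requirements for each layer", is easiest to see as an actual pipeline. The workflow below is an added example and is not code from the original post, from Denim Group, or from ThreadFix: it is a GitHub Actions workflow that places one blocking security gate at each layer of the running system (source, dependencies, container image, cloud infrastructure). The tool choices (gitleaks, npm audit, Trivy, Checkov), the image name `example-service`, the `infra/` directory and the assumption that these tools are already installed on the runner image are all assumptions; substitute whatever the organization has standardized on.

```yaml
# Added example, not from the original post. Assumes a Node.js service with a Dockerfile,
# Terraform under infra/, and a runner image that already has gitleaks, trivy and checkov
# installed. Each job is a gate for one layer; a failing scan fails the job, which stops
# the chain because every later job declares `needs:` on the one before it.
name: build-with-security-gates

on:
  pull_request:
  push:
    branches: [main]

jobs:
  source-layer:
    # Layer 1: the repository itself. Catch committed credentials before anything is built.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so secret scanning also covers past commits
      - name: Secret scan (non-zero exit on any finding)
        run: gitleaks detect --source . --exit-code 1

  dependency-layer:
    # Layer 2: third-party code. Fail on advisories rated high or critical.
    runs-on: ubuntu-latest
    needs: source-layer
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - name: Dependency audit
        run: npm audit --audit-level=high

  container-layer:
    # Layer 3: the runtime image. Scan OS packages and bundled libraries in the built artifact,
    # not just the source tree, so base-image vulnerabilities are caught too.
    runs-on: ubuntu-latest
    needs: dependency-layer
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t example-service:${{ github.sha }} .
      - name: Image vulnerability scan
        run: trivy image --exit-code 1 --severity HIGH,CRITICAL example-service:${{ github.sha }}

  infrastructure-layer:
    # Layer 4: the cloud configuration. Flag misconfigurations (public storage, open
    # security groups, unencrypted volumes) in the IaC before it is ever applied.
    runs-on: ubuntu-latest
    needs: container-layer
    steps:
      - uses: actions/checkout@v4
      - name: IaC misconfiguration scan
        run: checkov -d infra/ --quiet
```

The design point is that each gate is owned by the layer it protects and has an explicit pass/fail threshold agreed with the security team, so developers learn the requirement from the pipeline itself rather than from a quarterly scan report delivered after the fact. Thresholds (for example `--severity HIGH,CRITICAL`) are policy decisions and should be recorded alongside the workflow.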

Want to learn more about digital transformation? Click here to check out our whitepaper.

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
