Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle.
They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design,when they are building code and doing verification testing, and whenthey are deploying. This includes understanding the security scanning and checks that that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment.
Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical.
But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.
Comments