Integrating Security in Software Development

Jellyfish

Integrating Security in Software Development

In a rapidly changing business environment, speed is the key requirement for software development. In order to respond quickly to business needs and provide software quickly, it is necessary to adopt development methods such as DevOps (close collaboration between Development and Operations teams) and Agile. In the past, DevOps and Agile were thought to be unrelated to embedded engineers engaged in software development in the manufacturing industry, but with the penetration of IoT, they can no longer be ignored.

However, what should be kept in mind is the secure development of software. In recent years, the importance of "DevSecOps," which transparently incorporates security (Sec) in the development process, has been pointed out. However, with the increasing demand for cloud-native software represented by container technology, etc., and the increasing complexity of the code base, it is not easy to implement continuous security for software.

Masato Matsuoka, Senior Product Marketing Manager of the Software Integrity Group at Synopsys Japan, the Japanese subsidiary of Synopsys, said, "Many developers understand the importance of DevSecOps, but the reality is that developers and security professionals do not work closely together.”

In order to achieve DevSecOps, it is important to adopt a "shift-left" approach. Shift-left is a concept that incorporates the security verification process, which used to be done in the back-end process, into the early stage of the development process. This is because solving security issues at an early stage will reduce rework in the later stages of development.In addition to the increasing functionality of products, shift left has become an issue to be strongly considered in the development of embedded software, which is no longer operated as a stand-alone system due to the linkage with the cloud and software update functions through the use of IoT.

Matsuoka points out, "There is a limit to the process of conducting security tests and verifying vulnerabilities just before releasing the software to the production environment, as we have done in the past.” As a result, deployment will be delayed and the entire project will be significantly delayed. This makes it impossible to meet the needs of the business world.

In order to solve these problems, it is necessary to "crush" the vulnerabilities that may be introduced during the software development lifecycle, which includes requirements definition (planning), code, build (design), and testing. In this process, the balance between "automation" and "manual" is important.

The most important tasks such as threat modeling and architectural risk analysis are done by humans,  while areas for which analysis/testing tools are already available, such as static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST), should be actively automated. Another thing to keep in mind is not to delay the Continuous Integration/Continuous Delivery (CI/CD) pipeline, which is a set of individual steps grouped together to perform continuous integration/continuous delivery. The CI/CD pipeline refers to the individual steps grouped together to perform continuous integration/continuous delivery.

"To prevent delays in the CI/CD pipeline, the security testing and development pipelines should be separated," said Matsuoka.