
August 07, 2023

The Top Three Technical Capabilities You Need To Build And Maintain More Secure Systems


Written by

Jeff Gallimore

Chief Technology and Innovation Officer

More and more organizations are tackling the imperative to improve the security of their systems. Culture, people, policy, process and technology all need to work together to handle the ever-evolving landscape of threats to the systems that support those organizations and their customers. Investing in certain technical capabilities can help organizations build more secure systems and improve their ability to respond to the constant stream of security vulnerabilities in the software they create and use.

Here are three technical capabilities you should have if you want to build and maintain more secure systems.

1. You can quickly detect vulnerabilities in the code you create.

Your teams are creating code to build and maintain your systems. What are you doing to ensure the code they’re creating is secure?

One line of defense is performing security reviews of code and configuration changes in a pull request-based workflow. Team members involved in the work review a change soon after it’s made to verify the use of secure coding practices. An important point with these reviews is that they’re done within the team and quickly after the change—not sent outside the team with a long wait time for results.

Another line of defense is performing full automated security testing (FAST), which includes static code analysis, dynamic code analysis and vulnerability scanning. These practices provide quick and consistent signals that you haven’t inadvertently introduced any vulnerabilities into your systems with changes you’ve made to the code or the configuration. Ideally, these automated checks run after each change committed to the source code repository and provide feedback in minutes that everything is all good or that there’s a risk to address.

A good metric here is “lead time”: How long does it take from the time code is committed into version control until you get a signal back about potential vulnerabilities? Does that happen in minutes? Days? Weeks? Longer? The sooner, the better.

2. You can quickly detect vulnerabilities in the code you consume.

Many of our systems today consist mostly of third-party libraries, components and services we consume rather than the code we create. Some studies put the share of open source code in codebases as high as 76%. How you manage your software supply chain becomes increasingly important the more external code you bring into your environment, because those dependencies are a significant source of security risk. Just ask anyone involved in remediating the Log4Shell vulnerability discovered in December 2021.

Effective software supply chain management includes knowing what code you’re consuming from outside your environment, where you’re using that code within your environment and what vulnerabilities are associated with that code. And because the industry is discovering new vulnerabilities all the time, we need to scan continuously—we can’t just scan once and call it good. The hot topic of discussion related to this is the software bill of materials (SBOM)—but that’s another article (or seven) in itself.

A good metric here is “mean time to remediate” (MTTR): How long does it take from the time a vulnerability is identified until it’s remediated? High-performing technology teams can often do this in hours or days.
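The three questions this section poses (what external code we consume, where we run it, and which known vulnerabilities apply) fit together as a join between a dependency inventory and a vulnerability feed. The following is an added example, not code from the article or its author: a small Python script that performs that join over a constructed inventory and a constructed advisory feed, orders the result by severity so remediation can start with the worst exposure, and then computes the section's MTTR metric from constructed finding records. The component names, advisory ids (`ADV-EXAMPLE-*`), versions and timestamps are all made up for illustration; the version comparison is deliberately simple and is not a full semantic-versioning implementation.

```python
"""Added example (not from the article): join a dependency inventory against
a vulnerability feed to find where remediation is needed, then compute mean
time to remediate. Every name, id and timestamp below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed inventory: one row per (deployment, component, version), the
# kind of data an SBOM generated for each build would provide.
INVENTORY = [
    {"deployment": "payments-api", "component": "example-logging-lib", "version": "2.14.1"},
    {"deployment": "payments-api", "component": "example-json-parser", "version": "2.15.2"},
    {"deployment": "reporting-batch", "component": "example-logging-lib", "version": "2.17.1"},
    {"deployment": "web-frontend", "component": "example-util-js", "version": "4.17.20"},
]

# Constructed vulnerability feed (placeholder ids, not real advisories).
# A component is affected when its version is strictly below "fixed_in".
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-logging-lib", "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-util-js", "fixed_in": "4.17.21", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-json-parser", "fixed_in": "2.15.3", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.14.1' into a tuple of ints.
    Only the leading digits of each piece count ('9-rc1' -> 9); this is
    enough for the example but is not full semantic-versioning."""
    parts = []
    for piece in version.split("."):
        number = ""
        for ch in piece:
            if not ch.isdigit():
                break
            number += ch
        parts.append(int(number) if number else 0)
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True when `version` is below the advisory's fixed_in version.
    Both tuples are padded so '2.17' and '2.17.0' compare as equal."""
    have, fixed = parse_version(version), parse_version(advisory["fixed_in"])
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed


def find_exposures(inventory, advisories):
    """Join inventory against the feed: one row per deployment running an
    affected component version, highest severity first."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)
    exposures = []
    for item in inventory:
        for adv in by_component.get(item["component"], []):
            if is_affected(item["version"], adv):
                exposures.append({
                    "deployment": item["deployment"],
                    "component": item["component"],
                    "version": item["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    exposures.sort(key=lambda e: (SEVERITY_RANK[e["severity"]], e["deployment"]))
    return exposures


@dataclass
class Finding:
    """One vulnerability-in-deployment record, from identification to fix."""
    advisory: str
    deployment: str
    identified: datetime
    remediated: Optional[datetime]  # None while the finding is still open


# Constructed remediation history used for the MTTR metric.
FINDINGS = [
    Finding("ADV-EXAMPLE-0001", "payments-api", datetime(2023, 8, 1, 9, 0), datetime(2023, 8, 1, 15, 0)),
    Finding("ADV-EXAMPLE-0002", "web-frontend", datetime(2023, 8, 1, 9, 0), datetime(2023, 8, 2, 9, 0)),
    Finding("ADV-EXAMPLE-0003", "payments-api", datetime(2023, 8, 3, 10, 0), None),
]


def mean_time_to_remediate_hours(findings) -> float:
    """MTTR over closed findings only; open findings are counted separately."""
    closed = [f for f in findings if f.remediated is not None]
    return mean((f.remediated - f.identified).total_seconds() / 3600 for f in closed)


if __name__ == "__main__":
    for e in find_exposures(INVENTORY, ADVISORIES):
        print(f"{e['severity']:8} {e['deployment']:16} {e['component']} "
              f"{e['version']} -> upgrade to {e['fixed_in']} ({e['advisory']})")
    still_open = sum(1 for f in FINDINGS if f.remediated is None)
    print(f"MTTR: {mean_time_to_remediate_hours(FINDINGS):.1f} h, open findings: {still_open}")
```

Running the script lists three exposures (the `reporting-batch` deployment is already on the fixed version and is not reported) and an MTTR of 15 hours over the two closed findings. The continuous-scanning point from the text maps directly onto this structure: the inventory changes with every build and the feed changes with every new advisory, so the join has to be re-run whenever either side changes, not once.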

3. You can make changes to your systems quickly and safely.

It’s one thing to know what changes you need to make to your systems to improve security and another thing entirely to make those changes—especially quickly and safely. Imagine you discover a new vulnerability in a third-party component you’re using, you’ve identified where you’re using that component and there’s a new version available with a fix. How long would it take you to push out the new version to the places it’s needed?

The foundation for the ability to make changes to your systems quickly and safely is a robust continuous integration/continuous delivery (CI/CD) pipeline. The CI/CD pipeline includes the automation needed to build, test and deploy the system with its code, configuration, components and infrastructure. Because the CI/CD pipeline performs these tasks using automation rather than manual effort, it helps everything run consistently, quickly and efficiently.

A good metric here is “lead time for changes”: How long does it take from the time a change is made to when that change is running in production? If you have a robust CI/CD pipeline, it might only take minutes or hours.

Here are a couple of final thoughts:

First, you might be wondering where to start or what to invest in. You likely have many good and reasonable choices. Implementing more automated testing or SBOMs? Enhancing your CI/CD pipeline? Improving your peer reviews? A little of everything? Instead of trying to make the “right” decision out of the gate, it’s more important to start your journey to “better” and adjust along the way. So, don’t delay getting value from improvement and just start somewhere.

Second, we don’t know where or when the next security vulnerability affecting our systems will emerge. But if the last few years have taught us anything, we do know more security vulnerabilities are coming—and likely at an increasing pace. Investing in these technical capabilities will help prepare us for when they do emerge and enable us to respond quickly, effectively and safely to protect our systems and those who depend on them.

 

First published on Forbes.com.

Jeff is the CTIO and Co-founder at Excella. He currently leads the team building the firm’s capabilities, leading its innovation activities, and managing its go-to-market offerings. Jeff is also an agilist at heart, always looking for opportunities to learn and improve for himself and to help the people and organizations with whom he works. He’s also active in the DevOps community as a writer, speaker, co-chair of DevOpsDays DC, and advisor to IT Revolution. Regardless of the role, Jeff keeps a passion for technology and how it can be used to help organizations win in the marketplace and help people find joy in their work. 
