More and more organizations are tackling the imperative to improve the security of their systems. Culture, people, policy, process and technology all need to work together to handle the ever-evolving landscape of threats to the systems that support those organizations and their customers. Investing in certain technical capabilities can help organizations build more secure systems and improve their ability to respond to the constant stream of security vulnerabilities in the software they create and use.
Here are three technical capabilities you should have if you want to build and maintain more secure systems.
1. You can quickly detect vulnerabilities in the code you create.
Your teams are creating code to build and maintain your systems. What are you doing to ensure the code they’re creating is secure?
One line of defense is security review of code and configuration changes in a pull request-based workflow. Team members involved in the work review each change before it is merged, checking that it follows secure coding practices and doesn't weaken an existing control. An important point with these reviews is that they're done within the team and quickly after the change is proposed, not sent outside the team with a long wait time for results.
Another line of defense is full automated security testing (FAST): static application security testing (SAST) of the source code, dynamic application security testing (DAST) against the running application, and scanning of dependencies, images and infrastructure configuration for known vulnerabilities and misconfigurations. These checks give quick, consistent signals about whether a change to the code or the configuration has introduced a known class of weakness. They don't prove the absence of vulnerabilities, which is why they complement review rather than replace it. Ideally, these automated checks run on every commit pushed to the source code repository, gate the merge, and report back in minutes that the change is clear or that there's a risk to address.
A good metric here is “lead time”: How long does it take from the time code is committed into version control until you get a signal back about potential vulnerabilities? Does that happen in minutes? Days? Weeks? Longer? The sooner, the better.
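As an added example of the kind of automated check that can give a signal in minutes, the script below is a small static analysis gate written for this article; it is not code from the original piece. It walks a Python file's AST and flags a few well-known dangerous patterns (eval/exec, subprocess with shell=True, MD5/SHA-1, yaml.load without a Loader, hard-coded credentials). The rule IDs PY001 to PY005 and the sample input file are invented for the example.

```python
"""Added example: a small static analysis gate to run on every commit.

Walks a Python file's AST and flags a handful of well-known dangerous
patterns. Rule IDs (PY001..PY005) are placeholders invented for this example.
"""
from __future__ import annotations

import ast
import re
import sys
from dataclasses import dataclass

# Assumption: variable names containing these words hold credentials.
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called expression, e.g. 'subprocess.run'; '' if not a plain name."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""  # call on a call result, subscript, etc.: not a simple dotted name
    parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword_is(node: ast.Call, name: str, value) -> bool:
    """True if the call passes keyword `name` as exactly the literal constant `value`."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is value
               for kw in node.keywords)


class DangerousPatternVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _add(self, rule: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule, node.lineno, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self._add("PY001", node, f"{name}() executes data as code")
        elif name.startswith("subprocess.") and _keyword_is(node, "shell", True):
            self._add("PY002", node, f"{name}(shell=True) invites command injection")
        elif name in ("hashlib.md5", "hashlib.sha1"):
            self._add("PY003", node, f"{name} is not collision resistant")
        elif name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            self._add("PY004", node, "yaml.load without an explicit Loader")
        self.generic_visit(node)  # keep descending: nested calls are visited too

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self._add("PY005", node, f"hard-coded credential in '{target.id}'")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse one Python file and return findings sorted by line."""
    visitor = DangerousPatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (f.line, f.rule))


def gate_exit_code(findings: list[Finding]) -> int:
    """Non-zero when anything was found, so the CI job fails the commit."""
    return 1 if findings else 0


# Constructed sample input: five deliberate problems and one safe call (yaml.safe_load).
SAMPLE_SOURCE = '''\
import hashlib, subprocess, yaml

API_TOKEN = "example-placeholder-not-a-real-token"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def digest(data):
    return hashlib.md5(data).hexdigest()

def load(text):
    return yaml.load(text)

def safe_load(text):
    return yaml.safe_load(text)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for f in found:
        print(f"sample.py:{f.line}: {f.rule} {f.message}")
    sys.exit(gate_exit_code(found))
```

Run as a CI step, the non-zero exit code is the signal the paragraph above asks for, and the lead time is the wall-clock gap between the push and that exit. The rules are intentionally narrow: a real SAST tool covers far more, and even then a clean run means only that no known pattern matched.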
2. You can quickly detect vulnerabilities in the code you consume.
Many of our systems today consist mostly of third-party libraries, components and services we consume rather than the code we create. Some studies put the share of open source code in audited codebases as high as 76%. How you manage your software supply chain becomes increasingly important the more external code you bring into your environment because those dependencies are a significant source of security risk. Just ask anyone involved in remediating the Log4Shell vulnerability disclosed in December 2021.
Effective software supply chain management includes knowing what code you’re consuming from outside your environment, where you’re using that code within your environment and what vulnerabilities are associated with that code. And because the industry is discovering new vulnerabilities all the time, we need to scan continuously—we can’t just scan once and call it good. The hot topic of discussion related to this is the software bill of materials (SBOM)—but that’s another article (or seven) in itself.
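As an added example of the three questions above (what you consume, where you use it, what is known to be wrong with it), the script below matches a pinned dependency inventory for several services against an advisory feed. It is written for this article, not taken from it: the service names, package names (example-log, httpclientx, yamlish) and advisory IDs (EXAMPLE-2024-000x) are all fictitious, and the introduced/fixed range shape is an assumption loosely modelled on how public advisory feeds describe affected versions.

```python
"""Added example: match a pinned dependency inventory against an advisory feed.

Package names and advisory IDs below are fictitious, constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: service name -> contents of its requirements file.
INVENTORY = {
    "billing-api": "Example_Log==1.3.2\nhttpclientx==2.14.0\n",
    "reporting-job": "example-log==1.4.1  # upgraded last sprint\nyamlish[cli]==0.9\n",
    "legacy-portal": "example-log>=1.0\nhttpclientx==2.13\n",
}


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str    # first affected version, inclusive
    fixed: str | None  # first fixed version, exclusive; None means no fix yet


# Constructed advisory feed; IDs and packages are placeholders, not real advisories.
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "example-log", "1.0.0", "1.4.0"),
    Advisory("EXAMPLE-2024-0002", "httpclientx", "2.0", None),
    Advisory("EXAMPLE-2024-0003", "yamlish", "0.5", "0.9"),
]


@dataclass(frozen=True)
class Match:
    service: str
    package: str
    version: str
    advisory: str
    fixed: str | None


# name, optional [extras], exact == pin; anything else is treated as unpinned.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([0-9][^\s;]*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so Example_Log, example-log and EXAMPLE.LOG compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple[int, ...]:
    """Leading dotted integers as a tuple, trailing zeros dropped (2.14.0 == 2.14).
    Pre-release and local suffixes are ignored: a simplification of real version rules."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """introduced <= version < fixed (no upper bound when there is no fix yet)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def parse_requirements(text: str) -> tuple[dict[str, str], list[str]]:
    """Return {normalized name: version} for exact pins, plus lines that are not exact pins."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN.match(line)
        if m:
            pinned[normalize_name(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_vulnerable(inventory: dict[str, str], advisories: list[Advisory]) -> list[Match]:
    """Every (service, package, version) pair that falls inside an advisory's affected range."""
    by_pkg: dict[str, list[Advisory]] = {}
    for adv in advisories:
        by_pkg.setdefault(normalize_name(adv.package), []).append(adv)
    matches = []
    for service, text in inventory.items():
        pinned, _ = parse_requirements(text)
        for pkg, ver in pinned.items():
            for adv in by_pkg.get(pkg, []):
                if is_affected(ver, adv.introduced, adv.fixed):
                    matches.append(Match(service, pkg, ver, adv.id, adv.fixed))
    return sorted(matches, key=lambda m: (m.service, m.package, m.advisory))


def unpinned_requirements(inventory: dict[str, str]) -> list[tuple[str, str]]:
    """Lines that cannot be matched because the version is not exact: scanner blind spots."""
    return [(svc, line) for svc, text in inventory.items() for line in parse_requirements(text)[1]]


if __name__ == "__main__":
    for m in find_vulnerable(INVENTORY, ADVISORIES):
        fix = f"upgrade to {m.fixed}" if m.fixed else "no fix available yet"
        print(f"{m.service}: {m.package}=={m.version} affected by {m.advisory} ({fix})")
    for svc, line in unpinned_requirements(INVENTORY):
        print(f"{svc}: cannot assess '{line}' (not an exact pin)")
```

Two things the output makes visible that the inventory alone does not: the same advisory shows up once per service that uses the package, which is the "where" question, and an unpinned requirement is reported rather than silently skipped, because a scanner can only match what it can identify. Re-running this against a refreshed feed is the continuous scanning the paragraph calls for; the first run only tells you about the advisories that existed at the time.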
A good metric here is “mean time to remediate” (MTTR): How long does it take from the time a vulnerability is identified until it’s remediated? High-performing technology teams can often do this in hours or days.
3. You can make changes to your systems quickly and safely.
It’s one thing to know what changes you need to make to your systems to improve security and another thing entirely to make those changes—especially quickly and safely. Imagine you discover a new vulnerability in a third-party component you’re using, you’ve identified where you’re using that component and there’s a new version available with a fix. How long would it take you to push out the new version to the places it’s needed?
The foundation for the ability to make changes to your systems quickly and safely is a robust continuous integration/continuous delivery (CI/CD) pipeline. The CI/CD pipeline includes the automation needed to build, test and deploy the system with its code, configuration, components and infrastructure. Because the CI/CD pipeline performs these tasks using automation rather than manual effort, it helps everything run consistently, quickly and efficiently.
A good metric here is “lead time for changes”: How long does it take from the time a change is made to when that change is running in production? If you have a robust CI/CD pipeline, it might only take minutes or hours.
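The three metrics proposed above (lead time to a vulnerability signal, mean time to remediate, and lead time for changes) are only useful if something actually computes them. As an added example, not part of the original article, the script below derives all three from a constructed event log. The event names (commit, scan_signal, deployed), change IDs, vulnerability IDs and timestamps are invented for the example; the percentile is nearest-rank, and the hour buckets are an assumed reading of the article's "minutes, hours, days, weeks" scale.

```python
"""Added example: compute the three metrics from constructed event records."""
from __future__ import annotations

import math
from datetime import datetime
from statistics import mean, median

# Constructed sample events: (event, change_id, ISO-8601 timestamp). IDs are placeholders.
EVENTS = [
    ("commit",      "chg-1", "2024-03-04T09:00:00"),
    ("scan_signal", "chg-1", "2024-03-04T09:06:00"),  # 6 min to signal
    ("deployed",    "chg-1", "2024-03-04T11:30:00"),  # 2.5 h from commit to production
    ("commit",      "chg-2", "2024-03-04T13:00:00"),
    ("scan_signal", "chg-2", "2024-03-05T15:00:00"),  # 26 h: a nightly scan, not per-commit
    ("deployed",    "chg-2", "2024-03-08T13:00:00"),  # 96 h
    ("commit",      "chg-3", "2024-03-06T10:00:00"),
    ("scan_signal", "chg-3", "2024-03-06T10:12:00"),  # 12 min; chg-3 is not deployed yet
    ("commit",      "chg-4", "2024-03-07T08:00:00"),  # chg-4 never got a scan signal at all
    ("deployed",    "chg-4", "2024-03-07T09:00:00"),  # 1 h
]

# Constructed vulnerability records: (vuln_id, identified, remediated or None if still open).
VULNS = [
    ("VULN-A", "2024-03-01T08:00:00", "2024-03-01T20:00:00"),  # 12 h
    ("VULN-B", "2024-03-02T08:00:00", "2024-03-05T08:00:00"),  # 72 h
    ("VULN-C", "2024-03-06T08:00:00", None),                   # open
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def durations_between(events, start_event: str, end_event: str):
    """Hours from start_event to end_event per change ID.
    Returns (hours by ID, IDs that have a start but no end yet)."""
    starts, ends = {}, {}
    for name, cid, ts in events:
        if name == start_event:
            starts[cid] = _ts(ts)
        elif name == end_event:
            ends[cid] = _ts(ts)
    hours = {cid: (ends[cid] - starts[cid]).total_seconds() / 3600
             for cid in starts if cid in ends}
    missing = sorted(cid for cid in starts if cid not in ends)
    return hours, missing


def remediation_hours(vulns):
    """Hours from identification to remediation per vulnerability, plus the still-open IDs."""
    hours = {vid: (_ts(done) - _ts(found)).total_seconds() / 3600
             for vid, found, done in vulns if done}
    still_open = sorted(vid for vid, _, done in vulns if not done)
    return hours, still_open


def bucket(hours: float) -> str:
    """Map a duration onto the article's minutes/hours/days/weeks scale (assumed thresholds)."""
    if hours < 1:
        return "minutes"
    if hours < 24:
        return "hours"
    if hours < 24 * 7:
        return "days"
    return "weeks or longer"


def summarize(hours: dict[str, float]) -> dict:
    """Count, mean, median and nearest-rank p90 in hours; None values when there is no data."""
    vals = sorted(hours.values())
    if not vals:
        return {"n": 0, "mean_h": None, "median_h": None, "p90_h": None}
    p90 = vals[math.ceil(0.9 * len(vals)) - 1]
    return {"n": len(vals), "mean_h": mean(vals), "median_h": median(vals), "p90_h": p90}


def report(events=EVENTS, vulns=VULNS) -> dict:
    """All three metrics, each with the items that could not be measured listed beside it."""
    signal, no_signal = durations_between(events, "commit", "scan_signal")
    deploy, not_deployed = durations_between(events, "commit", "deployed")
    fixed, still_open = remediation_hours(vulns)
    return {
        "lead_time_to_signal": {**summarize(signal), "commits_without_signal": no_signal},
        "mean_time_to_remediate": {**summarize(fixed), "still_open": still_open},
        "lead_time_for_changes": {**summarize(deploy), "not_yet_deployed": not_deployed},
    }


if __name__ == "__main__":
    for name, stats in report().items():
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in stats.items()})
```

The unmeasurable cases are reported on purpose: a commit with no scan signal at all is a bigger problem than a slow one, and an open vulnerability is invisible to MTTR until it is closed, so a team that only looks at the averages can look better than it is. The p90 is there because the median hides the nightly-scan case (chg-2) that the team would actually want to fix.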
Here are a couple of final thoughts:
First, you might be wondering where to start or what to invest in. You likely have many good and reasonable choices. Implementing more automated testing or SBOMs? Enhancing your CI/CD pipeline? Improving your peer reviews? A little of everything? Instead of trying to make the “right” decision out of the gate, it’s more important to start your journey to “better” and adjust along the way. So, don’t delay getting value from improvement and just start somewhere.
Second, we don’t know where or when the next security vulnerability affecting our systems will emerge. But if the last few years have taught us anything, we do know more security vulnerabilities are coming—and likely at an increasing pace. Investing in these technical capabilities will help prepare us for when they do emerge and enable us to respond quickly, effectively and safely to protect our systems and those who depend on them.
First published on Forbes.com.