Top security-by-design frameworks
Following a security-by-design framework, or designing one specific to your company, is key to embedding security into every step of the software development lifecycle.
It's more important than ever to embed security into the software development lifecycle, especially with the ever-growing threat landscape and its increasing volume of breaches and compromises. Security by design can help facilitate the process.
Why security by design is important
Security is often seen as a production inhibitor and cost creator, preventing developers from meeting deadlines and causing them to overspend budgets. The purpose of building security into the SDLC is twofold. It creates an integrated and continuous security workflow throughout the SDLC, while, at the same time, reducing user and adoption friction.
Security by design also helps organizations address the following:
- Organizational challenges. Due to the cybersecurity talent shortage and employee churn, security teams often don't have enough manpower or time to continually check development and testing teams' security postures.
- Fast-changing regulatory environments. Governments and local authorities have enacted data security regulations -- for example, GDPR -- with stiff fines for noncompliance. Legal teams typically notify development teams about regulations that apply to them. Development teams are then responsible for integrating those regulations. This can often lead to friction and misinterpretation.
- Continuous integration/continuous delivery (CI/CD). CI/CD principles are commonplace in most organizations. With the advent of the cloud, anything as a service and API integrations, production velocity has skyrocketed. Keeping the security team's work in step with development without creating bottlenecks is challenging, and failing to do so creates roadblocks and friction.
Top security-by-design frameworks
Adopting a security-by-design framework is key to providing a strong and scalable approach to building security controls into every stage of the SDLC. The following are the top security-by-design frameworks.
NIST SP 800-160
NIST published Special Publication 800-160 to provide a guideline for building trustworthy and secure systems. The document helps businesses rethink their investment in the requirements, architecture, design and development of systems, components, applications and networks.
This is not a blueprint for implementation, but rather, as the introduction states, "a catalog or handbook for achieving the identified security outcomes of a systems engineering perspective on system life cycle processes -- leaving it to the experience and expertise of the engineering organization to determine what is correct for its purpose."
The contextualization and adaptation to an organization's security risk tolerance, expertise and budget are the onus of the security team.
AWS Security by Design framework
While the AWS Security by Design framework is focused on AWS workloads, its principles can be applied to any cloud or noncloud workload, regardless of platform.
The framework includes four main steps:
- Understand the requirements of the organization, outline its policies and map them against the controls available in the environment.
- Build a secure environment that fits the organization's requirements. Implement the environment using available and new capabilities.
- Enforce the use of templates -- files that declare security rules and resources used -- to ensure security is adhered to across all environments.
- Perform periodic validations to ensure adherence to security rules and prepare for audit activities.
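The third and fourth steps above (templates that declare security rules and resources, and periodic validation against those rules) are the ones that translate directly into code. The following is an added example written for this article, not code from AWS or from the framework itself: a small pre-deployment policy check that scans infrastructure templates, modelled here as Python dicts shaped like a CloudFormation `Resources` map, for two common weak settings. The resource type names (`AWS::S3::Bucket`, `AWS::EC2::SecurityGroup`) are real CloudFormation types; the rule set, the rule names and both sample templates are constructed for the example. A check like this can run in a CI pipeline at every change and again on a schedule, which is the "periodic validation" the framework calls for.

```python
# Added example (not from the article or AWS). Resource type names follow
# CloudFormation; the rules, rule names and sample templates are constructed.
from typing import Dict, List

Finding = Dict[str, str]

# Administrative ports that should never be reachable from any internet address.
ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _finding(resource: str, rule: str, detail: str) -> Finding:
    return {"resource": resource, "rule": rule, "detail": detail}


def check_s3_bucket(name: str, props: dict) -> List[Finding]:
    """AWS::S3::Bucket: require encryption at rest and all public-access blocks."""
    findings: List[Finding] = []
    if "BucketEncryption" not in props:
        findings.append(_finding(name, "s3-encryption-at-rest",
                                 "no BucketEncryption configured"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in required):
        findings.append(_finding(name, "s3-block-public-access",
                                 "not every public-access-block flag is true"))
    return findings


def check_security_group(name: str, props: dict) -> List[Finding]:
    """AWS::EC2::SecurityGroup: no all-traffic or admin-port rules open to the world."""
    findings: List[Finding] = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANYWHERE:
            continue  # rule is scoped to a specific range; not in scope here
        if str(rule.get("IpProtocol")) == "-1":
            findings.append(_finding(name, "sg-open-all-traffic",
                                     f"all protocols allowed from {cidr}"))
            continue
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(_finding(name, "sg-admin-port-open",
                                     f"ports {exposed} allowed from {cidr}"))
    return findings


# Map each resource type to the rule function that applies to it.
CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
}


def validate_template(template: dict) -> List[Finding]:
    """Run every applicable rule over the template's Resources map."""
    findings: List[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


# Constructed sample templates: the weak version and its corrected counterpart.
WEAK_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "constructed example",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    }
}

HARDENED_TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "constructed example",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "10.0.0.0/8"},  # internal range only
                ],
            },
        },
    }
}


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, validate_template(tpl))
```

Each finding names the resource and the rule it broke, so the output can be attached to a change request or fed to a ticketing system, which is what makes the periodic validation step auditable rather than a one-off review. The weak template produces three findings (missing encryption, public access not blocked, SSH open to the internet); the hardened one produces none.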
SABSA framework
Sherwood Applied Business Security Architecture, or SABSA, is a business-driven enterprise security architecture framework. It approaches security in layers and consists of six architectural layers:
- contextual security architecture
- conceptual security architecture
- logical security architecture
- physical security architecture
- component security architecture
- security service management architecture
COBIT
Control Objectives for Information and Related Technologies, or COBIT, is a framework from ISACA. It has five primary principles that tie business support, alignment and process optimization together:
- meeting stakeholder needs
- covering the enterprise end to end
- applying a single integrated framework
- enabling a holistic approach
- separating governance from management
5 components of a security-by-design framework
The underlying components to achieve and maintain security by design are consistent across frameworks. These include the following:
- Define business goals, timelines and priorities.
- Enumerate business attributes for the above goals. These may include, for example, customer privacy, data accuracy, customer data ownership and customer satisfaction.
- Identify risks that could affect those attributes. For example, ransomware could affect privacy, or data corruption could affect accuracy and downtime.
- Use security controls and risk mitigation. For example, encrypt data, have cyber insurance, conduct availability testing and so on.
- Integrate programs and processes to continuously evaluate and update the framework. For example, conduct data footprint assessments, follow encryption and key management best practices, assess data hygiene periodically, perform third-party onboarding and assess impact to the risk framework.