In the 2020s, security can no longer be an afterthought. It has to be an encompassing concern of every organization, and every employee has to be part of it. "Security" used to mean physical security, secure coding, hardware security, anti-virus definitions and the like. "Product security" is the new kid on the block: organizations are recognizing that the products they ship must themselves be secure for the business to have a good security posture. This brief article gives you insights into prioritizing product security with DevSecOps.
What is Product security, though?
For a long time, software lived only on laptops and desktops and was invisible anywhere else. In the last 10 years, though, software has spread into every corner of our lives: it runs in microwave ovens, pacemakers, washing machines, elevators and more.
With so many products relying on software for efficient, smooth and better functioning, security becomes an obvious concern. In this digitized and connected world, the security of a product can be breached in innumerable ways; terrifying examples include pacemakers being modified remotely and washing machines being remotely reprogrammed to perform malicious tasks.
This is why the security of products has gained such importance, why the field of "Product Security" was born, and why new roles and responsibilities such as "Chief Product Security Officer" have appeared.
Having said so much about product security, we come to the final question: how can it be achieved? As with other security measures, the security of a product cannot be bolted on at the last minute or at the last stage. It has to be built in from the design stage and carried through development, delivery, deployment and monitoring.
Let us now see what is meant by DevSecOps and how these two important concepts converge.
DevSecOps for product security
DevSecOps, as the name says, is development, security and operations. It means integrating security at every stage of the software development life cycle (SDLC) rather than only at the end. The "shift left" approach, as the term is used in DevSecOps, means that security work moves to the earliest stages of the SDLC, starting with design. The term DevSecOps is commonly credited to John Willis and Damon Edwards, early figures in the DevOps movement, which took shape in 2009.
Since DevSecOps emphasizes building security in from the initial stages, a successful product security strategy means integrating with the DevSecOps team as well. That integration can be completed by following these steps:
- Imbibing a security culture across every part of the organization.
- Integrating security across the SDLC: threat modeling, mitigating the vulnerabilities it uncovers, and automated scanning to ensure a secure product.
- Once product security has been implemented, regularly monitoring the product so that no new vulnerabilities creep in: a dependency that was clean at release can be hit by an advisory published later.
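The two automated parts of the steps above, scanning on every change and monitoring for newly published advisories, are the same check run at different times. The script below is an added example, not code from this article or from any vendor scanner: a small dependency-vulnerability gate for a CI job. The advisory feed, package names and advisory IDs are constructed for illustration; a real pipeline would pull advisories from a public database such as OSV or the GitHub Advisory Database, run the gate on every merge request, and run it again on a schedule so that an advisory published after release fails the next run even though the code did not change.

```python
"""Dependency-vulnerability gate for a CI pipeline (added example).

Not code from the article or from any vendor tool. The advisory feed and the
requirements file are constructed for illustration. Pre-release tags
(rc, beta) are not handled; version strings are compared numerically.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version, inclusive
    fixed: str        # first fixed version, exclusive upper bound
    advisory_id: str


def normalize_name(name):
    # PEP 503 style normalisation so "Other_Lib" and "other-lib" match.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    # "1.4.0" and "1.4" must compare equal, so trailing zeros are dropped.
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Return ({normalised name: pinned version}, [unpinned lines])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9_.\-]*)==([0-9][0-9.]*)", line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
        else:
            # Anything not pinned with "==" cannot be scanned reliably and
            # is not reproducible, so the gate reports it instead of guessing.
            unpinned.append(line)
    return pins, unpinned


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(pins, advisories):
    findings = []
    for adv in advisories:
        name = normalize_name(adv.package)
        ver = pins.get(name)
        if ver is not None and is_affected(ver, adv):
            findings.append((name, ver, adv.advisory_id, adv.fixed))
    return sorted(findings)


def gate(requirements_text, advisories):
    """Return (exit_code, report). A non-zero exit code fails the CI job."""
    pins, unpinned = parse_requirements(requirements_text)
    report = [f"unpinned requirement, pin with ==: {line}" for line in unpinned]
    for pkg, ver, aid, fixed in find_vulnerable(pins, advisories):
        report.append(f"{pkg}=={ver}: {aid}, upgrade to >= {fixed}")
    return (1 if report else 0), report


# Constructed advisory feed and manifest; the names and IDs are invented.
ADVISORIES = [
    Advisory("examplelib", "2.0.0", "2.3.1", "EXAMPLE-2020-0001"),
    Advisory("Other_Lib", "1.0", "1.4", "EXAMPLE-2020-0002"),
]
REQUIREMENTS = """\
examplelib==2.2.0      # inside the vulnerable range
other-lib==1.4.0       # exactly the fixed version, so not affected
third-lib==0.9         # no advisory
loose-lib>=3.0         # unpinned, reported
"""

if __name__ == "__main__":
    import sys
    code, lines = gate(REQUIREMENTS, ADVISORIES)
    print("\n".join(lines) or "no findings")
    sys.exit(code)
```

Wired into a pipeline, the job's exit status is what blocks the merge; the boundary case in the constructed manifest (other-lib pinned to exactly the fixed version) is the one that naive string comparison gets wrong, and the unpinned entry is reported because a range such as `>=3.0` can resolve to a vulnerable version tomorrow even if it does not today.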
We have seen how product security can be enhanced by integrating DevSecOps practices. Join us as we uncover more topics in the DevSecOps domain!
References:
- https://www.securitymagazine.com/articles/95344-when-product-security-and-cybersecurity-converge-a-csos-perspective-on-how-security-organizations-can-thrive
- https://devops.com/prioritizing-product-security-with-devsecops/