1.1 Introduction
What we didnât realize while we were drafting Core Software Security: Security at the Source* was that we were on the cusp of a confluence of a host of software development shifts. At the time, what we dealt with seemed, perhaps, to be disparate threads. But these were, in fact, highly interdependent and interacting strands that would transform software development. It is in the face of this that weâve decided to write another software security book.
We understand that there exist a multitude of software security books. In fact, there are many very good ones. Including our own more recent publications, there are books devoted to each and every aspect of secure developmentâfrom designing secure software through the testing of it. There are books about the management of software security programs, to be sure. But none of these bring these pieces together into that necessary synthesis that deals with software practices of today and, at the same time, represents a dynamic union of technical, cultural, organizational, and managerial skills.
Trust us, software security requires all of its aspects to be individually successful; however, the aspects arenât independent, but rather are highly interdependent and interactive. Software security is a collection of intersecting, mutually supportive activities, while it also requires cultural change, process, and organizational muscle to succeed in todayâs heterogeneous environments.
Besides, weâve learned a lot in the intervening years about how to build continuous software security programs based upon and natively integrating with Agile methods. This includes the way that these programs are managed, as well as how to build a security development lifecycle (SDL) that doesnât interfere with how people are actually creating and then fielding software. Our aim is for security to be foundational to software creation, as well as for security practices (the SDL) to be a part of the warp and weft of software development.
As Brookâs Developer-centric Security Manifesto states:
⢠Enable development teams to be creative and to innovate
⢠Ensure that developers have as much specificity as required to âdeliver security correctlyâ
____________
* Ransome, J. and Misra, A. (2014). Core Software Security: Security at the Source. Boca Raton (FL): CRC Press/Taylor & Francis Group.
⢠Build tools for developers to check for correctness
⢠Deeply participate such that security earns its ârightful placeâ
⢠âProve the valueâ of security processes and tools*
The authors are hardly alone among security practitioners focused on working with and empowering development versus imposing security on top of it. At the time of this writing, in talking with our peers, we believe that we still belong to a minority. Enabling development to take charge of security through the support and specialized knowledge of security folks unfortunately remains an emergent practice, rather than the norm.
Many of the tectonic shifts that weâve seen in the years since writing Core Software Security were already underway. However, none of these shifts had profoundly changed the way that much of software was built. Although some development teams might adopt Agile software practices in order to improve their process, few large organizations were in the process of adopting Agile as an organization-wide standard. It is true that smaller organizations, especially startups, might be fully Agile; however, much of this was seen in the software development world as âboutique.â
Continuous integration and continuous delivery (CI/CD) and DevOps were approaches that some cloud native teams were discovering while other teams, focused on other types of targets, were looking on in amazement and wonder at the boost in productivity these enabled. But it wasnât obvious then how these technologies and approaches might be applied in other contexts and toward other software targets.
As Agile became more and more prevalent, or was just in the process of organization-wide adoption, software security practitioners began to take notice. Indeed, during the drafting of Core Software Security, two of the authors were engaged in an organizational shift to Agile Scrum. It should be no surprise that Agile and iterative development, in general, deserved some focus in the book. In hindsight, we now believe that the software security program that James and Brook were leading at the time produced one of the industryâs first fully Agile SDLs.
Still, much of the software security industry continued building SDLs aligned with Waterfall development methods. The prevalent published SDLs at the time were all linear, conceived in phases, assuming first idea, then requirements, then coding, and followed by testing and other verification, which, if passed, signaled willingness to release. These âphasesâ follow each other in an orderly fashion, the next not starting until the first has been completed fully. (As we shall see, this tendency towards linearity that does not match how software is actually built continues to plague software security practice.) But thatâs not how software is built today.
All of the software development practices that we now think of as ânormalâ and âtypicalâ were emerging when Core Software Security was published. At that time, many of these were considered by large organizations as âonly for special circumstances or small efforts.â Today, we only find Waterfall development confined to particular contexts to which it is well suited: where coding and compilation are expensive and where design misses can be catastrophic (e.g., firmware). Some form of Agile, whether Scrum or another iterative method, has become widespread in organizations large and small, new and old. CI/CD and DevOps methods are also in wide use, even in organizations or contexts that have little to do with cloud development (where these approaches got started). DevOps is a worldwide movement.
Public cloud use is normal for at least some types of applications and data. Although some organizations do maintain private clouds for particular needs, such as compliance or control, those same organizations also use public clouds. Public cloud use is not at all unusual any longer, but rather expected. Long since, most security practitioners have stopped worrying about whether âdata are safe in the cloud,â and, rather, focus on what data are in the cloud and how will they be secured. Thatâs because just about everybodyâs data are in a cloud, probably many clouds. Itâs no longer a matter of âifâ or âwhetherâ but rather âwhereâ and âhow to secure.â
____________
* First published at http://brookschoenfield.com/?page_id=256; republished in Schoenfield, B. (2019). Secrets of a Cyber Security Architect. Boca Raton (FL): Auerbach Publications/Taylor & Francis Group, p. 177.
Software development has been seeking its new ânormalâ for some time. We believe that security must meet and enable that ânormalâ if we are to stop the seemingly never-ending release of software issues that plague our digital lives. Each of the authors has field-tested the advice and techniques laid out hereâboth together and individually. We have seen fairly significant improvements unfold through our efforts. Still, taken as a whole, the software industry continues to stumble through issue after issue, allowing compromise after compromise. We know that we can do better. The transformation wonât be easy; it will take concerted effort, focused on that which developers can and will do, coupled with significant organizational support, including security and a somewhat shifted security mindset.
1.2 Current Events
Over the last 10 years or so,* there has been a profound and revolutionary shift in the way that software is produced, employed, and maintained: This paradigm shift has come to be known as âDevOpsââthat is, âdevelopment plus (and through) operationsâ united into as seamless and holistic a practice as can be fostered by those involved.
At the same time, a platform for running code and storing data has maturedâthat is, âthe cloudâ: public, private, and hybrid. Code still runs on a personâs device, be that a phone, a tablet, a laptop, or desktop computer (all of which are still sold and used). But, increasingly, many of the functions that used to stand alone on a device are in some way, and typically, many ways, tied to services and functionality that runs within a cloud, quite often, a public, commercial cloud offering. There are many compelling reasons to structure (architect) functionality in this way, among them_
⢠On-demand server workloads (expansion and contraction of compute resources based upon need)
⢠Ease of operating, maintaining, and updating cloud software
⢠Maturity of cloud services (allowing operators to delegate some portion of maintenance duties to the cloud provider, including maintenance for security)
⢠Availability and stability
⢠Global distribution
⢠Continuity requirements
⢠High resource computation needs (e.g., artificial intelligence and machine learning)
⢠Larger data sets and their manipulation
⢠Minimizing compute resources needed from devices (often using battery power)
There are computer tasks that are handled much better in a cloud than on a constrained device. The nearly âalways connectedâ state of most devices fosters an architecture that can take advantage of the characteristics of each environment while, at the same time, enabling sufficient inter-environment communications to make cloud service integration seem nearly seamless.
In short, the paradigms for producing and operating software, as well as the way that functionality is architected, have been through fairly profound sea changes such that if security is going to be built and then run effectively, security techniques, tools, and operations must match, and, in fact, integrate easily, fully, and relatively painlessly with the ways that software is currently built and run (and on into the foreseeable future, if current trends continue).
____________
* Patrick Debois is credited with coining the term âDevOpsâ in 2009 for a conference, DevOpsDays. Kim, G., Humble, J., Debois, P., and Willis, J. (2016). The DevOps Handbook. Portland (OR): IT Revo...