With modern agile development practices, such as DevOps, the time for development has been significantly reduced. So security can no longer be just a step in the process; it needs to be a continuous part of the development lifecycle, says Ayman Sayed of CA Technologies.
Many of the highly publicized recent breaches could have been avoided had the proper security testing been applied earlier in the development cycle, Sayed contends in an interview with Information Security Media Group. The cost of fixing a security defect increases significantly higher if it's found later in the cycle.
"Every business is becoming a software business, and we see the landscape for software development lifecycle evolving," Sayed says. "You will find that just a perimeter-centric approach to security is not enough. Security testing needs to be shifted left, much earlier in the cycle today ... and applied in every iteration as you are writing the software - that's where DevSecOps comes in." (See: Secure Coding: The Rise of SecDevOps)
DevSecOps enables application security testing by the developer, by the tester and all the way into pre-production - whether it is static, dynamic or software composition analysis - in a more automated fashion so that it can be repeated in every integration and iteration, Sayed says (see: Why CISOs Must Make Application Security a Priority).
In the interview (see audio link below photo), Sayed discusses:
- The state of secure software development;
- The need and relevance of DevSecOps;
- Regulatory mandates and compliance around secure coding in 2018.
Sayed is chief product officer at CA Technologies, responsible for the strategy and development of CA's portfolio of enterprise products and solutions. Before joining CA in 2015, Sayed, who has 25 years of experience in the field, served as senior vice president of the network operating systems technology group at Cisco and director of engineering at Plaintree Systems.