Dialogue Series

How Security Engineers and App Developers Can Create An Effective Security Process

Cloud native application development continues to grow in popularity amongst the developer community, as cloud native architectures enable organizations to deliver business value faster than ever. This approach to building applications provides the freedom to innovate more rapidly and at a larger scale, but organizations also need to consider how to evolve their security processes to match.

One such organization is Zopa, the world’s first peer-to-peer lending company designed to connect potential investors with individuals seeking loans. As of 2020, Zopa is a fully-licensed bank offering an extensive suite of online services – like credit cards and fixed-term savings backed by FSCS protection – to help customers take control of their finances.

With over half a million people borrowing, saving, and investing money with Zopa across the UK, the focus on cloud native security has never been more relevant. In this episode of the DevSecTalks series, I sat down with the host, Ashley Ward, to discuss the importance of understanding security processes and tips for protecting an organization from cybersecurity vulnerabilities. In this blog post, I’ll outline the key takeaways from our episode, including how your organization can successfully partner security teams with developers to embed security into every stage of the software development lifecycle.

Security’s Involvement in the Application Development Lifecycle

First, I want to touch on just how involved my security team is in the development process to help you understand how early a partnership with developers can begin.

At application conception, my team works with developers to answer a few questions, such as “What type of data will the application handle, and will it be public or not?” This allows us to assess risks from the start and provide tips to developers before coding occurs. Then, once the application is in a more mature state, we test it to look for vulnerabilities. If everything looks okay, the application can proceed. Finally, we continuously monitor the applications in production to check whether any new vulnerabilities arise.

Now that I’ve given a high-level picture of my security team’s partnership with developers, I would like to further explain the steps we take to create a security process that benefits both teams.

5 Steps to Enable DevSecOps

  1. Define Your Goal
    As with any process creation, it is imperative that you define its purpose. Maybe you are looking to reduce moderate-to-critical vulnerabilities – or maybe you are assessing the risk of just the third-party images used in your applications. The purpose of your security processes will differ based on your end goal, so it’s important to set a clear goal for each process you put into place.

  2. Create and Define Vulnerability Thresholds
    Decide what your pipeline will block – will you block every vulnerability from moving forward to production, or just critical ones?

  3. Specify SLAs and Define the Application Owners
    When vulnerabilities arise, whether during development or in production, it’s important to define the timeline for fixing those vulnerabilities. Identifying who owns each application helps reduce the time needed to deploy a patch and move forward. This episode explores the ways you can identify the application owners, automate notifying them of vulnerabilities, and partner with them to resolve the vulnerabilities in a no-hassle (and even gamified) way.

    This leads me to my next point, because unfortunately there will not always be a fix for every application vulnerability.

  4. Build Exceptions into the Process
    Create rules for how to handle the vulnerabilities that cannot be fixed. For example, a lot of third-party images contain dependencies that don’t yet have solutions. Be sure your team has a clear idea of how you want to approach situations when there is no security fix.

  5. Provide Visibility to the Rest of the Organization
    Understanding and communicating the health of your organization’s security and how it evolves allows you to see what areas still need to be addressed. At Zopa, for example, we create dashboards and define metrics to show how application security is improving over time.
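
Steps 2 to 4 can be expressed as a single pipeline gate. The sketch below is an added example, not Zopa's own tooling: the severity threshold, SLA days, owner map, exception format, finding fields and sample findings are all assumed or constructed for illustration. It blocks on findings at or above the threshold, honours an exception only while it is unexpired and no fix exists, and attaches an owner and SLA due date to every finding.

```python
from datetime import date, timedelta

# All policy values below are assumed for illustration.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = "high"                                                 # step 2
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # step 3
OWNERS = {"payments-api": "team-payments"}                        # step 3 (hypothetical)
EXCEPTIONS = [                                                    # step 4
    {"id": "VULN-0002", "image": "payments-api",
     "reason": "no upstream fix", "expires": date(2024, 6, 30)},
]

def is_excepted(finding, today):
    """An exception applies only while unexpired and while no fix exists."""
    if finding.get("fix_available"):
        return False
    return any(e["id"] == finding["id"] and e["image"] == finding["image"]
               and today <= e["expires"] for e in EXCEPTIONS)

def evaluate(findings, today):
    """Return (blocked, report) for one image scan."""
    blocked, report = False, []
    for f in findings:
        sev = f["severity"].lower()
        if sev not in RANK:          # unknown severity fails closed
            sev = "critical"
        status = "track"
        if RANK[sev] >= RANK[BLOCK_AT]:
            status = "excepted" if is_excepted(f, today) else "block"
        blocked = blocked or status == "block"
        report.append({
            "id": f["id"], "status": status,
            "owner": OWNERS.get(f["image"], "unassigned"),
            "due": f["first_seen"] + timedelta(days=SLA_DAYS[sev]),
        })
    return blocked, report

# Constructed sample scan output (not real findings).
SAMPLE = [
    {"id": "VULN-0001", "image": "payments-api", "severity": "Critical",
     "fix_available": True, "first_seen": date(2024, 5, 1)},
    {"id": "VULN-0002", "image": "payments-api", "severity": "high",
     "fix_available": False, "first_seen": date(2024, 4, 1)},
    {"id": "VULN-0003", "image": "batch-worker", "severity": "low",
     "fix_available": False, "first_seen": date(2024, 5, 1)},
]

if __name__ == "__main__":
    blocked, report = evaluate(SAMPLE, today=date(2024, 5, 10))
    for row in report:
        print(row)
    raise SystemExit(1 if blocked else 0)
```

The `report` rows are the raw material for the dashboards in step 5: status, owner and due date per finding.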

Implementing Your New Security Process

While creating a process to embed security into every stage of the application development lifecycle will dramatically improve your organization’s security posture, we must not forget how important it is to create and implement that process in a collaborative, communicative way.

If there’s one main takeaway to remember from this article and my chat with Ashley, it’s that once you create your policies and requirements, security should work with developers to roll them out and test what is working for the team and what needs to go back to the drawing board. Once the security process is documented, it helps to take it one step further by creating a rollout plan with defined deadlines and being communicative with developers so that security and development are working together.

Get More Detail in My Episode of DevSecTalks

I hope this article has provided you with valuable information on how to embed security into the application development lifecycle. Based on my work at Zopa, I can attest to the fact that security and developers can collaborate in a mutually beneficial manner. For example, in this episode of DevSecTalks I take a closer look at why containers aren’t just great for developers, and why I love them from a security standpoint, too.

I encourage you to watch the full episode of my chat with Ashley, and explore the DevSecTalks website for more content around how you can enable DevSecOps for your organization.

Secure Your Finances With Zopa

With 16 years of lending experience, over half a million customers across the UK, and countless financial improvements, security is an essential part of doing things the ‘Zopa-way’ to help many more customers reach their financial goals.

Zopa is on a mission to create simple, fair, and honest financial products that have the customer’s needs at heart. Be sure to visit their website for more information about the company, loan and investment services, and career opportunities.

About the Author

At the time of recording this episode, Andre Morais was the Senior Application Security Engineer at Zopa. Recently, Andre moved to Savanti as a Senior Security Consultant. He attributes his passion for shift-left security, infrastructure as code, and more to his own background as a developer to help foster the connection and collaboration between DevOps and Security.