Secure-by-design software development for digital innovation

Software development is one of the critical cornerstones of digital innovation in Australia. While there are national standards for cybersecurity, the same requirements do not always apply to developing secure software.

Now is the time for organisations to secure against potential system failures. Businesses need to adopt secure-by-design principles and high-quality software development standards. The rise of DevSecOps methodologies and developments in AI offers every business the opportunity to create and maintain a new gold standard.

Below are four reasons why now is the time to establish strong security standards in software development.

1. Aligning with the new national cybersecurity strategy

The new national cybersecurity strategy indicates a willingness by the government to work with the private sector to shape the development and adoption of international software security standards, including secure-by-design and secure-by-default practices.

A secure-by-design methodology starts with the developer and incorporates security across the software development lifecycle. This helps organisations create products with built-in security from the point of code creation and avoids putting the burden and liability of security on end users.

For example, Constantinople, a financial services startup delivering managed digital banking services to financial institutions, has treated security as a top priority, building it into every aspect of its software lifecycle. For it, using automated compliance capabilities within a DevSecOps platform has become a key differentiator, allowing Constantinople to meet compliance requirements by making the process simple, reliable and repeatable.

2. Strengthening the software supply chain

Recent research has shown that three-quarters of Australian companies need help addressing supply chain risks. Business leaders cite a need for more awareness and understanding, apathy, limited data, unstructured planning and the assumption that others are responsible for managing these risks. Without a secure supply chain, no software is truly secure.

There are five main aspects to consider when providing a secure end-to-end software supply chain:

• Source: Controls to ensure source code is safe from vulnerabilities and has not been compromised.
• Build: Rigorous requirements for the security and isolation of build environments.
• Consumption: The ability to validate the authenticity and source of any executed binaries.
• Management process: Visibility into compliance with software supply chain security (SSCS) requirements.
• Tool security: Adopting best practices for managing the security of the underlying tools themselves.
   

DevSecOps practices unify development, security and operations, helping eliminate supply chain risk by allowing standardisation and synchronisation across workflows. They also authenticate, authorise and continuously validate all human and machine identities operating in an organisation’s environment.

3. Preparing for challenging economic conditions

Rising business costs are further pressing leaders to consolidate their technology resources. Consolidation saves precious financial resources by avoiding unnecessary licensing costs, subscription fees and maintenance expenses.

For developers, managing a single platform instead of multiple tools makes it easier to create trustworthy software. Increased visibility into productivity can help organisations identify bottlenecks and free up developers to focus on creating the most secure software possible.

For example, Australian property giant Lendlease has eliminated a complicated toolchain with an end-to-end platform to empower collaboration, increase visibility and make everyone responsible for security. The team benefits from seeing what’s happening with a project from start to finish, enabling managers to act as mentors and teachers, guiding DevOps workers and helping them learn new ways to do their jobs.

4. Streamlining software development with AI

Generative AI is already making streamlined software development processes more readily available to Australian businesses. While organisations can expect significant productivity and collaboration benefits from applying AI across the software development lifecycle, the transformational opportunity with AI goes way beyond creating code.

To realise AI’s full potential, developers must embed it across the software development lifecycle. This would allow everyone involved in delivering secure software, not just developers, to benefit from the efficiency boost.

In addition to the government’s call, the benefits of implementing these practices are compelling: better security, simplified compliance and stronger utilisation of precious resources. Now is the time for organisations to act and ensure their software development processes are up to standard.

*Craig Nielsen is Vice President, Asia Pacific & Japan, GitLab, overseeing the team to help organisations in the region to build better software, faster, more securely and accelerate their digital transformation. His extensive experience in technology includes leading market expansion and growth at McAfee, Red Hat, SumTotal and Microsoft.

Image credit: iStock.com/peshkov