Chapter 27. Strategies for Adding Security Rituals to an Existing SDLC
Laura Bell Main
From time to time, we stumble upon a new approach, ritual, process, or tool that can potentially improve our software’s cybersecurity and can be embedded into our software development lifecycle (SDLC). Of course, we want to try it.
So how can you successfully implement new processes, tools, or rituals in an existing SDLC? Here are some lessons I have learned over the years that I would like to share.
You Can’t Change What You Don’t Understand
This probably seems obvious, but if you are hoping to influence or change something, it’s a great idea to understand it first. If you aren’t actively part of the software team or using these processes day to day, now is the time to learn.
You can start understanding the following:
- What tools and processes are currently in this SDLC?
- Who runs them? How much time does it take?
- What is an acceptable completion time for each phase? This is especially important for tools embedded into deployment pipelines.
- What is currently working well?
- What is hurting the team, and what would they change if they could?
This process is valuable, not only for you as you prepare to weave cybersecurity through it, but also for your relationships with your engineering teams. Security is about collaboration, which starts with understanding and empathy.
Start with ...