The Move Toward Continuous Testing
The traditional waterfall software development model includes at least five steps toward release. It starts with the requirements phase, which asks what is [...], and progresses to design, which includes thinking about individual components, how to break them up, and how to employ teams effectively to deliver those goals. Next is the implementation phase, where the software is built and the lines are coded. This is followed by the verification phase, where testing double-checks the work. Originally, that meant verifying that the software meets the original requirements; lately, it also means that organizations verify the software is secure. Lastly is maintenance, where feedback determines whether updates are necessary. In waterfall, each step is completed in order, one after the other, until the project is finished. It is designed to meet time-to-market needs. There are at least three problems with the waterfall methodology.
Problems with Waterfall
The first problem is that waterfall is linear, and that is not the way the world works today. Speed and scale always bring complexity, and complexity cannot be supported by a linear process such as waterfall. There needs to be a feedback loop, and with waterfall there is little ability to iterate on the software once it has entered the development process.
Second, how do you operate the software? How you build the software affects how it operates in the real world. So there needs to be continuous feedback between the developer and the operator. This is how you get DevOps, which is literally a combination of Development and IT Operations.
Third, how are you going to maintain the software? It cannot just exist; there needs to be a feedback loop back to the beginning, to the planning phase, which includes security. This is how you get to the Agile methodology, which is continuous and iterative, and to DevSecOps, which includes security.
Agile, DevOps, and DevSecOps
As mentioned, Agile is a more iterative development model than Waterfall. While there is also an end goal with Agile, the process is revisited and adjusted along the way. This allows developers to respond to design changes and security feedback as they are coding, and the process keeps repeating until the work is done.
DevOps is complementary to Agile. It is designed with the aim of shortening the systems development life cycle and providing continuous delivery of high-quality software, so that there is no interruption in service. Think of how many times online services like Facebook are updated in the background with minimal disruption to the user. Faster, better software development is one thing. Providing security at scale is another.
DevSecOps, then, is the expansion of DevOps to include security professionals as well. The idea is for everyone to look at the code together rather than in silos. This produces the most robust and resilient software with the least amount of time and cost. DevSecOps is not new. It actually started in 1976 with a paper at an IEEE conference, at a time when waterfall was the current software development method and Agile was not yet widely used. Forty years ago, the world was less dependent on software. Today, the demand for agile, up-to-date software through continuous integration has caused the industry to take a second look at DevSecOps.
How can you make it so that security is seen as a value and not as a cost? There is already an example. Cryptography is a necessary foundation for successful e-commerce. Without it, users would not feel safe putting their banking and credit card information on the internet. So organizations put SSL and TLS in their applications, their services, and their browsers. It has created an online economy the size of the GDP of Spain. It has given rise to successful organizations such as Amazon. History has proven that security is not a cost. It is a value.
Learn more by downloading our Guide To Automated Continuous Security Testing