Security for Modern Engineering Information Security & Risk Management



Page 2 of 7
Date: 31.07.2017

2.2 Sue Barsamian



Senior Vice President and General Manager, Security Products

Hewlett Packard Enterprise


The rapid growth of the app economy and the increasing pressure to innovate have put the software developer in the driver’s seat in modern IT. Developers are now deeply involved in every part of the software development lifecycle as the boundaries between software and hardware continue to blur and infrastructure moves to the cloud. Developers are now responsible for driving innovation and keeping up with the increasing need for a faster time-to-market. This notion has challenged the traditional development lifecycle, pushing for more agile processes and greater collaboration across development, QA, security, and operations. Securing the software development process has never been easy, but in the midst of such seismic shifts in software development, application security is more challenging than ever.

In this faster-paced new development lifecycle, security organizations must adapt to becoming a natural part of the development process or they risk getting in the way. Even worse, they could be left behind as applications become more complex and more vulnerable than ever. The Microsoft ISRM team has taken a unique and aggressive approach to this challenge by partnering with development organizations to build security into the process while staying true to the discipline of the acclaimed Microsoft Security Development Lifecycle (SDL). By teaming with us in HPE Security Fortify, Microsoft has enabled effective, unobtrusive application security automation at scale that provably secures their applications and saves time and money during development. We are excited to share the experience and lessons learned by bringing together the world’s largest software company and the leading application security solution. Together we have built a world-class Application Security program that could provide a model for helping you secure the applications that run your business.


3 Introduction

3.1 Setting the scope


Microsoft’s ISRM organization, which is part of Microsoft IT, has a mission to ensure that all of the company's information and services are protected, secured, and available for appropriate use through innovation and a robust risk management framework. Microsoft is committed to building and implementing best-in-class security programs and processes and is constantly working to reduce exposure to cybersecurity risks.

ISRM supports Microsoft’s overall security mission by providing key security services that help to protect Microsoft’s corporate systems, services, data, and users. The service lines through which we deliver these services include risk management, threat and vulnerability management, identity and access management, security and incident management, and security monitoring.

Across Microsoft IT and throughout the company, the ISRM team is continuously evolving the security strategy and taking actions to protect key assets and the data for our organization. One primary focus for the team is to protect line-of-business (LOB) applications for Microsoft IT. ISRM drives the SDL for IT applications.

3.2 The SDL is our foundation


The SDL is a foundational framework for Microsoft, and it defines the basis for how we drive security in our software engineering processes. This whitepaper will not delve into the details of a software security assurance process such as the SDL, but instead, this paper will showcase how we approach enhancing the SDL process in response to the rapidly shifting challenges that security organizations face in today’s modern engineering landscape.

For more detailed resources related to the SDL model, including books and websites, see Appendix A.

The SDL defines the standards and best practices for providing security and privacy for new and existing LOB applications currently under development or being planned for development. IT LOB applications are the set of applications that are vital to running an enterprise organization, including accounting, legal, finance, human resources, payroll, supply chain management, and resource planning applications, among others.

3.3 The challenge of modern engineering


Software engineering teams in the modern world are under tremendous pressure. Continuous customer demand for new capabilities and competitive pressure for differentiation necessitate significantly shorter time-to-market schedules while maintaining the highest quality in software applications. To address this demand, modern engineering teams often adopt agile development methodologies, embrace DevOps (a merging of development and operations), and maintain development infrastructure that supports continuous integration/continuous delivery (CI/CD).

3.3.1 The modern engineer


Engineers in the modern engineering world must play multiple roles. Everything from gathering customer feedback and requirements, through design, coding, testing, and deploying to production, and even support, is under the purview of a modern engineer.

Just as the SDL is agnostic to any specific development methodology, practice, or tool, the concepts in this showcase whitepaper apply broadly to this modern engineering world. Our goal is to empower modern engineers with a set of tools, guidance, and processes that enable them to write, deliver, and maintain more secure applications and services.


3.3.2 The Microsoft IT model


Microsoft IT has been on a journey to adopt a modern engineering model. Because business customers are demanding faster and faster turnaround on solutions and feature requests, gone are the days when a business waited a quarter or longer for new features, solutions, or bug fixes in their applications. To respond to this growing need for efficiency and quicker delivery, Microsoft IT has been transitioning to a modern engineering model. This transition includes merging development and operations roles (DevOps) and using agile development principles, practices, and tools to shorten release cycles.

With an agile methodology, Microsoft IT gains the flexibility and speed to release solutions in as short a time as is operationally feasible. Agile teams receive faster customer feedback through an iterative design and feature approach, and mature agile teams often release every day or even multiple times a day. While this is great for business enablement, it poses a huge challenge for security in terms of how to effectively and efficiently drive security and privacy in these CI/CD scenarios. For example, consider a security process that takes two weeks to complete sign-off on a release. This model plainly fails when applied to an agile application which may take, for example, a single week to ideate, create, and be ready for release. Additionally, the more traditional security approach – to review every application release – worked well when release cycles spanned months, but this approach is highly inefficient against modern engineering practices where schedules are much more condensed.

Given the ubiquity of customer data and other critical data, security and privacy are of utmost importance to consumers. For example, would you feel comfortable using a banking application on your mobile phone if security and privacy aspects had been overlooked by the engineers? Security can be friction, but it can’t be ignored either.

So, this is our challenge:

“How can we make security low friction (efficient) while maintaining its effectiveness in this new world of modern engineering?”

This challenge demands that the security culture and approach be modernized and adapted for shorter release cycles and sprints. Security teams must support decentralized security processes, but they must also drive greater automation and move beyond point-in-time assessment practices. Under these modern engineering challenges, they need to adopt a solution that can scale and that can provide continuous assurance.



