The connected world of HR technology is exploding, and more and more companies are trusting employee and company information in the hands of cloud software companies. The problem? Complex, public-facing cloud systems are hard to secure. That's just a fact. So, what can providers do about it?
The answer is simple: Detect and minimize security risks and threats in your product before they are released. But to do that, you need a well-defined strategic framework—a Security Development Lifecycle (SDL)—to guide product development and help ensure that security is baked in by various teams. This is a cross-functional effort with the Product, Development, QA, Security and Release teams acting together for the common good.
The SDL concept is not new, but growing pressure on software developers to adopt a formal framework is—especially when it comes to protecting critical and private employee information. Recent high-profile data breaches involving major retailers, financial institutions and government agencies have customers asking vendors more questions about security. They want assurance that developers are doing all they can to reduce risk and make safer products.
Instilling greater confidence in your customers is an important reason to adopt an SDL process, of course, but there are other benefits. Reducing the need for firefighting is a primary one. Think of the resources you need to deploy to respond to a security incident after your product has been released—the time and cost involved can be significant.
In fact, as Microsoft notes on its website about the "Benefits of SDL," the National Institute of Standards and Technology estimates that code ï¬xes performed after release can result in 30 times the cost of ï¬xes performed during the design phase. So, the bottom line is that it can be far more cost-effective to ask questions about security and address risks in the earliest stages of product development. Here's what you need to know about creating an SDL at your company.
Tailor the SDL Framework to Your Needs
SDL frameworks provide inspiration and tools for reducing software security risk, but you have to make sure you implement a framework unique to your organization's processes and culture. You will need to tailor your own blend of best practices to create a relevant and effective framework. Technical controls typically require particular customization and tuning based on internal process, technology and capability.
Process-based preventative controls include verifying that project-based security activities occur prior to release, while technical controls include static analysis and dynamic analysis security testing. Technical controls often require a security toolbox including tools like SIEM (Splunk), static source code analysis (Checkmarx), static binary analysis (Fortify), and dynamic analysis security testing (WhiteHat Sentinel, Burp Suite, ZAP). We also build custom scripts and have meaningful manual processes for verifying that new features are free of severe and common kinds of security defects, including SQL injection, command injection, cross-site scripting, and authorization issues.
That's what we’ve done at our company. Cornerstone's SDL framework is actually a hybrid of leading frameworks like the Microsoft SDL and the Building Security in Maturity Model (BSIMM). We've also added a core element that is a reflection of what Cornerstone is—a learning company. Continuous learning is the cornerstone of our SDL, with product security training forming the hub of our SDL "wheel":
Educate Your Team
Our goal is to make learning fun. We believe that education and training is the best proactive security control. For example, we have developed an application security game that is part of the mandatory curriculum for all of our technology personnel. It's multiple choice, but it's tough—and we can chart the progress of every developer as they move through that curriculum.
What we are doing at Cornerstone is advanced for the talent management space. And it's enabling us to confidently answer three vital questions customers ask in security RFPs and audits:
- Do you have a strategic framework for secure product development?
- Have you implemented some level of control that indicates maturity across those practices?
- Do you conduct role-based application security training and measure the results?
We leverage our internal implementation of the Cornerstone LMS to deliver annual training on security policies and guidelines for all employees, and provide focused, role-based application security training for Dev, QA, and the technical personnel responsible for delivering code-shipping products. Additionally, we provide specialized training on SIEM, static analysis, and dynamic analysis security testing tools.
Further, Cornerstone is proud to be a member of Cloud Security Alliance, and frequently hosts monthly gathering in the Los Angeles area at Cornerstone’s Santa Monica headquarters. This educational forum helps keep Cornerstone ahead of the curve when it comes to cloud security.
Proactive Product Security
More importantly, our SDL framework allows us to confirm that we have done everything we could to build security into a product before we release it, answering key questions like:
- Did we specify secure design requirements? Were they met/satisfied/followed?
- Did we conduct secure code review? What did we find?
- Did we perform dynamic security testing? What was the result?
- Did we ensure new features were covered in per-release penetration testing? What was the outcome?
- Is the product security incident response team aware of the new attack surface, and do they know who to contact in the event issues are found?
The whole concept of the SDL is to build proactive controls that reduce risk and the reactive need for firefighting. You developed a more secure product by bringing together all stakeholders at the outset—the product designer, the development lead, the quality assurance team, and others—to ask and answer, "What are we building? What are the risks? And what can we do to prevent them?"
What’s the conclusion? The program and process has to be ongoing since technology changes and employees take on new challenges. Updating the programs frequently is critically important. The process is iterative and meant to support a "Maturity Model" mindset.
Photo: Shutterstock
関連資料
製品やお客様事例、最新の業界のインサイトなどをご紹介しています。
電子書籍
新しい世界に向けた仕事の再構築:2024年のHRトレンド予測
貴社では、昨今の急激なビジネスの変化のスピードにどの程度対応できていますか? 従業員を対象にした調査によると、41%が自分のスキルを伸ばすために必要なものを持っていないと考えており、59%がさらに多くのキャリアガイダンスを求めているという結果が出ています。そこでこれまで以上に重要になるのが、HR担当者が最新のトレンドを把握し、それが従業員や組織にとって何を意味するのかを理解して活用することです。例えばAIはトレンドの1つですが、60%以上の組織では、人財開発プログラムの最適化にAIテクノロジーを活用していません。
ブログ投稿
採用から退職まで、タレントエクスペリエンスプラットフォームは職場をどう活性化するのか
あなたの職場がハイオクエンジンだとしましょう。そして、現在使っているモデルを、市場で最も洗練された高性能なコンポーネントに交換できると想像してみてください。それこそまさに、タレントエクスペリエンスプラットフォーム(TXP)が組織のタレントマネジメントエンジンにもたらすものにほかなりません。
お客様事例
SBCメディカルグループ:急成長の核となる役職者の早期/大量育成に向けスタッフの属性に応じた教育をきめ細かく提供
国内美容クリニックの最大手として、湘南美容クリニックをはじめとする各種クリニックを展開しているSBCメディカルグループ。「2035年に1,200クリニック開院」などの目標を掲げて躍進を続ける同グループで課題となったのが、クリニック数の拡大に不可欠となる看護師などの役職者を早期かつ大量に育成できる研修プラットフォームを整備することでした。同グループはコーナーストーン・ラーニングCSXにより、スタッフの職種や入社年数などの属性に応じて受講する研修をきめ細かく指定可能なオンライン研修プラットフォーム「SBC Passpor(通称:Sぽ〜と)」を構築。全国のクリニックで働く多忙なスタッフが、それぞれの目標に向けて必要な研修を確実に受講できる環境を整えました。