The market today is becoming more demanding, competitive pressure is growing. It all leads to an innovation race and aggressive competition for the attention of the customer. The modern economy is going through a stage of digitalization: not only services but also many traditional products are becoming digital.
Traditionally organized companies do not always fit into this format due to the conservatism and bureaucracy of the hierarchical management processes.
One of the best responses to these challenges is the Business Agility approach. It is not enough to bring a product to the market quickly. Today, the product must be of high quality, reliable, and, most importantly safe. Security issues, taking into account the tight deadlines, must be taken care of in the early stages of development.
From Agile software development to Business Agility
We know that today you need to run as fast as possible to just keep your current position in the business. And in order to outrun your competitors, you need to run even faster. At the same time, it is important to be not only fast but also flexible because it is not the strongest who survives but the one who can quickly adapt to market requirements and evolve.
Flexibility is inherent in young companies, but as they develop, the conservatism and bureaucracy inherent in a hierarchical management model reduce the ability to change quickly, slow down the response to new challenges and, accordingly, reduce competitiveness.
Current management models work well in a stable environment, but during the “Periculum in mora,” or more simply – “Danger in delay” management practices require different principles.
Agile has become extremely popular among numerous development teams. It is aimed at de-bureaucratizing development processes, reducing development risks, creating a product in cooperation with a client, and increasing the speed of the product launch.
Having proven its worth, Agile has gone beyond development teams, evolving first into Scaled Agile and then into Business Agility. Business Agility is a new progressive approach to managing the entire company, not just software development.
It incorporates the principles of Lean Management, Agile, and, finally, a customer-oriented approach to management, which allows you to maintain flexibility and adaptability of the business at any stage of company maturity and in a highly uncertain business environment and market volatility. How does this happen?
Companies implementing Business Agility demonstrate:
- Improvements in communication and team collaboration by eliminating disunity.
- Increase in employee engagement and, accordingly, the speed of product launch and return on investment.
- Increase in the motivation of employees by understanding the common goal.
The success of companies such as Amazon, Netflix, Facebook, Apple, Google, Microsoft, and others tells us this method really works.
The 2020 pandemic, which forced businesses to move out of their comfort zone and rethink their organizational procedures, has encouraged many leaders to actively move towards more flexible management practices based on distributed, self-organizing, and cross-functional teams.
Value stream management
The new era involves the quick transition from design activities to the creation of products. It requires building these products based on the value created for the customer. Value streams are understood as the actions, people, flows of data, and materials necessary to deliver customer value.
Adding value in this process is carried out by cross-functional teams that can quickly reorganize, not destroying the traditional hierarchical structure, but creating a second business operating system. This is somewhat similar to the long-promoted matrix approach to the formation of the organizational structure of the company, only without radical changes.
The company retains the traditional hierarchy, but the virtual structure of Value Stream Management is organically imposed on it.
Value streams can be related both to production, namely, creating a product – developing software (Development Value Streams), and operational, providing product delivery (Operational Value Streams) like application marketing.
This allows you to apply a flexible management approach not only to software development but also to all other processes in the company.
There are no uniform practices and methods that could help transform the organizational structure. However, in large digital companies, the SAFe (Scaled Agile Framework) has become the most popular methodology for managing a company in the context of Business Agility and Digital Transformation.
SAFe is used not only by software developers but also by financial organizations, government agencies, and even many manufacturing companies that produce quite tangible products like cars, airplanes, toys, and electronics.
The search for new approaches to management is associated with the need to accelerate the delivery of software. Here, the question arises: is product safety an option that you must pay for separately and consider separately, or is it a production standard inseparable from other requirements for product quality?
Security: option or standard?
The first seat belt was created in the 19th century, but it was not widely adopted due to the inconvenience of its use. Everything changed in the middle of the 20th century, but, oddly enough, not because of the increased risks due to the growth of road traffic.
The impetus was the invention of a modern, dynamic three-point seat belt, which became easy to use. Today, every car is equipped with it, the obligation to use it is established at the legislative level, and we can no longer imagine that it was once otherwise.
The same is happening now in product development. The company’s ability to quickly deliver a new product or new functionality requires continuous iterative development. Traditional approaches to scanning release code for vulnerabilities significantly slow down this process. They are, in fact, the archaic seat belt that existed in cars before the invention of the Volvo engineer.
To ensure Business Agility, it is time to move to new tools and approaches in ensuring the security of software products. It is necessary to move away from checking for vulnerabilities at one or two points to increasing trust in the entire process of creating software products.
Security becomes one of the quality criteria of a software product. In fact, it can be ensured without losing time to market by integrating security controls at all stages of product development.
The nature of success
The commercial success of a new product is critically dependent on three factors: the speed of its time to market, the cost of its production, and the continuous improvement of its quality.
All these factors, in turn, are related to how safe the product is. Security by nature approach avoids the costs associated with delayed software delivery, reworking code, and fixing vulnerabilities. The principle of security by nature means that:
- Security issues are taken into account at all stages.
- The product is developed in an environment that eliminates or minimizes the risk of an error.
- There is continuous testing of the product.
Nowadays, security is often sacrificed for the sake of speed. It happens not because of a lack of understanding of the importance or reluctance of the company to deliver a reliable product.
The reason is the difficulties and delays in the development process associated with security control due to the lack of integration of these processes into the DevOps pipeline. Earlier, this was due to the lack of automated, integrated tools.
The current state of release orchestration tools allows security to fit seamlessly into the development pipeline while leveraging DevOps best practices and value stream management.
DevOps, Shift Left, and Security
DevOps is essentially designed to accelerate development and deployment through automation and collaboration. In fact, these are the very tracks on which the value train is moving. The Business Agility approach is based on the principles of Lean Agile aimed at eliminating unproductive activities, which include rewriting code including due to its vulnerability and insecurity.
The Shift Left approach allows you to ensure code quality, including its security, at the earliest stages of development, starting with the choice of architecture, determining software libraries, and at the planning stage of new functionality, significantly reducing the cost of security issues like vulnerabilities or malware.
DevOps, Release Orchestration, and Shift Left combine into a single approach to integrate automated secure development tools at every stage of the DevOps pipeline. This combination makes it possible to avoid not only delays in time to market but also financial losses associated with refactoring and the elimination of vulnerabilities.
Secure development lifecycle
Usually, when talking about DevOps, we think about continuous integration and continuous deployment (CI/CD). However, I believe it is better to view DevOps as a process of ensuring the entire lifecycle of a product, from idea to decommissioning.
It is this idea that we can see in one of the most well-developed Agile frameworks – SAFe, which is well suited for medium-sized companies, multinational corporations, and even government agencies.
Note that Continuous Security is not a DevOps phase but a fundamental principle, as well as version control and continuous quality. The modern approaches name four phases of DevOps:
- Continuous Exploration (CE), including the study of consumer needs and the definition of the needed functionality.
- Continuous Integration (CI), during which the product is created.
- Continuous Deployment (CD), during which the developed functionality enters the production environment.
- Release on Demand (RD), that is, the release of a product when there is a need for the next release.
Most of the security measures are effective and expedient to apply at the stage of CI. However, it is critical to simulate different threats during the Continuous Exploration phase while designing the architecture.
If threat modeling is done at a later stage, then any changes to the code or architecture will take much more time or will not be possible without deep reworking of the product. And this implies additional spending.
At the Continuous Integration stage, securing an application begins with software composition analysis (SCA) tools – an analysis of the composition of open-source code.
This should be the first step towards security by nature. SCA can be used at any maturity level of secure development processes. At the initial maturity levels, it is used to analyze source code during static testing and to validate all open-source code.
At a higher level of maturity, such tools are provided to each developer, they are integrated into the developer’s IDE, and the open-source component is analyzed the moment it is added to the developer’s local repository.
Of course, in addition to SCA, various other tools and approaches should be used at the Continuous Integration stage, such as Security IDE plugins, Security Code Review, pair programming, static and dynamic code analysis, fuzz testing, code signing, infrastructure monitoring, securing infrastructure and developers’ computers.
But, in my opinion, it is impossible to build adequate security management processes without understanding what the system consists of, that is, without a full-fledged inventory of the source code.
During the Continuous Deployment phase, the need for a penetration test is evident. Penetration testing is one of the few practices that are difficult or almost impossible to fully automate and implement at earlier stages of development.
Nevertheless, even here, it is recommended to include professional penetration testers in the development team to conduct testing already in the Staging environment at the Continuous Integration stage. The use of release orchestration tools will significantly reduce transaction costs when the security quality gate is shifted to this stage.
Release on Demand
At the Release on Demand stage, the security of the finished product is supported by continuous security monitoring using SIEM solutions and data processing by information security teams. At this stage, the security operations center, incident response, continuous threat monitoring, external audit of vulnerabilities is involved.
Security by nature is the foundation for the continued reliability of the product. Today, it is becoming a part of the organization’s development culture, helping to avoid the additional costs associated with delayed software delivery, rewriting code, and fixing vulnerabilities that everyone is afraid of.
This is facilitated, of course, by the requirements of regulators, the growth of cybersecurity incidents, and the need to reduce the cost of release, which, among other things, is the result of timely quality control of the code.
I am sure that code security requirements cannot be considered in isolation from other quality requirements. I believe we can create products of high quality only with a holistic and consistent approach to the reliability and safety of the code. Using DevOps best practices and automation tools, integration of security into the development processes happens seamlessly and effortlessly.