There is increasing pressure on developers to ensure a high level of quality and security in the thousands of lines of code they write every day, while development teams must still work productively and cost-effectively and keep the freedom to innovate. The most common response is to run verification tests at the end of the software development lifecycle (SDLC). That may find only a small number of vulnerabilities, but fixing them that late means more rework and more complexity, which leads to higher costs.
The best and most efficient approach is to create a quality-first mindset in the organisation, together with a security-by-design approach to ensure that quality and security are embedded in all ways of working. This ensures that employees are aware of the importance of a zero-tolerance approach to security, and that process and oversight are established early in the SDLC for earlier identification and remediation of vulnerabilities.
The following steps are a simple guideline to implement a quality-first approach:
1. Create organisational awareness of the need for proper quality vetting of code and for greater diligence in following quality and security processes by ALL team members. This can be achieved through regular training for the whole team, proper documentation of processes, and regular reviews by management.
2. Ensure that vulnerability testing is built into the company's code development process through regular scans (manual or automated). This is best done frequently, and automatically whenever code is committed to the repository, supported by regular team code reviews. Code is scanned with a static analyser, reviewed manually by team leaders, and vulnerabilities are assigned to teams or team members with proper follow-up and verification. These reviews also increase awareness of the need for thorough code review and share knowledge of the types of vulnerabilities with your team members.
3. Arrange regular external quality and security verification of code. This can be done with black-box or white-box testing by independent code auditors. A third-party eye gives objective oversight and confirms that internal practices are working correctly.
4. Strengthen expertise in quality, security and privacy, and ensure proper QA oversight of all processes, by hiring security professionals into your organisation. Also ensure the right level of supervision and governance by establishing compliance committees that give appropriate visibility to the CEO, the management team, and the Board.
5. Do not ignore the risks of integrating third-party or partner code into your own. Ensure proper risk assessment through static analysis, vetting, and adequate approvals before any third-party component is integrated. This includes implementing and documenting third-party vetting, vulnerability testing, sunsetting, and all approvals.
In my experience as an executive and a manager of process and operations, it is important to put in place the proper governance, processes and systems to ensure quality and security. However, as in all business, this often is not enough. Getting it right requires the proper mindset, one that starts at the top and permeates all parts of the organisation: a quality-first mindset that ensures everyone is working together to safeguard quality and uphold the reputation of the products, the brand and the company.