Application development and procurement that does not include a rigorous security review in the critical path process is fundamentally broken; exposes organizations to predictable, unnecessary, and avoidable cybersecurity risk; and misaligns the organization with every cybersecurity framework, regulation, or standard. The development of software without security as a key objective, constraint, and requirement should be prohibited by the policy of every organization, regardless of size, location, or industry sector. Applications should never move from the development environment to the production environment unless competent and certified security staff has put them through a security review. A best practice is that the security team has “veto” authority over final production release.
All too often applications are built by developers who are neither security-trained nor security-capable. Developers sometimes build software that may have the features, functionality, and performance demanded by users, or may be “fit for purpose,” but that may not include effective security features. All too often organizations’ procurement departments release requests for proposals and tenders that include minimal or no cybersecurity requirements for purchased applications or software packages. Ironically, it is at the ideation and conceptualization stage of internally developed software, or at the RFP development stage for externally procured software, that security is most cost-effectively designed into software. Retrofitting security after the fact can break applications, cost more, and cause organizations to miss release deadlines. Establishing a software development lifecycle that elevates security to a critical path activity in software development and acquisition is an instrumental element of the organization’s cybersecurity policy and process management.
Ankura’s security experts review application security and help clients conceptualize, implement, and validate that newly developed or acquired applications never move into the production environment until security sign-off. We assist our clients with: