A developer’s introduction to compliance standards like PCI-DSS, HIPAA, and GDPR.
As data breaches increase in frequency and scope, more governmental entities focus on using the stick rather than the carrot to prevent them. Compliance standards and regulations set baseline, minimum security controls that establish basic cyber hygiene. Compliance is not security, but software developers need to understand these baseline requirements so that they avoid violations: a compliance violation increases the cost of a data breach and can lead to fines on top of it. Understanding how compliance impacts software development makes it easier to meet the requirements.
Compliance standards are sets of rules that an organization is required to follow. To prove that the organization follows the rules, it must have a set of written policies, and it must also create a set of procedures and processes that people must follow as they carry out the policies.
In security, compliance requirements can come from both regulatory bodies, like legislatures or agencies, and industry-standard organizations, like the National Institute of Standards and Technology (NIST).
Some primary security compliance mandates include PCI DSS, HIPAA, and GDPR.
From a security standpoint, most compliance standards take a risk-based approach. This means that the organization creates a cross-functional team which:
As companies shift security left, developers need to be integrated into the compliance program. Whether developers build internal applications or design software for customers, they hold critical information about the software's components, and that information needs to be considered.
Software developers may not need to know the intricacies of compliance mandates, but they should know the basic security best practices.
Despite continuously evolving, complex technologies, several fundamental security principles remain the same. For example, nearly every compliance mandate includes:
Developers regularly review their code for vulnerabilities. Additionally, part of their SDLC practices already incorporates making sure that their software appropriately encrypts data and offers the access controls necessary for applying the principle of least privilege.
Compliance as Code is the process of using automated tools to review code so that teams can build compliance into development and operations. By incorporating compliance policies, checks, and auditing into development, regulatory compliance is no longer a time-consuming burden that development teams need to overcome.
To move towards a Compliance as Code development model, teams need to make sure that they:
At its core, Compliance as Code builds traditional governance, risk, and compliance practices directly into the development process.
As the first word of the phrase, compliance is intended as a key business outcome. However, Compliance as Code goes beyond mitigating compliance risk. As developers integrate compliance into their daily tasks, organizations are able to add technical and operational outcomes, including:
Although compliance only sets minimum security baselines, it needs to be seen as an enabler for development teams and businesses. When it becomes a roadblock, people tend to view it as an expendable process. Unfortunately, in today’s increasingly regulated technology space, development teams must find ways to streamline their compliance activities and avoid regulatory penalties, so that the business remains financially secure.
For software developers, compliance falls into the software development lifecycle (SDLC). Building compliance into the SDLC may sound difficult. However, in many cases developers are already engaging in many of the steps; they just don’t realize it. Understanding how to incorporate Compliance as Code into the SDLC for a more robust risk management strategy can help eliminate the hurdles that people associate with compliance.
As part of the project planning phase, development teams need to consider the compliance mandates that the business needs to meet. For example, if the software will process credit card data, then it needs to meet PCI DSS requirements. If it’s a mobile health app, it needs to meet HIPAA compliance mandates. These security and documentation requirements should be incorporated as early as possible so that remaining steps can build in compliance and risk management.
For each feature and capability, the software design requirements should take into account controls for protecting data and ensuring compliance. For example, if the software will have a login feature, then the developers need to design the appropriate access control capabilities, so that an authenticated user can only reach the data they are authorized to see. If it will be a web application, then defences against injection attacks (parameterized queries rather than string-built SQL, for instance) should be designed in during this phase rather than patched on later.
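The following is an added illustration of the two design points above, written for this page and not code from the original post or from ShiftLeft. It uses an in-memory SQLite table of constructed card transactions (the accounts, last-four digits and amounts are made up) and compares a lookup that builds its SQL from user input against one that binds parameters and enforces an ownership check before querying. The payload, account names and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for this example; not taken from any real system.
SAMPLE_ROWS = [
    ("acct-100", "4242", 1999),
    ("acct-100", "4242", 500),
    ("acct-200", "1111", 12000),
    ("acct-300", "9876", 75),
]

# Classic injection payload: closes the quoted literal and adds a tautology.
INJECTION_PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding only truncated card data (last four digits)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, account TEXT, last4 TEXT, amount_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO transactions (account, last4, amount_cents) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, account: str) -> list:
    """Deliberately vulnerable: user input is concatenated into the SQL text.

    With INJECTION_PAYLOAD the WHERE clause becomes
        account = '' OR '1'='1'
    which is true for every row, so every customer's transactions leak.
    """
    query = (
        "SELECT account, last4, amount_cents FROM transactions "
        f"WHERE account = '{account}'"
    )
    return conn.execute(query).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, account: str) -> list:
    """Hardened against injection: the driver binds the value, so the payload
    is compared literally against the account column and matches nothing."""
    query = "SELECT account, last4, amount_cents FROM transactions WHERE account = ?"
    return conn.execute(query, (account,)).fetchall()


def authorized_lookup(conn: sqlite3.Connection, caller_account: str,
                      requested_account: str) -> list:
    """Least privilege on top of parameter binding: a caller may only read the
    account it is authenticated as. Denials raise rather than returning []
    so that callers cannot confuse 'forbidden' with 'no transactions'."""
    if caller_account != requested_account:
        raise PermissionError(
            f"{caller_account} is not permitted to read {requested_account}")
    return parameterized_lookup(conn, requested_account)


def demo() -> dict:
    """Run the three lookups against the same data and summarize the outcome."""
    conn = build_db()
    try:
        authorized_lookup(conn, "acct-100", "acct-200")
        cross_account_denied = False
    except PermissionError:
        cross_account_denied = True
    return {
        "vulnerable_rows_leaked": len(vulnerable_lookup(conn, INJECTION_PAYLOAD)),
        "parameterized_rows_for_payload": len(parameterized_lookup(conn, INJECTION_PAYLOAD)),
        "own_account_rows": len(authorized_lookup(conn, "acct-100", "acct-100")),
        "cross_account_denied": cross_account_denied,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the string-built query returning all four rows for the payload, the parameterized query returning none, and the authorization wrapper refusing a cross-account read before any SQL runs. Both controls are needed: parameter binding stops the attacker from rewriting the query, and the ownership check stops a legitimately authenticated user from simply asking for someone else's account.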
As the architects develop their design approach, they need to consider the different technologies and tools that can build Compliance as Code into the development processes. For example, a Static Application Security Testing (SAST) tool can surface potential vulnerabilities and, where it tracks data flow, distinguish the ones that are actually reachable from untrusted input, giving teams a way to remediate the real risk as quickly as possible.
Using compliance automation gives development teams a way to continuously monitor their code and repositories for the compliance assurance necessary. By documenting practices throughout the development cycle, they build security and compliance into their daily activities, eliminating the roadblocks associated with traditional manual practices.
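What a compliance-automation check looks like in practice, as an added example written for this page (it is not ShiftLeft's tooling and not code from the original post): a small policy engine that evaluates a constructed service configuration against a handful of illustrative policies and reports the ones it violates. The configuration, the policy identifiers and the rules themselves are assumptions chosen to resemble common PCI DSS-style controls (strong TLS, audit logging, no stored CVV, no embedded credentials); they are not a transcription of any standard's requirement text. The same script run on every commit is the "continuous monitoring" the paragraph above describes.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed configuration with deliberate violations so the checks have
# something to find. Hostnames and credentials are made up.
WEAK_CONFIG = json.loads("""{
  "service": "payments-api",
  "tls": {"min_version": "1.0"},
  "audit_log": {"enabled": false, "retention_days": 30},
  "storage": {"card_fields": ["pan_last4", "expiry", "cvv"]},
  "db": {"url": "postgres://app:s3cretpassw0rd@db.internal/payments"}
}""")

# The same service after remediation: TLS 1.2+, logging on with a year of
# retention, CVV never persisted, and the DB password pulled from a secret
# store reference instead of the URL.
HARDENED_CONFIG = json.loads("""{
  "service": "payments-api",
  "tls": {"min_version": "1.2"},
  "audit_log": {"enabled": true, "retention_days": 365},
  "storage": {"card_fields": ["pan_last4", "expiry"]},
  "db": {"url": "postgres://app@db.internal/payments",
         "password_ref": "vault:payments/db"}
}""")

# Matches "scheme://user:password@host", i.e. a credential embedded in a URL.
EMBEDDED_CREDENTIAL = re.compile(r"://[^/:@\s]+:[^@\s]+@")


@dataclass(frozen=True)
class Policy:
    id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the config complies


def _version_tuple(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


# Illustrative policies (hypothetical ids; not quoted from any standard).
POLICIES = [
    Policy("CRYPTO-TLS-MIN", "TLS minimum version must be 1.2 or higher",
           lambda c: _version_tuple(c["tls"]["min_version"]) >= (1, 2)),
    Policy("LOG-AUDIT-ENABLED", "audit logging must be enabled",
           lambda c: c["audit_log"]["enabled"] is True),
    Policy("LOG-RETENTION", "audit logs must be retained at least 365 days",
           lambda c: c["audit_log"]["retention_days"] >= 365),
    Policy("DATA-NO-CVV", "card verification value must never be stored",
           lambda c: "cvv" not in {f.lower() for f in c["storage"]["card_fields"]}),
    Policy("SECRET-NO-EMBED", "credentials must not be embedded in connection URLs",
           lambda c: EMBEDDED_CREDENTIAL.search(c["db"]["url"]) is None),
]


def evaluate(config: dict, policies=POLICIES) -> List[str]:
    """Return the ids of every policy the configuration violates, in policy order."""
    return [p.id for p in policies if not p.check(config)]


def report(config: dict, policies=POLICIES) -> str:
    """Human-readable summary suitable for a CI log or an auditor's evidence file."""
    failures = set(evaluate(config, policies))
    lines = [f"service: {config['service']}"]
    for p in policies:
        status = "FAIL" if p.id in failures else "PASS"
        lines.append(f"  [{status}] {p.id}: {p.description}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_CONFIG))
    print()
    print(report(HARDENED_CONFIG))
```

In a pipeline the check would fail the build on a non-empty `evaluate` result and archive the `report` text as evidence; the point is that the policy is expressed once, in code, and re-run automatically instead of being re-read from a spreadsheet at audit time.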
Quality assurance should also incorporate compliance assurance. As part of testing software for bugs impacting performance, development teams should also include security and compliance checks. Compliance gives teams a way to “check their work” and ensure they applied best practices.
Compliance and security monitoring should be incorporated into the continuous review and maintenance practices. This means continuously monitoring for new vulnerabilities, remediating security risks as soon as possible, and documenting all activities.
With ShiftLeft, developers can build vulnerability testing directly into their workflows for enhanced security and compliance. ShiftLeft tests the entire application as it is being built for more accurate findings and reduced false positives by proving attackability for software flaws. Not all vulnerabilities can be reached and attacked; in fact, it is often a small minority that are reachable by attackers and are therefore deemed "attackable" and urgent to fix. With rapid, continuous scanning, developers can remediate security risk in the code they are currently working on and fix bugs before they become debt.
ShiftLeft CORE provides compliance reports for leadership, partners and auditors. ShiftLeft CORE is the only code analysis platform to provide a software bill of materials (SBoM) that uniquely accounts for the attackability of open source packages used by the app. Unless attackability is determined, the security risk of your application is artificially inflated by vulnerabilities in open source libraries that are impossible for outsiders to reach given the architecture of your application.
Getting to Know Compliance in Software Development was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by The ShiftLeft Team. Read the original post at: https://blog.shiftleft.io/getting-to-know-compliance-in-software-development-4636f69d888e?source=rss----86a4f941c7da---4